Upholding regulatory compliance in decentralised trials
Before getting lost in the vast options a decentralised clinical trial (DCT) setup provides, sponsors considering a DCT model need to keep in mind that it is not a one-size-fits-all approach. DCT solutions need to be flexible to work in accordance with Good Clinical Practice guidelines, regional and country-specific regulatory and privacy requirements and clinical trial guidelines regarding participant data confidentiality.
These are all critical consideration for sponsors, as failing to conduct trials in accordance with GCP and other applicable regulations can lead to regulatory authorities rejecting data that is generated to support new treatments and regulatory applications, as well as penalties for the company ranging from monetary fines to a negative impact on reputation.
As such, proactively planning for regulatory considerations for the full trial lifecycle, including the key examples of DCT solutions below, is a worthy investment of resources and budget.
Direct-to-patient recruitment
Just as we have seen societal acceptance of remote and digital interaction, such as virtual video meetings and grocery deliveries, we saw the positive impact of direct-to-patient outreach in clinical research for COVID-19 treatments and vaccines.
Using real-world data insights from deidentified and anonymised electronic medical record data, claims data, disease registries, etc., sponsors can go beyond site-based patient recruitment to reach additional patients. Fine-tuning direct-to-patient (DTP) outreach communications, including partnering with social media companies and customised online advertising, helps inform potential participants of the value trial participation could provide, especially when living with specific health conditions. Once individuals are informed of the trial, DTP models allow interested participants to sign up with a click of the mouse via user-friendly platforms.
With easier participant outreach and increased trial awareness, sponsors can better address recruitment, a longstanding challenge in study start-up. To ensure this DCT solution’s benefits effectively mitigate any risks or concerns, sponsors need to directly address regulatory requirements, including data privacy and security concerns regarding sensitive health information.
For one, it is important to keep digital advertising restrictions in mind, because this newer advertising method has fast-changing requirements that can vary per country. Digital media partners also must make sure they comply with regulatory requirements and protect user information. Specifically, data security, data minimisation and data localisation requirements can play a role in setting up the right DTP recruitment model and participant sign-up process.
Some countries also limit the transfer of sensitive health information outside of their borders, which can pose an additional challenge for DTP recruitment model implementations. As part of any DTP model, given that personal participant information is collected prior to the trial consent stage, sponsors and their CRO partners need to ensure there is an appropriate agreement in place regarding collecting and using data to determine whether potential participants are eligible to join the trial.
As discussed further below, in order to meet GCP and other regulatory requirements, sponsors also have to ensure potential participants’ personal information is not housed in their systems or accessible to them in any capacity. Rather, the DTP model needs to link these individuals to investigators.
DCT technologies
It is no surprise that new technologies integrated into clinical trials are highly regulated and should be properly vetted by sponsors to uphold data integrity, availability, and confidentiality and to adhere to regulatory requirements before being deployed. Whether sponsors build their own, purchase or license DCT technologies, these products have to operate and be configured in alignment with all relevant rules and regulations.
When creating their own DCT platforms/systems, sponsors may host the technology in their own or third-party data centres, which provide user support and system administration. Regardless of the option, if the sponsor hosts, operates or has access to a DCT technology that processes directly identifiable data about study participants and/or stores or produces source documentation not generated at the trial site, it is possible that some regulatory requirements or GCP guidelines for data confidentiality will not be met.
For example, within the European Economic Area, where approximately 4,000 clinical trials are conducted annually, it is vital for DCT technologies to operate in accordance with the stringent General Data Protection Regulation as applicable, as well as other laws and regulations, such as GCP and local requirements, in order to be processed lawfully.
Given the nuances of GDPR and other local regulations, sponsors may benefit from working with an experienced CRO that has received third-party GDPR validation to ensure its processing of personal data in DCTs is in accordance with GDPR as applicable. This is especially true as regulations consistently evolve and plans need to account for how to operationally update or adjust processes to meet new requirements.
A CRO partner with an extensive DCT implementation record will also consider its experience providing different services locally, as there could be lesser acceptance of some DCT technology solutions despite being viable options in a regulatory context.
To help avoid generating potentially noncompliant data via DCT technologies, sponsors may also want to consider:
- When developing their own DCT systems, building internal firewalls to establish complete separation between the company’s research focus and the in-house teams who develop, host, operate, and access the DCT technologies.
- Integrating a fully managed service technology for which the sponsor licenses a DCT technology that is hosted and administered by an external provider. This option gives sponsors more operational control of the DCT but allows them to stay further away from the actual technology, with no direct access to personal data of trial participants.
- Integrating a full-service platform model, typically provided by CROs, which allows sponsors to maintain data confidentiality compliance and separation from directly identifiable patient data.
Home health
Because GCP requires that all reasonable precautions be taken to protect participant confidentiality and data quality, access to information that identifies trial participants should be restricted to authorised parties as needed to conduct the study. Per GCP, protocol-related activities are to be conducted by the investigator, or through delegation and under supervision of the investigator, by a person determined by the investigator to be qualified by skill, education, and training to perform the task.
Prior to integrating a third-party home health provider into a study, sponsors will need to perform a risk-benefit analysis of how appropriate oversight of the remote assessment and third-party provider by the investigator will be accomplished. To be able to perform the protocol-related tasks, home health providers have to access participants’ directly identifiable information, especially in order to set up appointments, plan travel logistics, and validate participant identity prior to performing assessments.
Investigators will review the home health provider’s training and qualifications to confirm that the provider will protect participants’ confidential identifiable information while also reviewing study plans to determine how the provider is expected to handle participant information. For example, for a home health nurse, a sponsor will have to consider what level of participant information they will need to perform their tasks as intended. An experienced home health provider will be able to support the setup of systems and processes that are in line with current requirements.
Once the investigator is satisfied that the third-party home health professional is qualified and that appropriate processes and systems will be used to conduct protocol-required activities, the provider can be formally delegated certain tasks and added to the site delegation log.
As they change how the industry plans and conducts trials, DCT solutions offer sponsors, patients, and site teams multiple benefits to help accelerate trial timelines and ensure patients are better engaged in their care outcomes. While patient centricity is critical, there needs to be a balance between how sponsors conduct DCTs in accordance with GCP, GDPR, and other appropriate regulations and laws and how they uphold data confidentiality and quality as done in traditional studies.
To better ensure regulatory compliance without added burdens on stakeholders, it is critical that sponsors stay up to date with the latest in regulatory guidance and engage the right experts during DCT planning stages to make sure necessary requirements are addressed as early in the process as possible.
About the authors
Eric Klaver, decentralised clinical trials regulatory director, IQVIA, brings nearly three decades of clinical research experience to the company, in roles varying from data management to post-trial access. His focus has been on compliance in clinical trials, through training and auditing. Klaver has trained clinical research staff around the world and has audited and supported audits and inspections on an international stage, as well. In his current role at IQVIA, he focuses on the continued compliance of the IQVIA DCT strategy and platform.
Jill Baehring, LL.M, associate director, privacy in decentralised clinical trials, IQVIA, is a privacy expert with more than six years of experience in data privacy. In her current role at the company, Baehring is working on privacy compliance for decentralised clinical trials globally. With her team, she has worked to obtain the industry’s first GDPR Validation for the DCT Programme. Before joining IQVIA, she was responsible for privacy compliance for the commercial organisation of a pharmaceutical company in Germany, where she helped establish privacy processes across Europe.