To be or not to be… compliant
There are a number of challenges in designing and building solutions for the collection and delivery of image submissions for clinical trials. One of them is compliance with the global regulations governing the process. While the rules set forth by the FDA, HIPAA, and their equivalents in Europe and Asia can be complicated and, in certain cases, open to interpretation, two of them are actually very clear and obligatory. They state, first, that submission data must be protected, and second, that patient privacy must be guaranteed prior to submission. Meeting these requirements with an electronic system is complex, and may be one of the reasons some companies still use courier services.
Data protection in transit can be obtained using the secure equivalents of FTP and HTTP. Unfortunately, this only protects the data while it is moving, not while it is stored. Cloud solutions and systems built in-house for electronic image transfer are often believed to be secure because, during transit, the data is encrypted by the transfer protocol. However, since the data is not encrypted while stored in the cloud, this violates GCP and Part 11 regulations.

The second requirement is significantly more onerous. It specifically calls for all patient-identifying information to be removed before the data leaves the investigator site. In practical terms this carries at least two consequences: first, submission data cannot be put in the cloud and then deidentified; second, deidentification that is not protocol-specific cannot guarantee that every bit of patient-identifying data, including names “burned” into the images, will be eliminated. If this deidentification is not done within a Part 11 compliant system, i.e. an auditable system with the requisite trace matrix and documentation, the required logs showing the actions taken by users will not be captured in a central location, which in itself constitutes a regulatory violation.
Given national regulations, the only way an image submission system will be compliant is if:
- The deidentification process occurs inside the sender’s internal network, on the sender’s validated system, collecting proper evidence (audit records).
- The data travels in an encrypted form.
- Images stored in the cloud exist only in encrypted form at all times.
While historically many labs have accepted non-deidentified data from investigator sites and performed the deidentification after the fact, this practice is now questioned and rejected by many sponsors who are mindful of the consequences. The risk to the overall clinical trial of accepting this status quo is simply too great at a time when pipelines remain relatively shallow and every compound with promise must be investigated thoroughly.