WSGR ALERT

New FDA Guidance Opens the Door for Electronic Consent Forms That Come with Significant Advantages and Raise Privacy and Secure Data Storage Regulatory Compliance Concerns

March 16, 2015

On March 9, 2015, the U.S. Food and Drug Administration (FDA) published a draft guidance1 that allows for the use of electronic informed consent (eIC) in human clinical trials. eICs have the potential to:

  • better and more fully educate subjects on whether to voluntarily participate in a clinical trial;
  • gauge a clinical trial subject's understanding of what they are consenting to;
  • more easily allow for the use of an electronic signature (e.g., an encrypted digital signature, an electronic signature pad, a voiceprint, or a digital fingerprint);
  • allow for the possibility of remote consent (e.g., where the consent form is not signed at the same location as the clinical investigator);
  • facilitate rapid patient notification of clinical trial protocol changes;
  • promote timely entry of eIC data into a clinical study database; and
  • allow for the timely collection of remote location informed consent data.

On the other hand, eICs also raise privacy and secure data storage regulation compliance concerns.

The eIC, if properly implemented, will be of significant benefit to institutional review boards (IRBs), clinical investigators, sponsors, patients, parents, and subjects' legally authorized representatives (LARs).

Background

Studies subject to the requirements of FDA regulations (e.g., human clinical studies on drugs, biologics, medical devices, or combinations of these) require the informed consent of participants. The clinical studies' IRB must review and approve the informed consent form, and the IRB is the final authority on the consent form content. In addition, informed consent forms are required to contain the basic elements found in 21 CFR § 50.25(a), and any element(s) of 21 CFR § 50.25 (b) that are appropriate to the specific clinical study.

In the past, consent forms were typically paper forms signed and dated by the subject, or the subject's parent or LAR.2 The FDA notes that the "clinical research community is showing greater interest in using electronic media to provide information usually contained within the written consent document, evaluate the subject's comprehension of the information presented, and document the consent of the subject or the subject's LAR."3 The FDA, recognizing that eICs covey multiple advantages, issued the eIC Guidance.

eIC Guidance Specifics

Section III of the eIC Guidance, entitled "Instituting an Electronic Informed Consent," presents 14 relevant questions and answers related to instituting an eIC. This alert highlights key information taken from these.

The eIC Guidance discusses how the eIC should be presented to the subject. The eIC Guidance notes that the eIC must contain all of the 21 C.F.R. § 50.25 elements, and must be in a language understandable to the subject or the subject's LAR.4

Also addressed is where the eIC process may be conducted. The "consent process my take place at the study site where both the investigator and subject are at the same location, or it may take place remotely (e.g., at the subject's home or another convenient venue) where the subject reviews the consent document in the absence of the investigator."5 For remote location processes, "if the consent process is not personally witnessed by study personnel, the computerized system should include a method to ensure that the person signing the informed consent is the subject who will be participating in the research study (or the subject's LAR)."6

The eIC Guidance maintains that subjects should be allowed to ask questions about the study, and that this "may be accomplished by in-person discussions with study personnel or by using a combination of electronic messaging, telephone calls, videoconferencing, or a live chat with a remotely located clinical investigator or appropriately delegated study personnel."7

To facilitate the subject's understanding, and the investigator's ability to gauge that understanding, "the eIC may use interactive computer-based technology, which may include diagrams, images, graphics, video technology, and narration, as appropriate."8

Regarding electronic signatures, the FDA notes that use of electronic signatures is permitted, provided that these are in compliance with applicable FDA regulations.9,10 The eIC procedure "may include an electronic method to capture the signature of the subject or the subject's LAR (e.g., an encrypted digital signature, electronic signature pad, voice print, digital fingerprint)."11 Notably, the FDA does not mandate a specific method of electronic signature.12

Pediatric subject assent also falls under the eIC process umbrella, but the IRB "must determine that there are adequate provisions for soliciting the assent of children when, in the IRB's judgment, the children are capable of providing assent."13 In addition, the IRB must determine whether and how assent must be documented.14

FDA regulations require that a person signing the informed consent be provided with a copy of the written consent form.15 The eIC Guidance expands the options for fulfilling this requirement, stating that "the copy of the informed consent document could be in the form of printed paper or an e-copy that can be transmitted by email or other form of electronic media."16

The eIC guidance also touches heavily on privacy and data security regulation compliance concerns. For example, if an e-copy of the consent form is offered, "subjects should be informed of the risks of storing or viewing the consent document on a personal electronic device (PED), especially if that PED is shared with other users or is lost, hacked, or subject to a search warrant or subpoena. Unlike paper copies which the subject may refuse to retain or destroy, e-copies delivered directly to the subject's PED may not be able to be permanently removed."17

Additionally, the FDA states that the "computerized system that supports the eIC must be secure with restricted access, and should include methods to ensure confidentiality regarding the subject's identity, study participation and personal information after informed consent has been obtained."18 For entities holding the subject's personal information and covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or a business associate of a HIPAA covered entity, "the requirements of the HIPAA Privacy, Security, and Breach Notification Rules apply."19

Finally, the FDA requires that the "eIC process should incorporate procedures to ensure that electronic documents can be archived appropriately and all versions of the eIC can be retrieved easily."20 The system should have audit trail capability, and must be in compliance with applicable FDA regulations for electronic records. Notably, if "eIC data are stored on a remote computer, in a data storage center, or in 'the cloud' . . ., data privacy laws and regulations that apply to the remote storage site(s), in addition to those that apply to the research site, may apply and should be considered."21

Conclusion

eICs present significant opportunities to enhance the informed consent process, including the ability to better inform subjects, and to verify that subjects have been informed, of clinical study risks and advantages, and subject rights. In an increasingly multi-lingual society, eICs make it easier (with appropriate pre-planning) to enroll non-English speaking subjects, to capture consent (for example, with a voiceprint or fingerprint), and to populate databases with eIC data. eICs will be more easily understood and adopted by the millennial generation. However, eICs, like other forms of electronic records, raise privacy and data security regulatory compliance concerns.

Companies contemplating clinical trials may wish to employ eICs to gain their many advantages while taking the appropriate steps to comply with privacy and data security regulations. Vendors may wish to create and market eICs to these companies, raising potential issues of software patents, trademarks, copyrights, licensing, and privacy regulation compliance.

For help with any FDA regulatory aspect of consent forms, eICs, associated privacy and secure data storage regulatory compliance, software patents, trademarks, copyrights, or licensing, please contact David Hoffmeister, Vern Norviel, Charles Andres, or any member of Wilson Sonsini Goodrich & Rosati's life sciences, patents and innovation strategies, or privacy and data protection practices.


1 "Use of Electronic Informed Consent in Clinical Investigations–Questions and Answers," Guidance for Industry, FDA, March 9, 2015, (eIC Guidance) available electronically at: http://www.fda.gov/ucm/groups/fdagov-public/@fdagov-drugs-gen/documents/document/ucm436811.pdf, last accessed February 13, 2015.
2 21 C.F.R. § 50 (e.g., the Human Protection Regulation) requires that clinical trial participants sign and date the informed consent form. A somewhat common mistake is for the principal investigator or clinical research investigator, not the patient, to date the consent form (typically by date stamping). This mistake, when uncovered during an FDA on-site inspection, inevitably leads to a Form 483 report.
3 eIC Guidance at page 3.
4 "Understandable means that the information presented to the subjects is in a language and at a reading level the subject can comprehend (including the explanation of scientific and medical terms). All abbreviations should be spelled out at the time of first use. If the eIC programs are interactive, they should be easy to navigate, allowing the user to proceed forward or backward within the system or stop and continue at a later time. Hyperlinks may be provided where helpful." Id. at pages 3-4.
5 Id. at page 4.
6 Id.
7 Id.
8 Id. at page 5.
9 Id.
10 See also 21 C.F.R. part 11, subpart A (11.1)(a).
11 eIC Guidance at page 5.
12 Id.
13 Id.
14 Id.
15 See, e.g., 21 C.F.R. § 50.27(a).
16 eIC Guidance at page 6.
17 Id. at page 6.
18 Id. at page 7.
19 Id.
20 Id. at page 8.
21 Id. at page 9.