FDA Clinical Investigations: New Guidance on Electronic Systems

On October 2, 2024, the U.S. Food and Drug Administration (FDA) released guidance in a question and answer format regarding the use of electronic systems, electronic records, and electronic signatures in clinical investigations of medical products, foods, tobacco products, and new animal drugs (the Guidance).

Previously, in 1997, the FDA published a final rule (21 C.F.R. Part 11 Regulations) outlining requirements for records created, modified, maintained, archived, or transmitted in electronic form. The FDA issued further guidance on this topic in August 2003. Since that time, the FDA has acknowledged that advances in technology have expanded the use and capabilities of electronic systems in clinical investigations and have issued several guidance updates, including updates in 2017 and 2023.

Electronic Records

In terms of compliance with Part 11 regulatory requirements, the Guidance confirmed that, with respect to electronic health record systems that are sources of real-world data, the FDA does not intend to assess compliance by such systems with the Part 11 regulations. The FDA did clarify, however, that if a sponsor is conducting a clinical investigation with a non-U.S. site under investigational new drug application (IND), investigational device exemption (IDE), or investigational new animal drug (INAD) file or other clinical investigation subject to FDA regulation, Part 11 Regulations requirements apply to records in electronic form.

Regarding records retention, the FDA clarifies that if a regulated entity intends to maintain a copy of the electronic record in place of original (paper or electronic) records, then a certified copy is required. A certified copy is one that has been verified in some way to maintain the same information (including any metadata of the original record). Once a certified copy is created, the original record may be discarded. Additionally, the FDA notes that there are various ways for regulated entities to retain electronic records including electronic storage devices and using cloud computing services. Regulated entities must simply ensure that the electronic records are maintain for applicable retention period and be available for inspection.

Finally, the FDA notes that Part 11 regulations do not address electronic communication methods like email systems or text messages.

Electronic Systems Deployed by Regulated Entities

As noted in the 2003 guidance, the FDA intends to use a risk-based approach for validation of electronic systems deployed in clinical investigations. Considerations for the risk-based approach will include:

The intended use of the system;
The purpose and importance of the data or records that are collected, generated, maintained, or retained in the system; and
The potential of the system to affect the rights, safety, and welfare of participants or the reliability of trial results.

Additionally, the FDA notes that electronic systems should be validated prior to use in a clinical investigation. Regulated entities may evaluate an information technology (IT) service provider’s validation process by reviewing:

Processes for developing and managing the system;
Validation processes;
Functional testing of the electronic system; and
Change control procedures and tracking logs.

When inspecting an electronic system during a sponsor investigation the FDA will generally focus on the following:

Data collection, data handling, data security, and data management plans and procedures;
The life cycle of the electronic system, from design and implementation to decommissioning or transitioning to a new system;
Processes and procedures that are in place to ensure that the data and records required to reconstruct the clinical investigation are not altered in value or meaning, including during the transfer of data to durable electronic data repositories;
Processes and procedures to ensure only authorized individuals are given appropriate access to electronic systems;
Change control procedures and any changes made to the system once in use;
Relevant contracts with IT service providers or other contracted entities that detail their functions and responsibilities; and
Corrective and preventive actions implemented to address errors and noncompliance that may reasonably be expected to impact data integrity or the protection of participants.

The Guidance also noted various factors that the FDA will focus on during investigations of clinical investigation systems, as well as required and recommended safeguards for electronic systems deployed by any regulated entity.

Information Technology Service Providers and Services

The Guidance continues to list various factors regulated entities should consider when assessing the suitability of IT service and IT service providers. The Guidance also recommends certain components to be included in any written agreement with IT service providers. Finally, the FDA notes that it may inspect IT service providers who have assumed regulatory responsibilities.

Digital Health Technologies

The Guidance notes that sponsors should ensure that any data obtained from digital health technologies are correctly attributed to the originator, and digital health technologies should be designed to prevent unauthorized changes to data through the use of access controls. The FDA acknowledges that implement access controls for certain digital health technologies (such as wearables) may be difficult. Nevertheless, a sponsor needs to consider how to address authentication and data attribution, especially when the data may be used to support a clinical investigation endpoint.

Electronic Signatures

Finally, the FDA notes that various methods may be used to create valid electronic signatures and various methods may be used to verify the identity of any individual that electronic signs records. For instance, electronic signatures based on biometrics must be designed in a way to ensure that no one may sign the records other than the genuine individual. The Guidance also notes that the FDA does not consider signatures drawn with a finger or an electronic stylus as handwritten signatures.

Conclusion

The Guidance offers important insight into how the FDA is viewing the area of electronic systems, records, and signatures. All stakeholders, including sponsors, clinical investigators, institutional review boards (IRBs), and contract research organizations (CROs) should take note of the FDA’s recommendations and guidance for best practices and implement changes in their organization as needed.

Foley is here to help you address the short- and long-term impacts in the wake of regulatory changes. We have the resources to help you navigate these and other important legal considerations related to business operations and industry-specific issues. Please reach out to the authors, your Foley relationship partner, our Health Care & Life Science Sector, or to our Health Care Practice Group with any questions.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.