The U.S. Food and Drug Administration (FDA) issued in May draft guidance titled, “Use of Electronic Health Record [EHR] Data in Clinical Investigations.”

The guidance advises sponsors and clinical investigators to adhere to best practices, including the planning and management of using EHRs in research, modifying EHR data, providing audit trails, including statements about confidentiality in informed consent, and maintaining privacy and securing data.

IRB Advisor asked the FDA to respond, in writing, to a few questions about the draft guidance in this Q&A. The FDA’s responses were made by Cheryl Grandinetti, PharmD, Health Science Policy Analyst in the Office of Medical Policy at FDA’s Center for Drug Evaluation and Research, and Leonard Sacks, MD, Associate Director of Clinical Methodology, also in the Office of Medical Policy.

IRB Advisor: What kinds of issues have arisen that led to the need for the new draft guidance related to EHR data in clinical trials?

FDA: In general, EHRs are not under the control of FDA-regulated entities (e.g., sponsors, clinical investigators), because in most instances these systems belong to healthcare organizations and institutions. FDA has stated in previous guidance that we do not intend to assess compliance of EHRs with 21 CFR part 11. However, FDA’s acceptance of data from clinical investigations for decision-making purposes depends on FDA’s ability to verify the quality and the integrity of data during on-site inspections and audits (see 21 CFR parts 312 and 812). Sponsors are responsible for assessing the validity, reliability, and integrity of any data used to support a marketing application for a medical product. Therefore, best practices on the use of the data in clinical investigations from these systems are needed and this guidance clarifies our expectations when EHRs are used as a source of data in clinical investigations.

IRB Advisor: How does the guidance ensure that EHR data meets FDA’s requirements (i.e., what are some of the common problems related to recordkeeping and record retention)?

FDA: This guidance describes the critical information that should be captured for audit trails as well as other controls, like access controls and the ability to retain and copy records. These are important attributes of an electronic system when used as a source of data in FDA-regulated clinical investigations, and necessary to ensure the reliability, integrity, and confidentiality of the data.

IRB Advisor: With so many different EHRs in use, how are organizations doing with interoperability? How have things improved over where they were five years or a decade ago?

FDA: Issues pertaining to EHR interoperability are being addressed by the adoption of data standards and through standardization requirements as part of the ONC Health Information Technology Certification Program.

IRB Advisor: In the draft guidance’s informed consent section, the document refers to foreseeable risks with the use of EHRs. Besides the risk of data breaches, what other types of risks might there be?

FDA: The risks associated with the use of electronic health records stem primarily from data breaches. The consequences that arise from such data breaches include risks to the subject’s insurability or employability, and could also stigmatize the subject. Additionally, data breaches increase the likelihood of the subject being a victim of medical identity fraud.

Editor’s note: A copy of the new draft guidance is available online at: