Monitoring/audit visits should be conducted remotely or should be postponed. When conducted remotely:
- Access to research data must comply with the data security requirements and data storage locations outlined in the IRB-approved application.
- Access to research data must comply with any commitments made to subjects in the consent form.
- Direct access to UW Medicine PHI by a site monitor or auditor (i.e. monitor has direct access to the electronic medical record) must be approved by UW Medicine Enterprise Records & Health Information. Submit requests to Sally Beahan at email@example.com. For PHI maintained by non-UW entities, contact that institution for guidance on how to obtain remote access.
- Verify the identity of the monitor/auditor before providing access. This is no different than asking a monitor to present their ID when they show up for an in-person visit.
- Limit access to read-only and for the minimum time necessary to complete the visit.
- Ensure data cannot be copied or downloaded without authorization, or enable any audit features so that you are aware if an unauthorized download occurs.
EXAMPLE – The IRB application says Level 3 data security protections will apply. This means you must have a written process for documenting who has access to data (U10) and follow it. Data provided is coded (i.e., no subject identifiers) (U9). It also means any server that hosts data must log any access (S13), only allow users with unique IDs and passwords (i.e., no shared login accounts) (S9), etc.
Consult your IRB application and the HSD GUIDANCE Data Security Protections to understand the requirements that apply to your specific study. If existing data security requirements prevent remote access, consult with HSD about submitting a modification.
EXAMPLE – The consent form states that “all data will be kept in a secure, password-protected server at the UW.” This means you could not send the records to the study monitor or upload them to a cloud service that was not hosted by the UW.
Contact firstname.lastname@example.org if you have additional questions.