Monitoring/audit visits should be conducted remotely or should be postponed whenever possible. However, study sponsors may insist on in-person monitoring as a condition of allowing the UW to participate in the study.
When monitoring or audit visits must be conducted in-person:
- Obtain permission from the location facility, as needed.
- Limit the time in the building spaces to the minimum necessary. Try to hold any Q-and-A sessions in a well-ventilated place, such as an outdoor plaza near the building.
- Minimize the number of people gathering together.
- Everyone must be masked.
- If possible, schedule the visit for a time of day when there are likely to be fewer people around.
When monitoring or audit visits are conducted remotely:
- Access to research data must comply with the data security requirements and data storage locations outlined in the IRB-approved application.
- Access to research data must comply with any commitments made to subjects in the consent form.
- Direct access to UW Medicine PHI by a site monitor or auditor (i.e. monitor has direct access to the electronic medical record) must be approved by UW Medicine Enterprise Records & Health Information. Submit requests to Sally Beahan at email@example.com. For PHI maintained by non-UW entities, contact that institution for guidance on how to obtain remote access.
- Verify the identity of the monitor/auditor before providing access. This is no different than asking a monitor to present their ID when they show up for an in-person visit.
- Limit access to read-only and for the minimum time necessary to complete the visit.
- Ensure data cannot be copied or downloaded without authorization, or enable any audit features so that you are aware if an unauthorized download occurs.
EXAMPLE – The IRB application says Level 3 data security protections will apply. This means you must have a written process for documenting who has access to data (U10) and follow it. Data provided is coded (i.e. no subject identifiers) (U9). It also means any server that hosts data must log any access (S13), only allow users with unique IDs and passwords (i.e. no shared login accounts) (S9), etc.
Consult your IRB application and the HSD GUIDANCE Data Security Protections to understand the requirements that apply to your specific study. If existing data security requirements prevent remote access, consult with HSD about submitting a modification.
EXAMPLE – The consent form states that “all data will be kept in a secure, password-protected server at the UW.” This means you could not send the records to the study monitor or upload them to a cloud service that was not hosted by the UW, unless you obtain advance IRB approval of a modification request to allow this.
Contact firstname.lastname@example.org if you have additional questions.