This message was posted by a user wishing to remain anonymous
Thank you for your response. I have fought reporting this immediately to our institution's IRB however, I got a lot of push back from leadership. It is agreed that a CAPA and retraining on the regulations is appropriate in this scenario however, they do not feel it is a deviation that needs reported immediately to the IRB, nor a deviation at all. I was informed it is considered a violation from the "regulatory process," and not a protocol deviation. So, in my professional opinion, the informed consent process is a part of the protocol study. The violation of 21CFRPart11 in this case with the consenter using another staff's REDCap account compromises the integrity of the participant informed consent process, so I am trying to understand how this would not be a protocol deviation in this case. I was informed that because all the other elements of the informed consent process were followed per our SOPs and regulations, that there is no deviation regarding the consent process. But it still breaches the institutional and federal policies on electronic consent. In this case, the team is deciding to ONLY go with a Note to File, with a CAPA and retraining, and reporting it to the IRB at the next continuing review. Is this acceptable, or will this come back to haunt us later down the road? I rather err on the side of caution and report it as soon as possible. What could be the harm in reporting it anyway? Am I over reaching? I just want to ensure to that we are ethically taking the right steps.
Original Message:
Sent: 18-Apr-2024 08:19
From: David Jensen
Subject: Academic REDCap e-Consent deviations/violations
Anon,
This is a major deviation. Using someone else's account to sign documents is not allowed by part 11 (see below with my underline) and is probably a major violation of your institution's policy(ies).
David
| Sec. 11.200 Electronic signature components and controls. |
(a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. (b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. |
------------------------------
David Jensen PhD, RAC
Senior Regulatory Affairs Scientist
Durham NC
United States
Original Message:
Sent: 17-Apr-2024 17:08
From: Anonymous Member
Subject: Academic REDCap e-Consent deviations/violations
This message was posted by a user wishing to remain anonymous
Hello,
The research institution that I work for recently had an internal audit. One finding during this audit was with the e-Consenting process through Academic REDCap, e-signed by the participant and the investigator for a device/drug treatment trial. This was noted as a major deviation after the audit, and I wanted to confirm if my fellow regulatory colleagues agreed with this.
The back story in this case was that the consenting investigator, who was signing the consent after the participant, had a REDCap account that had expired therefore, the investigator could not utilize his own REDCap account to go through the e-Consent process with the participant. In the essence of saving time and a long wait for the participant, as reactivating the account would have taken some time, the study coordinator for this study allowed the investigator to sign into her REDCap account. The participant signed, and the investigator signed. All other elements of the informed consent process were followed and documented per the regulations. However, deep into REDCap, the auditors wanted to confirm the history of the investigator signature (which our QC and reg team didn't even know this was something that we could have been checking). In doing so, the investigator signature name of course did not match the "user ID," because he was using the coordinators account to go through the signing process. When the auditor's selected the H radio button next to the digital signature of the investigator, it showed it was uploaded by user "fdkfkd" for exaample, and not "yuyuyu."
Is this a violation of part 11 compliance? A fair major deviation to give? Thoughts? Has this happened to anyone before?