Providing Restricted Access to an Electronic Medical Record for Research Monitoring

Clinical Researcher—March 2018 (Volume 32, Issue 3)


Leslie Bell, MA; Stephanie Gentilin, MA; Susan Sonne, PharmD, BCPP; Toni Mauney, BA; Patrick Flume, MD

[DOI: 10.14524/CR-17-0034]



As hospital systems and healthcare institutions adopt electronic medical records (EMRs), a new challenge arises in the normal conduct of clinical research. When protected health information (PHI) is stored in an EMR, there is inherent risk that general access to these systems for source verification purposes could also give research monitors access to the PHI of non-study participants.


The International Council for Harmonization (ICH) Good Clinical Practice (GCP) guidelines stress the necessity of identifying a safe and appropriate means of allowing research monitor access to source documentation contained in EMRs [1]. However, challenges often remain in mitigating security risks when granting third-party access to such systems.

In addition, the Health Insurance Portability and Accountability Act (HIPAA) of 1996’s Privacy Rule minimum necessary standard specifies that PHI should not be disclosed unless necessary to achieve a particular function, and that a covered entity should take steps to prevent unnecessary or inappropriate disclosure of PHI [2].

As technology evolves and becomes increasingly integrated with clinical research, it is imperative that institutional leaders continuously evaluate their policies and procedures for the safeguarding of PHI, as well as their methods for granting appropriate access to those data.

Considering the Options

Limited research is available on successful implementation of EMR monitoring solutions, but there are descriptions of a variety of methods attempted by clinical research sites [3]. One approach is to utilize study coordinators’ time and resources, having them access the EMR system and navigate through patient records while the monitor reviews by an over-the-shoulder approach. This solution consumes excessive coordinator time that could be utilized for other study-related duties, and it potentially creates scheduling conflicts, as monitors can only be scheduled when study coordinators have sufficient time to spare.

Another approach is to prohibit monitors from accessing EMRs, and instead compile hard-copy “shadow charts” for each study participant. This method has inherent cost burdens related to production, storage, and destruction, as well as the logistical burden of necessitating that all hard-copy records receive the designation of a certified copy. In addition, many monitors view the shadow chart as an incomplete form of monitoring, as there is no way to verify that the chart is complete and free of intentional or accidental omissions [2].

Case Study

At the authors’ institution (the Medical University of South Carolina [MUSC]), the Epic system was implemented for EMRs. Access to the EMR system for general users is a rigorous process involving investigation and documentation of private information (e.g., Social Security numbers) in order to acquire the requisite unique login and password.

This methodology was in place for all users, creating a large procedural burden for research staff to obtain access for monitors, as well as potentially violating existing contracts with sponsors (e.g., by introducing incongruent indemnification language). In addition, there are regulatory requirements to have a system in place for proactive restriction of PHI to patients who had consented to study participation, which was not readily provided with this process.

Cognizant of the limitations of available methods, MUSC undertook the development of a means of granting external research monitors access to Epic in a way that allowed view-only, real-time access to study patients’ complete medical records, while prospectively limiting them to the charts of patients who had consented to the trial being monitored. Here we describe the methods and outcomes with our “solution” to this problem.


We solicited approaches from other institutions where Epic was in use to assess if there was an existing approach to secure, compliant monitoring using pre-existing Epic functionality. However, none of the institutions approached were wholly satisfied with the existing solutions.

The functionality employed by these institutions included Epic’s Release to Inspector function, the EpicCare Link workflow, and the Epic InBasket functionality. Users at the institutions identified several limitations of these methods: static data that prevented real-time source verification, the presentation of data in a PDF format that was extensive and lacked a method to navigate the document, and an inability to eliminate the risk of institutional providers inadvertently sending non-research patient charts to monitors’ in-baskets.

Unsatisfied with existing options, the authors of this paper decided to develop their own method of monitor access by working with an analyst at MUSC on a restricted-access template in Epic that employs a dual method of security. This restricted-access template limits user rights so that they have no authorization to make edits to the chart or the template itself, or to navigate anywhere in the system outside their assigned patient list.

In addition, the restricted-access template removes all visual depictions suggesting the ability to edit or navigate outside the patient chart. Prior to the development of this template, access restriction was not a defined process specific to facilitating monitor access.

An implementation process was developed instructing study teams to notify Epic security requesting restricted access for the monitor prior to the monitor’s arrival. A restricted access account is provided that does not allow access into patient records other than those the study coordinator has linked to a monitor’s account.

When a monitor logs into Epic, he/she can see only the shared patient list while having access to complete, real-time patient charts. Testing of the template was performed by Epic analysts, university compliance, and Epic clinical and research users. Training of study staff included live presentation (also recorded) and instructional materials. The template was successfully piloted with study teams in January 2015 and broadly implemented in February 2015.

The step-by-step workflow from template assignment to chart access proceeds as follows:


Figure 1: Restricted Monitor Access Workflow


The restricted-access monitor process was initiated in January 2015 in parallel with the release of the first signed institutional policy outlining the process. The first six months in which the process was in place were considered a pilot phase under strict oversight by the MUSC compliance office.

During the pilot phase, compliance officers identified no instances of inappropriate access or activity by visiting research monitors. In addition, no negative feedback regarding the new process was received by the university’s Support Center for Clinical & Translational Science (SUCCESS Center) throughout the pilot phase. Consequently, at the end of six months, the only change made to the process was switching the institutional authority that issued the monitor access accounts from University Human Resources to the Health Information Management team for workflow efficiency purposes. No process or workflow changes were made from the perspective of the research monitor or study team.

As of August 2017, 18 months post-implementation, 490 monitors had utilized the restricted access template. On a monthly basis, up to 100 patient charts have been accessed appropriately, with compliance continuing to find zero instances of inappropriate access during post-monitoring visit audits.
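The two controls of the restricted-access template (view-only rights and the coordinator-shared patient list) and the post-monitoring visit audit can be modeled in a few lines. This is an added example, not part of the original article and not Epic configuration or an Epic API; the account names, patient identifiers, action names and log fields are all constructed assumptions.

```python
from dataclasses import dataclass

VIEW = "view"  # assumed label for the only action the template permits


@dataclass(frozen=True)
class AccessEvent:
    account: str      # monitor's restricted-access account (hypothetical)
    patient_id: str   # chart that was requested (hypothetical identifier)
    action: str       # e.g. "view", "edit"


def is_allowed(event, shared_lists):
    """Deny by default: allow only view actions on charts the study
    coordinator has linked to this monitor's account."""
    assigned = shared_lists.get(event.account, frozenset())
    return event.action == VIEW and event.patient_id in assigned


def audit(events, shared_lists):
    """Post-visit audit: return (event, reason) for every logged event
    that the restricted template should not have permitted."""
    findings = []
    for ev in events:
        assigned = shared_lists.get(ev.account)
        if assigned is None:
            findings.append((ev, "account has no shared patient list"))
        elif ev.patient_id not in assigned:
            findings.append((ev, "chart not on shared patient list"))
        elif ev.action != VIEW:
            findings.append((ev, "non-view action"))
    return findings


# Constructed sample data (not real accounts, patients or log records).
SHARED_LISTS = {"monitor01": frozenset({"P-1001", "P-1002"})}
SAMPLE_LOG = [
    AccessEvent("monitor01", "P-1001", "view"),
    AccessEvent("monitor01", "P-1002", "view"),
    AccessEvent("monitor01", "P-2001", "view"),   # non-study patient
    AccessEvent("monitor01", "P-1001", "edit"),   # write attempt
    AccessEvent("monitor02", "P-1001", "view"),   # no list linked
]

if __name__ == "__main__":
    for ev, reason in audit(SAMPLE_LOG, SHARED_LISTS):
        print(f"{ev.account} {ev.action} {ev.patient_id}: {reason}")
```

An audit that returns an empty list for a visit corresponds to the "zero instances of inappropriate access" result reported above.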


The implementation of the restricted-access template in Epic has succeeded in restricting research monitors to consented study patient charts while also allowing them the complete, real-time access required for ensuring human subjects protection and data validation. This has been accomplished in a manner that satisfies security needs at our institution.

Establishing this new institutional process has unveiled the challenge of identifying and incorporating the concerns and requirements of various institutional groups involved in data access across the institution and accommodating all of their requirements. This discovery was the impetus for forming a diverse group of institutional stakeholders who were able to contribute to the development of the monitor access process and corresponding institutional policy.

The group also created a Research Monitor/Sponsor Auditor agreement form—to be signed by both a study team representative and the visiting monitor—outlining the responsibilities of each party. Finally, the group drafted language to embed within contracts between MUSC and corporate research sponsors that spoke to the new policy, to ensure that all sponsors were aware of the necessary requirements for issuing monitors EMR access prior to study initiation.

One limitation identified during this process was the necessity of issuing an MUSC university identity account to research monitors required for them to access Epic. Although these accounts are restricted and secure, almost 500 users had to be added and maintained as account holders in the institutional identity management system. In addition, in order to ensure security, these accounts were prohibited from being utilized remotely, therefore preventing remote monitoring, although such an option was becoming widely requested by corporate sponsors.

In 2017, MUSC upgraded to a newly released version of Epic that contained functionality specifically designed for granting access to research monitors. The solution implemented through this new release was in near exact alignment with our approach, allowing for minimal change in workflow with the adoption of this enhanced functionality. This new approach also eliminates some coordinator burden, allowing the sharing of patient lists with the monitors to be more automated.

The template utilized in this newly released functionality was built using components of Epic’s clinical Release to Inspector functionality in combination with the restricted access template that MUSC had designed. This new functionality adds the benefit of allowing for easy remote monitoring; a monitor is sent a link by e-mail that sends him/her directly to an Epic InBox, where view-only, real-time chart information of patients assigned by the study coordinator through the restricted access template may be accessed.

MUSC compliance will test this new functionality and, if approved, new training materials will be developed and the new process piloted by select research teams.


The development of the restricted-access template and workflow process has been successful in serving its purpose of providing a secure and compliant means of granting monitors appropriate, limited access to the MUSC EMR system prior to the release of this functionality in Epic. This satisfied the security needs of the institution while simultaneously adhering to GCP guidelines and HIPAA privacy rule regulations. The authors hope that the new Epic functionality will allow for the possibility of granting monitors access to patient data remotely in an equally secure manner.


  1. U.S. Food and Drug Administration. 1996. Guidance for Industry—E6 Good Clinical Practice: Consolidated Guidance.
  2. U.S. Department of Health and Human Services. 2003. OCR HIPAA Privacy Guidance: Minimum Necessary Requirement.
  3. Strohmeyer P. 2011. Managing CRA access to electronic medical records. J Clin Res Best Pract 7(6).

All authors of this paper are affiliated with the Medical University of South Carolina.

Leslie Bell, MA, is a Research Navigator with the South Carolina Clinical & Translational Research Institute (SCTR) SUCCESS Center.
Stephanie Gentilin, MA, is Director of the SCTR SUCCESS Center.
Susan Sonne, PharmD, BCPP, is an Associate Professor of Psychiatry.
Toni Mauney, BA, is a Regulatory Coordinator.
Patrick Flume, MD, is a Professor of Medicine and Pediatrics.