Risk-Based Monitoring of Clinical Trials: COVID-19 and Paving the Road to the Future

Clinical Researcher—September 2020 (Volume 34, Issue 8)


Sandra “SAM” Sather, MS, BSN, CCRC, CCRA, FACRP; Jennifer Lawyer, RN, BS


Clinical research professionals are accustomed to sponsors requiring onsite monitoring to ensure human subject protection, data integrity, and quality. During the COVID-19 pandemic, however, clinical research sites have reduced the number of staff onsite and restricted onsite monitoring. Travel restrictions and the safety of the sponsor or contract research organization (CRO) monitors also compound the challenges of monitoring onsite.

Additional challenges have arisen with monitoring plans for active trials and trials that are soon to begin. These trials often support 100% source data verification (SDV), which is reviewing original data or certified copies to check for accuracy in the transcription into the electronic case report form (eCRF), and/or 100% data review of trial subjects, which is the monitoring of the quality of the data, the compliance to the protocol, and the completeness of reporting subject safety. This reveals a significant barrier to the ability to quickly shift to remote monitoring in the short term, due to the lack of agility of the quality systems.

Many sponsors and CROs do not have a clinical quality management system that is responsive enough to update the monitoring plan based on risk. Some of this is due to the common practice of CROs treating risk-based monitoring (RBM) as a more expensive line item or using it for only certain types of studies or clients. Additionally, the current state of quality systems includes technologies and other inflexible systems that create barriers to a more remote or virtual review of data quality. Even if the standard operating procedures (SOPs) are general enough to support various site monitoring approaches, the actual trial execution, training, design, integration of technology, and differences in regional laws combine to create an unhealthy system.

In the long term, as pandemic conditions linger and we move into the reopening phases of trials, faced with increased expenses and the challenges with onsite monitoring, clinical research professionals need to ensure their quality management systems have the flexibility for the “new normal” for site management.

Risk-Based Monitoring

Have you ever heard someone (maybe yourself) say, “We are not doing risk-based monitoring for this study”? This means that the monitoring function is conducting “traditional” monitoring. However, regulatory agencies, including the U.S. Food and Drug Administration (FDA), require sponsors to monitor the quality of their clinical investigations, and the ICH E6(R2) Integrated Addendum to the International Council for Harmonization’s guideline for Good Clinical Practice (GCP) made it clear that this includes ensuring that monitoring is based on risk.

So, if the choice is to do 100% SDV, that decision should be based on evaluation of risk. Remember, SDV is not monitoring the quality of the data; it only monitors the accuracy in the CRF. All studies should apply RBM or risk management in determining whether and how to perform remote monitoring.{1}

The term RBM is sometimes used as if it is a technique and a noun, instead of an action or standard foundation of a clinical quality management system. This disconnect starts early—usually during the selection of the study vendors. The request for proposal commonly inserts assumptions like “100% SDV,” which are then worked into the proposal by the vendor and get into the foundation of the relationship with the sponsor. This should be questioned at the pre-study stage, and it should have been occurring before the pandemic.

Many sponsors and CROs do not coordinate this well within the multiple layers of clinical organizations. Each stakeholder should complete this gap analysis as it moves into the post-COVID-19 landscape.

Remote Monitoring Before COVID-19

So, what is your definition of remote monitoring? Is it part of centralized monitoring, or part of onsite monitoring prep and follow-up? Is it a separate activity?

The FDA and the European Union’s (EU’s) European Medicines Agency (EMA) released guidance to clarify remote monitoring before the pandemic. The FDA has for many years encouraged the use of various approaches to monitoring, including centralized monitoring and activities that review critical data offsite, when appropriate.

The FDA’s 2013 guidance{2} on risk-based monitoring also clarifies some alternative monitoring techniques that could be done remotely, depending on the processes and systems in place. For example, 1) communication with sites, 2) informed consent form review, 3) informed consent process review, 4) original source data review, and 5) SDV could be done remotely. Many of these activities also require some review of the site’s original source data remotely.

Besides centralized monitoring of data entered into the eCRF, remote access of source documents can be challenging due to privacy, system security, site time, unharmonized definitions of source data and certified copies across sites and sponsors/CROs, and unnecessary laborious processes, such as misusing the word “de-identify” vs. “redact.”

In the EU, the General Data Protection Regulation{3} (GDPR) has some stringent rules for collecting or processing subject data, including during the conduct of a clinical trial. GDPR adds complexity to remote monitoring of source data by requiring that investigative sites pseudonymize source documents before sponsors/CROs receive them offsite. This would require additional onsite monitoring later to confirm attributability of the data to the study subject. Therefore, if 100% SDV is required, the value of remote SDV decreases. Remote monitoring does, however, have value globally for working with sites early to monitor quality performance.

GDPR is applicable for all businesses in the EU, but also to any business that is collecting or processing data of an EU subject. This applies to any study conducted in the EU. Regarding remote monitoring pre-COVID-19, if it is in line with national or local requirements, remote monitoring is limited to non-source document review. This includes, for example, discussions regarding a trial subject’s progress, issue management discussions, and training site personnel, but not SDV.

Globally, subjects need to know about any risks, safeguards, and rights they have regarding their data. For study participants, this includes the remote monitoring of their data, when applicable. Informed consents should be reviewed to ensure they support the requirements.

Remote Monitoring During and After COVID-19

The practical implications of the restrictions and challenges during the pandemic are that sites can adjust to the new state of remote monitoring using a risk-based approach. The global guidance from regulatory authorities supports remote access for critical data during the restrictions. Has the current pandemic been a trigger to consider a risk-based approach and better support for remote monitoring? Is this true even in Europe?

The FDA guidance{4} for conducting clinical trials during COVID-19 restrictions supports remote monitoring for oversight of clinical sites. A risk-based decision should be made on what data are critical to monitor, while ensuring subject safety, data quality, and data integrity.

The EU guidance{5} for conducting clinical trials during COVID-19 notes in Chapter 11 (Changes to Monitoring) that “offsite monitoring” refers to remote communications between the site and sponsor, but this does not include remote SDV. Besides needing to be in line with current and temporary national law, the EU states that remote SDV can only be considered “during the public health crisis for trials involving COVID-19 treatment or prevention or in the final data cleaning steps before database lock in pivotal trials investigating serious or life-threatening conditions with no satisfactory treatment option.”

The remote review should focus on critical data, like primary efficacy data and important safety data. If secondary endpoint data can be assessed at the same time without asking for more source documentation and not adding to the site’s workload, then that is acceptable during the crisis.

The EU guidance notes that remotely reviewed data will likely need re-monitoring, especially when the information has been de-identified and the review has been restricted to less data. De-identified data or pseudonymized source data would require additional information to confirm identity at a later time. When using the word “redacting,” one must define the level of redaction, which does not necessarily mean at the level of de-identification. Following the regional, local, and institutional requirements must be ensured.

The interpretations of the EU guidance may ironically lead to more onsite monitoring after the crisis normalizes, depending on what the monitoring plans require for SDV. For global trials conducted in the U.S. and EU, this will require innovations to support more source data review (SDR, which we will discuss in a moment) and less SDV, as well as more remote monitoring of data.

Protecting the privacy, safety, and rights of study subjects is paramount. It is interesting that two regulatory agencies have such wide differences in the approach to remote site oversight. Is this due to SDV?

Telehealth and Remote Monitoring

One global practice that has helped the industry during the pandemic is healthcare’s use of telehealth, also referred to as telemedicine, prior to COVID-19. In the U.S., the Office for Civil Rights (OCR) released an Enforcement Discretion{6} and a Frequently Asked Questions guidance{7} clarifying how telehealth may be used for remote healthcare visits during the pandemic. For clinical trials, subjects can have virtual visits through non-public videoconferences or home health services, when it is safe and feasible.

It has been observed that sites that are part of managed care using telehealth are more adaptable to performing clinical trial study visits using similar approaches as telehealth. Fortunately, the service providers’ telehealth platforms for managed care in the U.S. often have been vetted by the healthcare institutions for compliance with the Health Insurance Portability and Accountability Act (HIPAA). These institutions would need to consider the differences and risks in using video conferencing for remote study participant visits and for remote monitoring meetings between the sponsor monitor and the site’s research team vs. physician and patient visits. In many cases, the sites and monitors can use video conferencing for remote visits with sites to discuss clinical trial participants’ study cases.

GDPR allows telehealth under certain conditions{8}; the information must still be lawfully collected, which would be covered by the subject signing the consent to participate in the study and complete study visits, with permission for collection and processing of certain data. Additionally, the data are needed for compliance with regulatory authorities’ requirements to monitor subjects’ safety, for inspections, and for data retention.

Telehealth solutions need to meet the principles of GDPR:

  • Lawful, fair, and transparent processing
  • Purpose limitation
  • Data minimization
  • Accurate and up-to-date processing
  • Limitation of storage in a form that permits identification
  • Confidentiality and security
  • Accountability and liability

Telehealth also needs to be compliant with any regional requirements under the ePrivacy Directive.{9} According to the statement{10} by the European Data Protection Board, only data that are necessary to complete the objectives should be obtained.

Given the requirements for protecting the rights of data subjects in the EU, telehealth for subject visits is more challenging and complex than in the United States, where the OCR released an Enforcement Discretion{11} for good faith disclosure of protected health information during the crisis. Telehealth may be employed more frequently, even after the crisis, and more guidance on how to proceed is likely to follow.

Remote SDR vs. SDV After COVID-19

As previously noted, SDV involves reviewing original data or certified copies to check for accuracy in the transcription into the eCRF, while SDR refers to monitoring the quality of the data, the compliance to the protocol, and the completeness of reporting subject safety. SDR may include some SDV. In the U.S. and EU, remote SDR can be performed when agreed upon between the sponsor and sites. When SDR involves SDV, it gets trickier and must meet national, local, and institutional restrictions for privacy.

There needs to be well thought out use cases related to what is acceptable for each sponsor and site based on their approved processes. For example, can a monitor ask a site’s clinical research coordinator (CRC) to hold a paper source document in front of a screen during a video conference for the monitor to review? Can the CRC send a subject’s lab value in the “chat” function for a monitor’s review? Can a site attach a copy of a source document to an e-mail to the sponsor monitor?

In the EU, the EMA’s guidance{12} for conducting clinical trials during COVID-19 states that remote SDV should be restricted per national and emergency measures to cases related to critical data and subject safety, which account for very few trials. They mention a few possible scenarios: sharing pseudonymized copies of trial-related source documents with the monitor that would likely require re-monitoring onsite later; direct controlled remote access to subjects’ electronic medical records (EMRs); and video review of medical records with clinical site team support, without sending any copy to the monitor and without the monitor recording images during the review.

Sponsors and sites need restrictions in place regarding the use of the chat function and any recording of the session because of the risk of a breach of protected health information. Some examples of risks include a lab value and patient name being entered and sent to the monitor in the chat, or the monitor recording the session or taking screenshots of the source data during the session.

Both the sites and the sponsors/CROs should have processes in place to ensure subjects’ privacy. For future trials, sponsors/CROs should include an assessment of the site’s requirements related to remote communications regarding study subjects in site qualification visits. Sponsors should also ensure their processes for remote monitoring are flexible enough to support the variable restrictions from site to site, including using the site’s approved technology vs. the sponsor’s.

Should a site redact source documents before sending or making them available? Should a site provide direct access to the electronic source documents? How does the monitor document SDV remotely in the eCRF; does the eCRF system define the monitor’s review the same as onsite? Each of these answers depends on the country, local, and institutional requirements of the site, sponsor, and vendors. Regardless, the sponsor has obligations to ensure it can review the quality of the documentation equally onsite and remotely. Ensuring the documentation meets the ALCOA standards is essential (i.e., the source documents are attributable, legible, contemporaneous, original, accurate, and complete).{13}


As pandemic-related restrictions are lifted and onsite monitoring is permitted, reviewing that clinical sites have good documentation of their actions related to changes to their trials will become a top priority. Areas to focus on include documentation of consent, deviations related to changes, and documentation of communication with subjects (e.g., about home shipment of investigational product or protocol changes).

Remote monitoring and remote access to EMRs were possible before COVID-19 restrictions, but few thought about how best to implement them. The positive outcome and lessons learned from navigating through COVID-19 restrictions are that there can be a future with increased remote monitoring for clinical trials.

The industry needs to question whether tasks that are completed onsite are necessary, or if they are being completed onsite just because it is “how things are done.” If a remote monitoring requirement is not part of the monitoring plan, it may be possible to challenge the norm. For example, remote investigational product accountability may initially not seem feasible, but there may be evidence of accountability with documentation, or video conferencing may provide another virtual solution.

It is likely that enough data will be gathered to support a continued progression to remote visits for subjects and remote monitoring, using a risk-based process to ensure quality clinical trials.


  1. ICH E6(R2) Guideline for Good Clinical Practice, Section 5.0, November 2016
  2. U.S. FDA Guidance on Oversight of Clinical Investigations — A Risk-Based Approach to Monitoring, August 2013
  3. EU The General Data Protection Regulation 2016/679
  4. U.S. FDA Guidance on Conduct of Clinical Trials of Medical Products During COVID-19 Public Health Emergency, March 2020
  5. EMA Guidance on the Management of Clinical Trials During the COVID-19 (CORONAVIRUS) Pandemic Version 3, April 28, 2020
  6. OCR Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
  7. OCR FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency
  8. Teleconsultation and COVID-19: who can practice remotely and how? Information for professionals practicing telehealth (telemedicine and telehealth), published on 18.03.20
  9. Directive 2009/136/EC
  10. Statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak, March 16, 2020
  11. OCR Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, March 30, 2020
  12. EMA Guidance on the Management of Clinical Trials During the COVID-19 (CORONAVIRUS) Pandemic Version 3, 28/04/2020
  13. ICH E6(R2) Guideline for Good Clinical Practice, Section 4.9.0, November 2016

Sandra Sather headshot

Sandra “SAM” Sather MS, BSN, CCRC, CCRA, FACRP, is Vice President of Clinical Pathways, a consulting firm located in the Research Triangle Park area of North Carolina with a mission to promote clinical quality systems for sponsors/CROs and investigators/research institutions. She has been dual-certified by the Association of Clinical Research Professionals (ACRP) for more than 10 years (as both CCRC and CCRA). She also is a current ACRP Fellow, which is awarded to individuals who have made substantial contributions to the Association and the industry at large.

Jennifer Lawyer, RN, BS, is Operations Director at Clinical Pathways, with a focus on implementing processes to improve quality and on-time delivery for eLearning development and project management. Prior to joining Clinical Pathways, she was a private duty nurse and held other clinical research positions. She is an ACRP member and is working toward her professional certification.