New Guidance on Using EHR Data in Clinical Research Issued By the U.S. FDA

The U.S. Food and Drug Administration (FDA) has introduced new guidance about the usage of EHR data in clinical research and the prerequisite to make sure that proper controls are implemented to protect the confidentiality, integrity, and availability of health information.

Although the guidance is non-binding, it gives healthcare providers useful tips on how to decide whether or not to use EHRs as a source of information for clinical research, how to ensure the quality and reliability of EHR information, and how to ensure the FDA’s evaluation, recordkeeping and data retention specifications are satisfied. The objective of the guidance is to promote interoperability of EDC and EHR systems and support the use of EHR information in clinical research.

The guidance doesn’t apply to information gathered for registries, natural history studies, the usage of EHR data to assess the feasibility of test design, recruitment tools for clinical research, or the usage of EHR data in postmarketing observational pharmacoepidemiologic research that evaluates adverse events and risks related to drug exposure or studies which test pre-determined hypotheses for such research.

EHRs can be used to give researchers access to real-time information for reviews and can be invaluable for follow-ups to determine the long-term effectiveness of treatments. EHRs can also be used to gain access to the data of large numbers of patients, which is necessary when evaluating possible outcomes that are only experienced by a small percentage of patients who undergo specific treatments.

The FDA is encouraging the use of EHR data for clinical research, although best practices must be adopted to ensure that patient privacy is safeguarded, data integrity is preserved, and data are kept secure at all times.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 required the Office of the National Coordinator for Health IT (ONC) to set up an optional certification program for Health IT. Accredited EHRs conform with 45 CFR part 170 of the HITECH Act, which covers interoperability and information security and verifies that EHRs satisfy minimum privacy and security requirements.

The FDA suggests healthcare organizations should only use certified EHR systems for clinical research purposes, and that policies and procedures for their use should be developed. The FDA proposes that a list of EHR systems is maintained, describing the system developer, the EHR version number used, the model number, and whether the EHR is ONC certified.

There might be occasions when ONC de-certifies EHRs while clinical research studies are still running, such as when the EHRs are found to fail to meet the appropriate standards. In such instances, sponsors need to identify the cause of de-certification and its effect on the integrity and quality of the information used in the clinical research study.

Sometimes it may be necessary to integrate data from EHR systems used in other countries, which are naturally not required to meet ONC requirements. Data from EHRs used in other countries can be used, but sponsors must determine whether the privacy and security controls are appropriate and whether they will ensure the confidentiality, integrity, and availability of health data.

Sponsors need to make sure that EHR policies and procedures are in place at the research site and that proper controls have been applied to secure study information. Any system that houses electronic health records must also be protected by physical and technical controls to prevent unauthorized individuals from gaining access to health data. It should also be clear who the authors of records are, audit trails should be created, and records must be maintained and made available to the FDA on request.

If appropriate controls are not put in place, sponsors should evaluate the level of risk posed by including EHR data, including the risk to research subjects and the regulatory implications of using the data.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: