Human Subjects Research

Monitoring Guidance and FAQs


See also: COVID-19 Monitoring Guidance


Approved: June 24, 2020
Administratively Revised: August 20, 2021

  1. Purpose and Applicability
  2. Guidance
    1. Centralized Monitoring or Remote Monitoring
    2. On-Site Monitoring
    3. Monitoring of Multi-Centered PI-Initiated Trials
  3. Frequently Asked Questions (FAQs)
  4. Resources

I. Purpose and Applicability

Monitoring procedures have evolved in recent years due to advancements in technology. Washington University in St. Louis is committed to supporting these process changes while maintaining the privacy and confidentiality of our research participants as well as compliance with HIPAA rules and regulations. The purpose of this guidance is to describe Washington University’s efforts to support both on-site and centralized monitoring procedures for sponsor-initiated trials and outlines monitoring of multi-center PI-initiated trials.

This guidance applies to all clinical trials regardless of support including, but not limited to, all NIH, other federal, industry, foundation and departmental sponsored clinical trials being monitored or conducting monitoring of clinical trials. ​All research team members including faculty, staff, students, or other personnel listed on an IRB application for research should comply with the methods outlined in this guidance.

II. Guidance

Faculty and staff involved in the conduct, oversight, and/or management of clinical trials may be subject to monitoring by sponsors or their delegates. Monitoring may occur via on-site monitoring, centralized or remote monitoring, or multisite monitoring of PI-initiated trials. 

Centralized Monitoring or Remote Monitoring

Centralized monitoring, or remote monitoring, is monitoring that is conducted by an auditor somewhere other than the site in which the study takes place. The FDA monitoring guidance describes centralized monitoring as “a remote evaluation carried out by sponsor personnel or representatives (e.g., clinical monitors, data management personnel, or statisticians) at a location other than the sites at which the clinical investigation is being conducted.” 

The use of centralized monitoring poses concerns associated with sharing information containing Protected Health Information (PHI); therefore, the preferred methods of data transfer include:

  • Uploading source documentation to the sponsor’s Electronic Data Capture System (EDC)
  • WUSTL Box
  • or REDCap

Informed consent/assent document(s) should never be faxed, emailed, and/or sent to sponsors. 

When providing source documentation to the sponsor, regardless of how it is shared, all HIPAA identifiers should be redacted unless specifically needed for the study’s outcomes (e.g. dates of hospitalizations after study medication administration) or the sharing of personal information is outlined in the consent form the subject signed (e.g. monitoring of the informed consent form). For electronic records, provide “view access only” to the systems.

Once the monitor has completed their audit, the PI/coordinator should file any correspondence and findings from the monitoring review in the study’s regulatory binder.

On-Site Monitoring

On-site monitoring is the review of research related records conducted by an auditor at the site in which the study takes place. The FDA monitoring guidance (PDF), describes on-site monitoring as “an in-person evaluation carried out by sponsor personnel or representatives at the sites at which the clinical investigation is being conducted.” 

Monitors should only be given access to the study they have come to monitor and only to the research records requested at that visit to complete their review (i.e. specific subject binders, regulatory binders, etc.). Monitors should be provided a private space where they can conduct their review and be able to ask questions while still maintaining confidentiality of the participants. Conversations with or about non-study patients should not be discussed in front of or within earshot of the on-site monitor.

Monitoring of Multi-Centered PI-Initiated Trials

PIs of multi-center investigator-initiated trials are responsible to ensure that an appropriate monitoring method and plan are summarized in the protocol and the study site sub-award agreements (as applicable). Additional details should be available separately (e.g. in a standard operating procedure document that can be revised when appropriate).

For studies performed under an IND or IDE, Principal Investigators must be aware of their requirements as a “sponsor-investigator”. The method and intensity chosen should (may) depend on the type of study, subject risk, FDA status (e.g., active IND/IDE, intention to submit a marketing application or labeling change), resources, and experience of the research team. If a modification to the monitoring method and plan is made, it is the responsibility of the lead PI/research team to ensure that this is updated in both the protocol and the consent document, if applicable, and disseminate this updated information to participating sites. If additional PHI is required to complete a comprehensive review of study conduct, and is beyond what the current consent permits, participating sites should be alerted and re-consent would be required.

Monitoring of the multi-center PI-initiated study may be conducted either on-site or remotely as described in the sections above. The FDA has issued guidance on risk-based monitoring, which may help in designing an efficient and effective monitoring plan in many instances. Please note also that participating sites may have their own restrictions on remote monitoring practices. The lead PI/research team should work to identify these restrictions prior to initiating a study at a participating site, and outline a modified monitoring plan that preserves the integrity of the study.

III. Frequently Asked Questions (FAQs)

What is the purpose of monitoring?

According to the FDA guidance, “On-site monitoring can identify data entry errors (e.g., discrepancies between source records and case report forms (CRFs) and missing data in source records or CRFs; provide assurance that study documentation exists; assess the familiarity of the site’s study staff with the protocol and required procedures; and assess compliance with the protocol and investigational product accountability. On-site monitoring can also provide a sense of the quality of the overall conduct of the trial at a site (e.g., attention to detail, thoroughness of study documentation, appropriate delegation of study tasks, and appropriate PI supervision of site staff performing critical study functions).” The guidance also expounds that the FDA is encouraging centralized monitoring over on-site monitoring, when appropriate, as monitoring activities can be done as well or better remotely or with monitoring activities that can be accomplished using centralized processes only.

Can monitors be provided access to medical records in EPIC?

Monitors can be provided access to EPIC; however, they must first complete HIPAA Training for Research Monitors through Learn@Work. To do this, the monitor will need a WUSTL Key Guest Account. Detailed instructions for requesting and approving the WUSTL Key Guest Account are available under “Set Up a Guest Account” on IT’s WUSTL Connect page.

Once this is completed, they will be able to login to Learn@Work and complete “HIPAA Training for Research Monitors.” Monitors must complete this training to obtain access to EPIC. Finally, monitors will only be able to access patient records associated with the study that are required to complete their review. To do this, follow the instructions in the “Releasing Patients to Monitors” HIP TIP sheet found in the Research Learning Home Dashboard in EPIC.

In order to access Epic remotely to view patient records, study monitors must have an EpicCare Link Account. (There is a tip sheet located on the Research Learning Home Dashboard under the ‘HIM, Printing, and Study Monitors’ section called “Monitor Access to EpicCare Link” that walks you through the process.) Research staff are responsible for requesting the account.

Go to http://www.myepiccarelink.org and submit a request. You will need to include the monitor name, study IRB number, and some information regarding the dates needed, etc.

For questions regarding Epic access for external monitors, please contact the Epic1 Research Team at epic1research@wustl.edu.

What are the HIPAA identifiers that should be redacted?

All HIPAA identifiers should be redacted unless specifically needed for the study’s outcomes (e.g. dates of hospitalizations after study medication administration) or when the sharing of participants’ personal identifiable information is outlined in the consent form the subject signed (e.g. monitoring of the informed consent form). There are 18 HIPAA identifiers:

  1. Name
  2. Address
  3. Dates (includes birthdate, procedure dates such as admission date and discharge date, date of death, and exact age if over 89)
  4. Telephone numbers
  5. Fax numbers
  6. Email address
  7. Social security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate or license number
  12. Vehicle identifiers such as serial numbers and including license plate numbers
  13. Device identifiers and serial number (includes pacemakers, implants, etc.)
  14. Web URL
  15. Internet Protocol (IP) address
  16. Finger or voice print
  17. Photographic images (not limited to images of the face)
  18. Any other characteristic that could uniquely identify the individual

How should documents be redacted?

Documents can be redacted manually or through computer program functions such as the Redact feature in Adobe. It is not recommended to use computer programs to insert shapes to cover PHI as some EDCs remove these shapes upon upload, exposing the PHI. If using a computer program function, such as the Redact feature in Adobe, it is the responsibility of the PI/coordinator to ensure that the PHI is removed permanently from the document.

Fax and email are not the best methods for secure data transfer as these methods pose greater risk of a confidentiality breach; therefore, it is recommended that these methods not be used. However, if ALL PHI has been removed from the document, the document may be provided to the sponsor via fax or email.

How should WUSTL Box be set up for remote monitoring?

Create a new folder specifically for the monitoring of the study. Only documents requested by the sponsor should be uploaded to this folder. Monitors should only be provided with “Previewer access”. This access allows the monitors to view the documents without the ability to download or print them and ensures that PHI will remain secure to the extent of the monitor’s viewing. Once a monitor is finished accessing the documents, the coordinator will need to remove the monitor’s access from the folder. 

Access can be granted using the individual’s email address as described here. Once they have logged in to WUSTL Box, any files/folders that have been shared with them for review should be visible. If a monitor has difficulty accessing WUSTL Box, WUSTL IT is available to assist them.

Be sure to review the secure information on https://it.wustl.edu/home/how-to/box/

How should REDCap be set up for remote monitoring?

Create a new project specifically for the monitoring of the study. Within this project, create forms and fields for each document to be uploaded. It is recommended that “Read Only” access is granted to the monitor, which will allow them to view the forms and not allow them to edit any fields. Once their access has expired, they will no longer be able to access the documents and there is no further action required by the coordinator. 

Access can be granted by requesting a WUSTL REDCap account for the monitor visiting the WUSTL REDCap site if they do not already have a WUSTL REDCap account. Once the account is created, access can be granted to the monitor and an expiration date for access can be applied. If there are technical issues, contact the REDCap Helpdesk.

How long should records be made available electronically for remote monitoring?

If granting access via REDCap or WUSTL Box, it is recommended that access only be given for 30 days. This should allow sufficient time for the monitor to review and complete their audit. If the monitor finishes their audit prior to 30 days, it is the PI/coordinator’s responsibility to remove the monitor’s access from the documents. If the monitor requires more than 30 days, at the 30 day mark the PI/coordinator should reevaluate their need for continued access.

How should monitoring work when Washington University is the “sponsor” of a multi-center PI-initiated trial?

The chosen monitoring method and plan should be summarized in the protocol, the site-specific consent documents, and the study site sub-award agreements as applicable. Additional details should be available separately (e.g. in a standard operating procedure document that can be revised when appropriate). 

For studies performed under an IND or IDE, Principal Investigators must be aware of their requirements as a “sponsor-investigator”. The method and intensity chosen should (may) depend on the type of study, subject risk, FDA status (e.g. active IND/IDE, intention to submit a marketing application or labeling change), resources, and experience of the research team. If a modification to the monitoring method and plan is made, it is the responsibility of the lead PI/research team to ensure that this is updated in both the protocol and the consent document, if applicable, and disseminate this updated information to participating sites. If additional PHI is required to complete a comprehensive review of study conduct, and is beyond what the current consent permits, participating sites should be alerted and re-consent will be required.

Monitoring of the multi-center PI-initiated study may be conducted either on-site or remotely as described in the sections above. Please be aware that participating sites may have their own restrictions on remote monitoring practices. The lead PI/research team should work to identify these restrictions prior to initiating a study at a participating site, and outline a modified monitoring plan that preserves the integrity of the study.

What does the FDA say about monitoring?

See the FDA guidance on monitoring, “Oversight of Clinical Investigations—A Risk-Based Approach to Monitoring.”

IV. Resources

For questions regarding the acceptability of specific monitoring practices under WU regulations, please contact the Human Research Quality Assurance Program (HRQA) at HRQA@wustl.edu or 314-747-5525 from the Office for the Vice-Chancellor for Research.

For guidance on an investigator’s responsibilities as a sponsor-investigator for a FDA-monitored trial, please contact Abby Keeley from the Human Research Protection Office (HRPO).

For guidance in enabling an external sponsor access to monitor a study, please contact Yi Zhang or Michelle Jenkerson at the Center for Clinical Studies.

For questions on remote Epic access for external monitors, please contact the Epic1 Research Team at epic1research@wustl.edu.

For guidance in designing a monitoring plan for an investigator-initiated study, or for model templates, please contact the Trial-CARE Multicenter Clinical Trial Support Center at trialcare@wustl.edu or Suresh Vedantham