Enterprise SOP’s for DocuSign 21CFR11 Compliance

DocuSign Part 11 SOP’s

Usage, Definitions and Part 11 Compliance (DS-SOP-001)
Site Administrator Procedures (DS-SOP-002)
Creating, Sending and Signing Procedures (DS-SOP-003)
Training Procedures (DS-SOP-004)
Participant Instructions (DS-SOP-005)

Version 2 – Initially Approved and Executed March 1, 2021

1. General Overview

DocuSign is the approved platform for electronic consent and electronic signatures for UNC human subjects research studies. REDCap or Qualtrics may be used only if all other study activities are conducted via those systems (e.g. survey-only study with all surveys built in REDCap with electronic consent also integrated into REDCap). If the research study requires 21CFR Part 11 compliance, it is the responsibility of the study team to ensure all electronic consent and other electronic signatures are completed in the Part 11 module of DocuSign and managed appropriately to maintain Part 11 compliance.

Site Information

Standard Account
DocuSign Account Number: #5193367
DocuSign Account Name: UNC-CH: Human Subjects Research
DocuSign Account Type: Standard
Access URL: https://account.docusign.com

Part 11 Enabled Account
DocuSign Account Number: #5138127
DocuSign Account Name: UNC-CH: [ Part 11 ] Human Subjects Research
DocuSign Account Type: Part 11 Module Enabled>
Access URL: https://account.docusign.com

Agency Contacts

UNC Primary Contact

• Associate Director for Data Analytics, Clinical Research Support Office – School of Medicine : [email protected]

UNC Central Offices

• Office of Vice Chancellor for Research (OVCR)
• Office of Research Information Systems (ORIS)
• Office of Human Research Ethics (OHRE)
• Office of Clinical Trials (OCT)
• School of Medicine
• Information Technology Services (ITS)

UNC DocuSign Part 11 Site Administrators

School of Medicine

• Clinical Research Support Office (CRSO)
• School of Medicine IT

All other schools and departments

• Office of the Vice Chancellor for Research (OVCR)

UNC DocuSign System Administrators

• Clinical Research Support Office (CRSO)
• ITS Security – Identity Management

Definitions

Accounts: Within DocuSign, an organizational group that is used to separate UNC human subjects research usage of DocuSign into either standard module or Part 11 module. A DocuSign account is not synonymous with a ‘user account’, such as an ONYEN or UNC Health user ID. This document does not cover usage of DocuSign accounts unrelated to humans subjects research.

Documents: A digital file that contains content to be reviewed and/or signed or initialed by one or more recipients. Documents are always encrypted while stored in the system and can be supplied through client devices, cloud storage systems, or additional document sources. DocuSign accepts almost all document types – for example .pdf, .docx, .rtf, .txt, .png, .xls – and you can store multiple documents in a single envelope.

Envelope: An envelope is a container or “package” that is used to send documents to recipients and manage transactions. Envelopes have statuses (i.e. sent, delivered, completed, voided) and typically contain documents, recipients, and tabs/fields. They also contain information about the sender, document-related metadata, and timestamps that indicate the progress of the delivery procedure. When an envelope is completed the DocuSign platform automatically generates a Certificate of Completion which details the full audit history of the transaction.

DocuSign Site Administrator: The person(s) within a school or department who is designated to be the Senders’ points of contact and who are responsible for configuring and managing their user accounts in the DocuSign System. In particular, Site Administrators set up policies (e.g. password, document retention, etc.) and manage the DocuSign user memberships on their account. At UNC, they are also responsible for verifying 21 CFR Part 11 training of Senders and granting appropriate permissions to DocuSign human subjects research Accounts.

Sender: A person within a business entity of UNC Chapel Hill who uses DocuSign to send regulatory forms and/or consent documents to others for signing.. Senders are Users with account memberships responsible for creating, sending, and managing envelopes which are logical containers for all data in the DocuSign System. In addition, Senders perform many actions for envelopes such as uploading documents, adding Recipients, defining routing orders, and placing fields on documents for Recipients.

Signer: A person either within or outside of UNC-CH/UNC Health who uses DocuSign to sign a regulatory form or consent document.. Someone who receives an envelope and, depending on the settings, can sign the documents or enter information where indicated by tabs/fields.

Part 11 (21 CFR 11): The FDA regulations outlining requirements for electronic records and electronic signatures for specific types of research studies.
Addition information from the FDA

Permitted uses of DocuSign for Human Subject Research

• UNC DocuSign HSR accounts may be used
• For purposes directly associated with the initiation or management of a human subject research study or the enrollment of participants into a human subjects research study.

• UNC DocuSign HSR accounts may not be used
• During in-person research consenting without utilizing the “Host” capability in DocuSign.
• To document the assent of children for participation in a research study unless using Part 11 enabled account (see FAQ).
• For signing any document that is required to accompany the transport of hazardous material (I.e. Bill of Lading).

2. Training Procedures

Training Requirements for General DocuSign Usage

The Office of Clinical Trials and Clinical Research Support Office will provide a website for best practices and FAQ’s for using DocuSign for Human Subject Research at UNC.

DocuSign University will serve as the primary source for users to obtain general training on using DocuSign

Training Requirements for FDA-Regulated Studies

21 CFR 11.10(i) requires records to verify persons that maintain or use electronic signature systems have education, training and experience to perform their assigned tasks

Interpretation

• All individuals who will be responsible for performing administrator and developer functions in the Part 11 account (e.g. managing users, user groups, settings, custody transfer, etc.) should have the appropriate education, training, or experience to operate the system.
• All individuals who will send DocuSign Envelopes for eConsent and/or regulatory document signature should also be appropriately trained on the processes for complying with Part 11 requirements before using the system.
• Individuals who solely sign documents using DocuSign do not need special training because they are not responsible for developing, maintaining, or using the Part 11 features of DocuSign.

Implementation

Before being granted system access, a user should be trained according to their role.

Site Administrator and Developer Training: The training plan for Developers and Site Administrators is described and completed in CRSO Training Plan

Sender Training: The training plan for Developers and Site Administrators is described and completed in CRSO Training Plan

Signer Resources for Training: General DocuSign training resources are available at DocuSign University

Documentation of Training

Upon completion of the training plan an email is generated and sent to the respondent to document the training certifications.

Training records for all individuals are accessible to Site Administrators within each department in case of audit.

3. Procedures for DocuSign Site Administrators

General Responsibilities

• Provide access to both the DocuSign development and production environments
• Verifying Part 11 training and assigning appropriate DocuSign permissions
• When staff are no longer performing the role of Site Administrator either the lead or assistant lead site administrator, will remove that role from their profile in the DocuSign system within 30 days
• Designating additional Site Administrators within Departments, Units, or Centers within respective schools
• Creating IRB groups within DocuSign for new research projects and adding appropriate study team members to that group

Designation of Site Administrators

School of Medicine

• Site Administrators will be staff designated within the School of Medicine Information Technology and Clinical Research Support Office.

All other Departments/Schools

• Site Administrators will be staff designated within the Office of the Vice Chancellor for Research

4. Procedures for Requesting Access to Send Envelopes

Requesting Access

• Personnel who will need to use DocuSign Part 11 for sending research consent documents or certain FDA forms should proactively complete the training noted above and then contact one of their unit’s Site Administrators about gaining user access.
• Users will submit a request for a new project via the following form:
  CRSO DocuSign Access Request Form

Access for Standard, Non-FDA Regulated Studies

• Site Administrator(s) will create new user accounts for any user that does not have an existing DocuSign account
• Site Administrator(s) will create a new DocuSign group for the listed project, either by IRB number or by the Principal Investigators name if no IRB is available
• Site Administrator(s) will add each user account to the Standard DocuSign account (UNC-CH: Human Subjects Research) with the one of the following permission profiles:
  • System Administrator: System administrators that can add users, groups and other account
    administrative actions
  • UNC DS Template Creator: Research Staff with signing authority on behalf of the study; ability
    to create, send and share templates and envelopes
  • UNC DS Sender: Research Staff with signing authority on behalf of the study; ability to send
    templates and envelopes to recipients
  • DS Viewer: Research Staff without signing authority; ability to view completed documents

Access for FDA Regulated Studies

• • Site Administrator(s) will verify all users requesting access have completed the required Part 11 training as described in section 2.2.
    If a user has not completed the required Part 11 training, the Site Administrator will not perform any additional provisioning steps for that user until the required training is complete
  • Site Administrator(s) will create new user accounts for any user that does not have an existing DocuSign account
  • Site Administrator(s) will create a new DocuSign group for the listed project, either by IRB number or by the Principal Investigators name if no IRB is available
  • Site Administrator(s) will add each user account to the Part 11 Enabled DocuSign account (UNC-CH: [ Part 11 ] Human Subjects Research) with the one of the following permission profiles:
    • System Administrator: System administrators that can add users, groups and other account
      administrative actions
    • UNC DS Template Creator: Research Staff with signing authority on behalf of the study; ability
      to create, send and share templates and envelopes
    • UNC DS Sender: Research Staff with signing authority on behalf of the study; ability to send
      templates and envelopes to recipients
    • DS Viewer: Research Staff without signing authority; ability to view completed documents
    • OCT Reviewer: Staff of the OCT that require necessary reporting permissions for audit and
      review purposes

5. Procedures for Creating, Sending, and Signing Envelopes

Confirming correct DocuSign account

• Each time a team member logs into DocuSign to initiate signing, he/she must confirm they are working in the appropriate DocuSign module: Standard or Part 11 The specific names of the available accounts are listed in section 1.1
• Any study activities that meet the criteria as FDA-regulated, must be completed within a Part 11 enabled DocuSign account
• Permissible uses for each DocuSign account are listed in sections 1.4

Naming standards for documents and templates

• All consent/authorization/regulatory documents developed in DocuSign should follow the below standardized file naming procedure:
  
  [IRB-Number/PI Last Name]_[Form Type]-[Sub Type]_[Version Date]
  • “IRB Number/PI Name”: If an IRB number is not available or has not been assigned, the last name of the Principal Investigator should be used in place of the IRB Number. Otherwise, the IRB number should be used whenever one is available and must be used for any consent documents.
  • “Form Type” includes: Consent, HIPAA, FDA, or other regulatory/start-up documents (e.g. Protocol.Signature.Page, DOA.Log)
  • “Sub Types” include: Main, Substudy, ForeignLanguage, Specimen, FDA Document Number
  • “Sub Type” may not apply to all “Form Types” and not be included in the document name
• Dates should always be formatted as:<blockquote YYYY.MM.DD
• Examples:
  • 20-2959_Consent-Main_2020.10.15
  • 18-0622_Consent-Specimen_2019.06.04
  • 17-1196_HIPAA_2017.05.20
  • 20-2959_FDA-1571_2020.01.19

DocuSign for obtaining eSignatures for informed consent documents

IRB application to use DocuSign for e-signing informed consent documents

• Each study must determine if the study requires Part 11 compliance as defined by FDA requirements. Any questions concerning whether a study qualifies for 21 CFR 11 should be directed to the appropriate regulatory authority.
• Study teams must state within the consent methods of their IRB application that DocuSign will be used to obtain informed consent from study participants
• Study teams must acknowledge that if assent from minors is required, DocuSign cannot be used for assent

Developing consent document templates in DocuSign

Consent document templates may be created by any member of the study team and each study team should define a process to ensure documents are created in accordance with the recommendations and that documents are accessible by all relevant members of the study team.

• Do not create study forms in DocuSign until you have received IRB approval.
• Any consent documents created in DocuSign must be the IRB-approved version of the document without modifications.
  • As updated versions of the consent documents are approved by the IRB, the study team must update the consent document in DocuSign and ensure the currently approved version of the consent document is used
  • If new versions of the consent form(s) are added, the study team must either:
    • Archive the previous template by downloading the template from DocuSign and deleting the template from the DocuSign website
    • Overwrite the old forms within the existing template with the new forms and update the template name to match accordingly
• The study team must ensure that all applicable fields of the consent document that require signature or initials or other input from any signer is marked appropriately with a signature field in DocuSign.
• The study team must ensure any checkboxes or other fields that must be completed have form elements added to the DocuSign document.
  • I approve this document
  • I have reviewed this document
  • I am the author of this document
• For Informed Consent Forms, participants should be instructed to select “I have reviewed this
  document” if they agree to participate in the study
• For other FDA regulated documents, signers should be instructed to select “I approve this document”

Assembling consent envelopes

• All documents related to informed consent that require review/signature should be sent together in a single envelope (e.g. main consent, HIPAA, stored specimen consent, etc.)
• When envelopes are assembled, all documents included will appear as one continuous document; therefore, it is important to assemble the documents in appropriate order:
• Main consent
• Secondary consents and/or stored specimen consent (as applicable)
• HIPAA authorization (as applicable)

Sending and signing consent documents within envelopes

• An envelope should only be sent to a study participant after the study team has discussed the study with the participant and have determined that he/she is ready to provide consent to participate in the study.
• Additional user instructions may be sent to the participant as needed (to support account creation, identity verification with access codes, and signing) and template documents are available here:
  UNC Research – Clinical Trials
  

  Instructional documents unrelated to the specific study do not require IRB review/approval and may be modified as needed.

  
  
• Just as with in-person written consent:
  • Verification of written consent based on review of signed and fully-executed consent documents must be completed prior to initiating study activities (unless otherwise authorized by the IRB).
  • The study team should offer continuing opportunities to discuss the study as needed or requested by the participant to ensure ongoing consent, even after the consent document has been signed

DocuSign for e-signing documents other than e-consent

Acceptable uses of Standard Account

• Documents that do not require Part 11 compliance should be signed in the standard module.
• Potential forms to be signed in the standard module include:
  • Delegation of authority logs
  • Training documentation logs
  • Deviation logs
  • Adverse event forms
  • Protocol signature pages (for non-FDA-regulated studies)

Acceptable uses of Part 11 Module

• DocuSign Part 11 should ONLY be used when obtaining signatures for an FDA-regulated study.
• Potential FDA forms needing to be signed in DocuSign Part 11 include:
  • Form FDA 1571
  • Form FDA 1572
  • Form FDA 3454
  • Form FDA 3455
  • Form FDA 3674
  • Form FDA 3926
  • Protocol signature pages (for FDA-regulated study)
  • Investigator Brochure signature pages
• All documents covered under the standard module (5.4.1) should also be used in the Part 11 Module for FDA regulated studies

6. Procedures for Retaining Envelopes in DocuSign

This section outlines the policies and procedures for the transfer, storage and retention of documents (e.g., consent forms) that were signed using DocuSign. This applies to documents signed in either the standard module or the Part 11 module.

Requirements for saving documents to Local Storage

• When all persons have signed, a link to the fully executed PDF document will be emailed to the sender.
• Each signer will receive an email with a link to access and download the full executed document.
• The sender is responsible for transferring (downloading and saving) the signed document from DocuSign to an approved local storage system or study file (e.g., UNC network drive) for retention .
• For Part 11 Compliant Documents, verify the combined PDF contains:
  • Original document text
  • Certificate of Completion
  • Entrust certificate
• For Non-Part 11 Compliant Documents, verify the PDF contains:
  • Original document text
  • Save the document locally with the rest of the research or relevant documents.

Saving executed documents

• • Executed documents can be downloaded from the DocuSign website and saved as a local backup in PDF form
  • Downloaded consent documents should follow the naming format described in 4.2 and be suffixed with the participant signing information in the format:

• • Dates should always be formatted as: YYYY.MM.DD
  • Examples
    • 20-2959_Consent-Main_2020.10.15_KP_Signed-2020.11.01
    • 20-2959_HIPAA_2020.10.15_KP_Signed-2020.11.01
  • Non-consent documents should follow the naming format described in 4.2 and be suffixed with the execution date of the completed document in the format

• Dates should always be formatted as: YYYY.MM.DD
• Examples:
  • 20-0595_FDA-1572_2020.12.05_Executed-2020.11.21
  • 17-2801_ProtocolSignaturePage_2020.12.05_Executed-2020.11.21

Record Retention

• DocuSign is an electronic signature solution and not intended as a long-term storage solution for University records. However, until a validated, long-term storage solution is identified and implemented, documents will not be purged from the DocuSign site.
• It is the Sender’s responsibility to ensure the official/public record is archived in a long-term storage solution, retained and destroyed in accordance with the UNC Records Management Policy, the Clinical Trial Agreement, and time periods listed in the North Carolina Retention and Disposition Schedules.
• Signed documents including the certificate of completion will be retained by the study teams in their study files in accordance with University record retention policy, state and federal regulations.
• The UNC DocuSign administrator will automate a nightly download of all signed envelopes and associated documents to a central file at UNC. The download will be maintained / stored in this central file will be organized by date signed and if relevant, IRB #. The download will maintain the full audit trail of the signing process to maintain part 11 compliance requirements.
• For a list of applications approved for long-term storage, please visit Information Technology Services page:
  ITS Mass Storage
• For university retention periods and approval requests, visit: UNC records-management policy:
  UNC Library Records Management

Systems Integration

UNC Single Sign On (SAML) is integrated with DocuSign login to authenticate active UNC credentials and permissible access to UNC HSR DocuSign

Part 11 Compliance

Section 11.10(i):
Requires records to verify persons that maintain or use electronic signature systems have education, training and experience to perform their assigned tasks. Customers are responsible for ensuring this is followed, but training is available from DocuSign to assist in this process.

UNC accomplishes this by establishing the following trainings with auditable user completion (further detail covered in Section 2):

Site Administrator and Developer Training

• Training requirements for Site Administrators are outlined in detail in DS-SOP-004 Section 2.4.1

Sender Training

• Training requirements for Senders are outlined in detail in DS-SOP-004 Section 2.4.2

Signer Resources for Training

• Training resources for Signers are outlined in detail in DS-SOP-004 Section 2.4.3

Section 11.10(j)

Requires the establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. Customers are required to write and enforce their own procedures. DocuSign has established systems and maintenance documentation specific to the DocuSign platform, including: Validation policy and procedures (11.10(a)), Disaster recovery, Revision and change control procedures (11.10(k)(2)), System access and security procedures (11.10(c),(d),(g)) and Document control procedures (11.10(k)(1),(2)).

UNC accomplishes this by:

• The creation and maintenance of this document
• Establishment of standard user procedures for the administration, creation, sending, and signing of all documents associated with FDA regulated studies.

Section 11.100(c)

Requires that signers agree that the electronic signatures are intended to be the legally binding equivalent of traditional handwritten signatures. The DocuSign Part 11 module settings ensure the Electronic Record and Signature Disclosure feature is active, but customers must verify or provide specific language for the consumer consent to meet the requirements of the section. Refer to the Legal Disclosure section for more information about the disclosure.

UNC accomplishes this by:

• Posting a Consumer Disclosure online and in DocuSign’s Electronic Record and Signature Disclosure feature

Section 11.200(a)(1)

Requires that electronic signatures that are not based on biometrics “employ at least two distinct identification components such as an identification code and password” (i.e. dual authentication).

UNC accomplishes this by:

• The DocuSign or UNC SSO login is the first verification, and the access code associated with each envelope sent to a recipient is the second.

Section 11.300(b)

Requires that passwords be periodically revised. Customers must set their passwords to expire in the Password Strength settings. Additionally, DocuSign recommends that customers use the Strong or Custom Password Strength setting for their account. Customers are responsible to setup and maintain password settings in alignment with compliance needs. Refer to the Password Security section in this guide for more information about password settings.

UNC accomplishes this by requiring:

• Internal users to sign in through an email address within the family of &*.unc.edu, which is redirected to the UNC Single-Sign On page for authentication. Passwords will be updated according to UNC policies (every 365 days).
• External users’ accounts are set to use a Custom password strength, minimum of 12 characters and must have 1 upper case, 1 lower case, and 1 numeric character.

Section 11.300(c)

Requires that there are loss management procedures to de-authorize lost, stolen, missing or compromised identification codes or passwords. Customers are responsible for ensuring this information is documented.

UNC accomplishes this by:

• Setting and sending new access codes for each new user.
• Procedures for handling lost, stolen, missing or compromised passwords and access codes are described at:
  • UNC ONYEN
  • External Users

Section 11.300(e)

Requires procedures for initial and periodic testing of devices that are used to generate identification code or password information. Customers are responsible for documenting any internal controls for this. If your DocuSign account uses the SMS Authentication feature, DocuSign can provide information about periodic testing for this feature.

UNC accomplishes this by:

• Relying on DocuSign’s documentation regarding access codes and by creating access codes manually, not automatically.
• Record retention policies in their entirety are described in section 6.3
• All policies will apply to both Part 11 compliant and non-Part 11 studies

Participant Instructions

• UNC websites (OCT, CRSO) will include information and instructions for sharing with research participants regarding procedures from the participant perspective. This will generally include, but is not limited to:
• Email receipt and opening information
• Instructions on creating an account
• Instructions for reviewing the document(s)
• Signing instructions
• Instructions for downloading and saving completed documents

References

• Source: Part 11, Electronic Records; Electronic Signatures – Scope and Application. U.S Food & Drug Administration. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application
• https://its.unc.edu/research-computing/techdocs/mass-storage/
• https://unc.policystat.com/policy/5431468/latest/
• https://guides.lib.unc.edu/recman/schedule
• Source: Use of Electronic Informed Consent Questions and Answers – Guidance for Institutional Review Boards, Investigators, and Sponsors. U.S. Food & Drug Administration.