Remote Monitoring Visits and Electronic Records: What ICH E6(R3) Requires for E-Signatures

Remote monitoring visits became standard practice during the pandemic, and they have stayed standard practice since. ICH E6(R3), which reached final adoption in 2023, formally recognized risk-based and remote monitoring approaches as compliant with GCP for the first time. What the guidance did not simplify is the electronic records and e-signature obligation that remote monitoring creates. When monitors access, review, annotate, and sign clinical trial records from off-site, those records and those signatures must still meet FDA 21 CFR Part 11 and ICH E6(R3) Section 5.5 requirements. The geography of the reviewer changed. The regulatory standard did not.

This guide covers what remote monitoring visits create in terms of electronic records obligations, the specific ICH E6(R3) requirements that apply, how FDA 21 CFR Part 11 intersects with remote source data verification, and what a research site's e-signature system needs to support for sponsor and CRO monitors working remotely. The audience is primarily QA managers and study coordinators at clinical research sites, plus CRO monitoring teams responsible for setting up and executing remote visits.

What ICH E6(R3) Changed About Remote Monitoring

The 1996 ICH E6(R1) and the 2016 E6(R2) addendum focused on risk-based monitoring as a concept but left sponsors with significant interpretive latitude about how to execute it. E6(R3) moved from concept to operational standard. Section 5.18 of E6(R3) addresses centralized and remote monitoring explicitly, treating them as legitimate methods for meeting the monitoring obligations of the protocol rather than as pragmatic substitutes for on-site visits.

Three elements of E6(R3) are particularly relevant to the electronic records question. First, the guidance defines a monitoring plan as a required document that must describe the monitoring strategy, methods, and responsibilities, including the rationale for using centralized or remote monitoring for specific site activities. That document is itself a regulated record. Second, Section 5.18.6 requires that monitoring visit reports include findings, deviations, recommendations, and any actions taken to correct deviations. The report generated at the conclusion of a remote monitoring visit carries the same content and retention requirements as one generated after an in-person visit. Third, the guidance ties sponsor oversight of site-level systems to the broader sponsor responsibility in Section 5.5.3.

What E6(R3) did not do is carve out a simpler compliance path for electronic records in the remote monitoring context. The electronic records created during and after a remote monitoring visit, the signatures applied to them, and the audit trails that document them must still satisfy 21 CFR Part 11 if they are FDA-required records. The fact that the monitor was in a different city or country when they reviewed the records does not change what the records must be.

The Electronic Records a Remote Visit Creates

A remote monitoring visit generates several categories of records, and the compliance requirements differ by record type. Understanding which records require Part 11 compliant e-signatures and which do not is necessary to design a compliant remote monitoring workflow.

The monitoring visit report and the follow-up letter are the documents that most frequently fall through compliance gaps in remote monitoring programs. They are FDA-required records under ICH E6(R3), they are commonly stored in trial master file (TMF) systems, and they require an attributable electronic signature from the monitor. If the monitor signs them using a general-purpose tool that does not enforce authentication at the signing event, the signature does not meet Part 11 requirements regardless of how the document is stored downstream.

Remote Source Data Verification and the EDC Boundary

Remote source data verification involves a monitor reviewing source records, typically electronic health records at the site, against case report forms entered in the sponsor's EDC system, without being physically present at the site. This is one of the activities that E6(R3) explicitly recognizes as compatible with risk-based monitoring.

The FDA's October 2024 final guidance on electronic systems in clinical investigations addressed the Part 11 question for this workflow directly. The guidance clarified that Part 11 compliance will not be required for electronic health records or other systems that are sources of real-world data. FDA will assess Part 11 compliance starting at the point where data enters the sponsor's electronic data capture system. This means the EHR itself does not need to meet Part 11, but everything that happens at and after the EDC boundary does.

For remote SDV, the practical implications are these. The monitor's access to the EHR for review purposes is governed by whatever access agreements and audit trails the site's EHR system maintains, not by Part 11 directly. But when the monitor makes a query in the EDC, acknowledges a data discrepancy, or adds a monitoring note in the sponsor's system, those actions are in the Part 11 scope. The EDC must generate a computer-generated, time-stamped audit trail entry attributing that action to the specific monitor, with the monitor's unique credentials, meeting the requirements of Part 11 Section 11.10(e). For a detailed breakdown of what an audit trail entry must capture, see our guide to 21 CFR Part 11 audit trail requirements.

The transcription pathway from EHR to EDC also creates a records obligation. The 2024 FDA guidance confirmed that the process of transcribing source data from the EHR into the EDC must be documented and auditable, even though the EHR itself is not a Part 11 system. The site's procedures for how source data is transcribed, by whom, and with what verification must be captured somewhere in the audit-trailed record set.

ICH E6(R3) Section 5.5.3 and Sponsor Oversight of Site Systems

One of the substantive changes in E6(R3) compared to E6(R2) is the emphasis on sponsor accountability for electronic systems used at investigator sites. Section 5.5.3 requires sponsors to ensure and document that computerized systems used in the trial are suitable for their intended purpose, have validated processes ensuring data integrity, and conform to applicable regulatory requirements for electronic records and signatures.

This creates a documented oversight obligation that extends to the site's e-signature platform. A sponsor conducting remote monitoring visits cannot simply accept a site's assurance that its electronic signature system is Part 11 compliant. The sponsor needs documentation. In practice, this means that during site qualification, sponsors should request the name and version of the e-signature system in use at the site, evidence that it has been validated (vendor-supplied IQ/OQ/PQ documentation), the site's user access management SOP, and confirmation that the site has submitted a non-repudiation letter to FDA under 21 CFR 11.100(c).

Sites that use general-purpose e-signature tools without vendor-supplied validation documentation routinely fail this check during sponsor qualification. The site may have been using the tool without issue for months, but if the vendor cannot produce IQ/OQ/PQ protocols that demonstrate Part 11 compliance, the sponsor has no basis to document that the site system meets E6(R3) Section 5.5.3. Remote monitoring amplifies this issue, because the monitoring workflow itself generates signatures through the site's system rather than through a sponsor-controlled one. For how sponsors structure the written agreement that governs this, the guide on CRO and sponsor electronic signature responsibilities covers the qualification obligation on both sides.

What the Site's E-Signature System Needs to Support

Remote monitoring creates a specific set of demands on the site-level e-signature system that in-person monitoring handled through physical presence and wet signatures. The site needs to be able to:

1. Issue guest or external signer access to monitors without compromising audit trail attribution. When a CRO monitor signs a monitoring visit report or acknowledges a document through the site's platform, the signature must be attributed to a unique user identity, even if the monitor is an external party not registered in the site's own system. Shared or generic accounts invalidate the signature under Part 11 Section 11.100(a), which requires that each electronic signature be unique to one individual.
2. Require two-component authentication at each signing event, regardless of where the signer is located. Remote signing does not relax the authentication requirement. Part 11 Section 11.200(a) requires at least two distinct identification components at the time of signing. A monitor signing a visit report from their home office must re-authenticate at the signing event, not just use a persistent session. Systems that authenticate only at login and allow document signatures throughout the session without re-authentication are non-compliant regardless of the signer's location.
3. Capture signature meaning on the face of each signed document.Section 11.50 requires that every signed electronic record display the signer's printed name, the date and time of signing including time zone, and the meaning of the signature (for example, reviewed, approved, or acknowledged). For monitoring visit reports and follow-up letters, the meaning field must reflect the appropriate regulatory significance of the signature, not just a generic signing acknowledgment.
4. Maintain an immutable audit trail for all signature events, including remote ones. The audit trail for a signature executed remotely must be indistinguishable in quality from one executed on-site. The entry must include the user ID, the server-generated timestamp, the action type, the record affected, and any original values for modified fields. The audit trail must be tamper-evident, meaning it uses cryptographic protections that allow detection of any modification to historical entries.
5. Support 25-year retention for documents that fall under EU CTR 536/2014. If the trial is running under EU CTR 536/2014 as well as FDA oversight, Article 58 requires the clinical trial master file to be retained for at least 25 years. Monitoring visit reports and follow-up letters are TMF documents. The e-signature system must retain signed documents in a format that remains readable and legally intact for the full retention period, even through platform updates or vendor changes.

These five requirements are not unique to remote monitoring. They apply to any Part 11 compliant e-signature workflow. What remote monitoring does is increase the frequency with which external parties (monitors from CROs or sponsor teams) sign documents through the site's system, and it removes the physical co-presence that previously served as an informal check on authentication quality. A monitor who was physically at the site when they signed a paper visit report could be visually identified. A monitor signing remotely exists only as an electronic identity, which means the system's authentication controls are the only verification that the signature is attributable to the right person.

The Delegation of Authority Log Under Remote Monitoring

The delegation of authority log is one of the highest-risk documents in a clinical research site's regulatory binder under any monitoring model. Under remote monitoring, it becomes a particular focus because the investigator and monitor are not in the same room when tasks and responsibilities shift, and any change to the delegation log after the remote visit must be captured with the same rigor as a change made in person.

ICH E6(R3) Section 4.2 requires the principal investigator to document all trial-related duties and functions delegated, to whom they are delegated, and when the delegation begins and ends. The PI must personally sign each delegation entry. Under Part 11, that signature must meet all Subpart C requirements: unique identification, two-component authentication at signing, signature meaning, and cryptographic binding of the signature to the specific record version being signed.

The most common failure mode is a delegation log where tasks are added or modified after a remote visit but the PI signs the log in a batch update rather than at the time each change is made. The audit trail entry for a batch update will show all delegations signed at the same timestamp, which can look implausible during inspection and is directly contradicted by the contemporaneous requirement of ALCOA+. Each delegation change should be signed at the time it is made or at the time it becomes effective, and the audit trail should reflect that timing accurately. For the full set of site-level Part 11 considerations, the guide for clinical research sites covers the six highest-risk document categories and the three-SOP minimum.

Common Remote Monitoring Compliance Gaps

Based on the regulatory text and the patterns that appear in FDA 483 observations for clinical investigation records, the most common compliance gaps in remote monitoring programs cluster around four areas.

Monitor credentials shared or borrowed.When monitors use a shared account or borrow a colleague's login to access the site's system for a remote visit, the audit trail attribution is broken. Every action in the system appears under the wrong name. If the delegation log shows Monitor A reviewing documents on a date when Monitor A was not assigned to that site, the discrepancy is visible to any inspector who checks the visit records against the audit trail. This is one of the most common audit trail findings in FDA clinical investigation inspections.

Monitoring visit reports signed days or weeks after the visit. The contemporaneous principle under ALCOA+ requires that records be created at the time of the observation. ICH E6(R3) Section 5.18.6 requires that written reports be sent to the sponsor after each site visit. An inspection-ready monitoring program should show visit report signatures dated within a few days of the visit at most. A pattern of visit reports signed two or three weeks after the visit, particularly if the report was edited multiple times before signing, raises data integrity questions during inspection.

Authentication at login only, not at signing.Platforms that authenticate monitors at login and allow the session to remain open for signing throughout the visit create a gap against Part 11 Section 11.200(a). This is a structural feature of the platform, not a configuration option. Remote monitoring, where a monitor may be logged in for several hours reviewing multiple sites' documents in a single session, amplifies this gap because the session duration is longer and the risk of an unauthorized signature is correspondingly higher.

No documented procedure for remote system access at the site.When a sponsor or CRO monitor accesses the site's records remotely, the site should have a written procedure covering what access was granted, to whom, for what purpose, for what time period, and what records were reviewed. This procedure does not need to be elaborate, but it needs to exist and be followed. An FDA inspector reviewing the TMF of a remote-heavy trial will ask how remote access was controlled and documented. "The sponsor sent us a link and we gave them login access" is not a procedure.

How Klyverity Supports Remote Monitoring Workflows

The requirements for remote monitoring create a specific platform profile: external signer support with attribution-preserving credentials, authentication enforced at each signing event regardless of session state, server-generated timestamps that reflect the actual time of signing, and a tamper-evident audit trail that captures all signature events in a format exportable for sponsor review.

Klyverity is built to meet these requirements natively. External monitors can be issued unique, time-limited signing credentials without being given access to the site's full system, so the audit trail attributes their signature to their specific identity while keeping access scoped to the relevant documents. Authentication is enforced at each signing event, not only at login, satisfying Part 11 Section 11.200(a) for every monitoring visit report and follow-up letter regardless of session duration. Audit trails are SHA-256 hash-chained, server-generated, and exportable in formats that sponsors can review during qualification and inspectors can request during an audit. IQ/OQ/PQ validation documentation for the current platform version is available to support sponsor system qualification under ICH E6(R3) Section 5.5.3.

If you are evaluating e-signature platforms for a remote monitoring program, the vendor evaluation checklist covers the RFP questions specific to clinical trial use, and the compliance overview shows how Klyverity maps to each Part 11 and ICH E6(R3) requirement.

Conclusion

ICH E6(R3) made remote monitoring a legitimate and endorsed GCP practice. It did not change the electronic records and e-signature requirements that apply to the records a remote visit generates. Monitoring visit reports, follow-up letters, delegation of authority log updates, and SAE acknowledgments signed electronically after a remote visit must meet 21 CFR Part 11 in full: authentication at each signing event, signature meaning on the record, unique attribution, and a tamper-evident audit trail. ICH E6(R3) Section 5.5.3 adds a sponsor documentation obligation for the site-level systems used during those visits. The most common gaps, shared credentials, post-hoc signatures, login-only authentication, and undocumented remote access procedures, are all well within the ability of a purpose-built Part 11 platform to prevent. They are also well within the list of things FDA investigators check. Closing these gaps before a remote monitoring program scales is more efficient than correcting them after an inspection.