Cloud Concinnity adopts embedded signing with CFR Part 11 compliance
“DocuSign was supportive and excited to work with us to push the envelope of integration and compliance in the healthcare space, which is enabling our clients to move more quickly in managing their data and trials.” — Matthew Cook, CTO, The Concinnity Company
The Concinnity Company offers Cloud Concinnity, a single, secure, cloud-based platform for clinical trial oversight. When healthcare entities conduct a clinical trial, they are required to have independent oversight committees such as a Data and Safety Monitoring Board (DSMB), Safety Review Committee (SRC), or Data Monitoring Committee to ensure data integrity, patient safety and FDA protocol compliance. Thanks to Cloud Concinnity, critical aspects of the trial, including patient information, communications, processes, and reporting, can be managed in a single platform, making it easier for participants to review and evaluate the trials they oversee. Not only does Cloud Concinnity manage these processes, but it automates many of them as well, leaving less room for error and making it easier to ensure compliance and data integrity every step of the way. Cloud Concinnity groups a series of tasks together into one automated workflow to ensure all of the steps are completed by the right stakeholders, in the right order and on schedule. This helps participants keep track of exactly what needs to be done and creates a centralized record of all communications and tasks. Cloud Concinnity also has secure video conferencing built into the product, allowing DSMBs to access relevant information during their conversations within a single UI.
Concinnity and DocuSign have partnered to embed Part 11 compliant signatures into the automated workflows in Cloud Concinnity that distinguish it as a leading platform for clinical trial oversight. DocuSign introduced new functionality for using the DocuSign eSignature REST API to build embedded signing solutions into their CFR Part 11 integrations, which made this collaboration possible. Concinnity was an early adopter of the new embedded signing capability and worked closely with the product team at DocuSign to build it into their integration.
Documents that check all the boxes
Conducting a clinical trial involves signing and managing a lot of documents that detail the trial’s procedures and processes. As more companies have started managing these documents online, the Food and Drug Administration (FDA) has developed requirements for ensuring that electronic records meet the same levels of security and reliability that are required for paper records. These requirements and regulations are established in Part 11 of Title 21 of the Code of Federal Regulations, commonly called simply “Part 11.” Whether Concinnity’s customers are conducting a clinical trial or manufacturing a drug, they need to ensure that the entire process is Part 11–compliant. Not all electronic signatures comply with Part 11, which is why DocuSign developed its Life Sciences modules for 21 CFR Part 11. Thanks to these modules, Concinnity’s customers can ensure that documents signed with DocuSign are always Part 11–compliant.
Cloud Concinnity seamlessly integrates DocuSign into its workflows so its customers can review and sign documents without ever leaving the Cloud Concinnity platform. Figure 1 demonstrates a task in Cloud Concinnity requesting the user’s signature on a document. The SIGN button in the task will direct the user to complete the document without having to find the request for signature in their email inbox or log into their DocuSign account. The task also has a due date and displays status updates to show when users were assigned the task and whether or not they have completed it, keeping stakeholders on track. Users can view all of their tasks in a consolidated dashboard so they don’t need to waste any time tracking down action items. By including DocuSign in its central hub, Cloud Concinnity eliminates the confusion that arises when documents are stored in multiple places. This makes it easy to track which documents need to be signed and by whom.
Figure 1: A signature task in the Cloud Concinnity product
Concinnity and DocuSign: partners in compliance
During the summer of 2022, the team at Concinnity was working with a client on packaging DocuSign with their product and they learned about new DocuSign functionality: embedded signing for CFR Part 11 accounts. Embedded signing enables users to view and sign documents directly through their app or website. On its own, embedded signing is not a new DocuSign feature, but due to issues with compliance, it was not previously available for CFR Part 11 accounts. In July of 2022, the new functionality became available so that developers could use the DocuSign eSignature REST API to build embedded signing solutions into their CFR Part 11 integrations. The key difference between embedded signing for CFR Part 11 and the embedded signing feature that was previously available in other DocuSign accounts is that, in order to be compliant with regulations, CFR Part 11 embedded signers need to authenticate with SMS for access and signatures. This authentication is required when signers open a document to view it, and it’s required again when they sign or initial the document. Authentication with SMS for access and signatures is not the same as the DocuSign phone authentication feature, which only requires the access code once. This authentication method is specifically designed to comply with Part 11 requirements.
Concinnity was an early adopter of the new embedded signing capability and worked closely with the product team at DocuSign to build it into their integration. The DocuSign team was more than willing to answer questions and even do some pair programming with the Concinnity developers. After working with Concinnity, the DocuSign product team worked with the Developer Content team at DocuSign to document the new feature and publish a how-to guide along with a guide with more general information on developing with CFR Part 11 DocuSign accounts. Now customers who need to comply with Part 11 can use those resources and download the Part 11 compliant code example through the DocuSign Quickstart.
Code that covers all the bases
One of the key ways that the DocuSign team worked with Concinnity on their development was providing guidance on how to require the necessary recipient authentication for signers with the DocuSign Python eSignature SDK. The back end of Cloud Concinnity is built with Python using Django as the web framework and Celery for asynchronous data processing. With the Python SDK, Concinnity developers could easily integrate DocuSign API calls into their existing Python code. In addition to the DocuSign eSignature REST API, Cloud Concinnity integrates with the Box API and uses PDF.js for some PDF conversions.
To implement embedded signing for CFR Part 11 accounts, the Concinnity team needed to require SMS authentication for the embedded signers. This requires signers to provide the last four digits of their phone number and then enter a security code received via SMS each time they access, sign, or initial a document. Recipients do not need a DocuSign account to authenticate using this method, making it compatible with embedded signing. Figure 2 shows the snippet of the Cloud Concinnity Python code that creates a recipient and requires SMS authentication for that recipient.
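    from django.conf import settings
    from docusign_esign import (
        RecipientIdentityInputOption,
        RecipientIdentityPhoneNumber,
        RecipientIdentityVerification,
        Signer,
    )

    # Split the profile phone number into country code and national number.
    # The slicing assumes the stored value is digits only with a one-digit
    # country code (for example 1); a leading "+" or a longer code would
    # end up in the wrong field.
    id_phone_number = RecipientIdentityPhoneNumber()
    id_phone_number.country_code = str(recipient.user.userprofile.phone_number)[0:1]
    id_phone_number.number = str(recipient.user.userprofile.phone_number)[1:]

    # Wrap the phone number in the input option the workflow expects.
    id_options = RecipientIdentityInputOption()
    id_options.phone_number_list = [id_phone_number]
    id_options.value_type = "PhoneNumberList"
    id_options.name = "phone_number_list"

    # The workflow ID selects SMS authentication for access and signatures.
    id_verification = RecipientIdentityVerification()
    id_verification.workflow_id = settings.DOCUSIGN_WORKFLOW_ID
    id_verification.input_options = [id_options]

    # client_user_id makes this an embedded signer; identity_verification
    # attaches the SMS requirement to that signer.
    docusign_signer = Signer(
        email=recipient.email,
        name=recipient.display_name,
        recipient_id=str(recipient.pk),
        routing_order=routing_order,
        client_user_id=client_user_id,
        custom_fields=[recipient.pk],
        identity_verification=id_verification
    )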
Figure 2: The Python code that requires SMS authentication for embedded signers
As shown in Figure 2, Cloud Concinnity takes the phone number used for recipient authentication from the user’s profile, splits it into a country code and a number, and stores both in the RecipientIdentityPhoneNumber object created with the Python SDK. That object is wrapped in another SDK object named RecipientIdentityInputOption. Then a RecipientIdentityVerification object is created and the workflow_id property on that object is set to the value of the workflow ID that specifies the authentication type of SMS for access and signatures. The input_options property on the RecipientIdentityVerification object is set to a list containing the RecipientIdentityInputOption object. When the Signer is created, this identity verification information is included, and when the recipient opens the document they will be asked to enter the last four digits of their phone number (as shown in Figure 4) and then an access code that was sent to that phone number (as shown in Figure 5).
Figure 3: A diagram illustrating the code snippet in Figure 2
Figure 4: The screen prompting the recipient to enter the last four digits of their phone number
Figure 5: The screen prompting the user to enter the code that was sent to their phone number via SMS
The recipient is only able to view the document after they have passed these authentication steps. The same identity verification is required after signing. These steps are what ensure that the embedded signature is compliant with Part 11.
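A pre-send check for the requirement described above, as an added example (not Cloud Concinnity's or DocuSign's code): it walks an envelope definition in the eSignature REST API's JSON shape and returns the embedded signers, those with a clientUserId, that lack SMS identity verification. The workflow ID, the sample envelope and the function names are constructed for illustration.

```python
import re

# Constructed placeholder; the real value is the account's workflow ID
# (settings.DOCUSIGN_WORKFLOW_ID in the page's snippet).
SMS_WORKFLOW_ID = "00000000-0000-0000-0000-000000000000"
_DIGITS = re.compile(r"\d+")

def _has_sms_verification(signer, workflow_id):
    """True if the signer has the expected workflow and a usable phone number."""
    idv = signer.get("identityVerification") or {}
    if idv.get("workflowId") != workflow_id:
        return False
    for option in idv.get("inputOptions") or []:
        if option.get("valueType") != "PhoneNumberList":
            continue
        for phone in option.get("phoneNumberList") or []:
            country = str(phone.get("countryCode") or "")
            number = str(phone.get("number") or "")
            # Digits only: a stray "+" or an empty half means the stored
            # number was split incorrectly before it reached the API.
            if _DIGITS.fullmatch(country) and _DIGITS.fullmatch(number):
                return True
    return False

def unverified_embedded_signers(envelope, workflow_id=SMS_WORKFLOW_ID):
    """Return recipientIds of embedded signers lacking SMS verification."""
    signers = (envelope.get("recipients") or {}).get("signers") or []
    return [s.get("recipientId") for s in signers
            if s.get("clientUserId")  # clientUserId marks an embedded signer
            and not _has_sms_verification(s, workflow_id)]

def _idv(country, number):
    """Build the identityVerification object for one phone number."""
    return {"workflowId": SMS_WORKFLOW_ID, "inputOptions": [{
        "name": "phone_number_list", "valueType": "PhoneNumberList",
        "phoneNumberList": [{"countryCode": country, "number": number}]}]}

# Constructed sample envelope definition (not real data).
SAMPLE = {"recipients": {"signers": [
    {"recipientId": "1", "clientUserId": "u1",
     "identityVerification": _idv("1", "5555550100")},
    {"recipientId": "2", "clientUserId": "u2"},  # no verification at all
    {"recipientId": "3", "clientUserId": "u3",   # "+" left in country code
     "identityVerification": _idv("+", "15555550100")},
    {"recipientId": "4"},  # remote signer, outside this check
]}}

if __name__ == "__main__":
    print(unverified_embedded_signers(SAMPLE))
```

Running the check before the envelope is created lets the integration fail closed when a signer was built without the verification object or with a mis-split phone number.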
Customers can easily dot their i’s and cross their t’s with DocuSign and Concinnity
Cloud Concinnity gives DSMBs a single platform where they can oversee all aspects of a clinical trial and with DocuSign’s new embedded signing feature for CFR Part 11 accounts, customers have a frictionless experience when signing documents. With help from the DocuSign product team, Concinnity was able to adopt the new feature quickly after its release, providing value to customers without delay.
Visit our Developer Center to learn more about how a DocuSign integration can create seamless experiences for your customers. You can start exploring the DocuSign eSignature REST API with a free developer account and check out our documentation on CFR Part 11 accounts to test out Part 11 compliant embedded signing for yourself.