Decentralized Clinical Trials: The FDA Remote Monitoring Compliance Gaps Most Sponsors Miss

Three sponsors in the same quarter. Different therapeutic areas, different contract research organizations, different monitoring tools. All three received FDA Form 483 observations tied to the same root cause: they’d built a decentralized clinical trial infrastructure without fully mapping it against the existing regulatory framework.

That’s the pattern we keep seeing in 2025 and into 2026. Sponsors embrace decentralized clinical trials (DCTs) for every legitimate reason — broader patient access, faster enrollment, real-world data capture — and then discover, often during a Bioresearch Monitoring Program (BIMO) inspection, that their compliance architecture didn’t keep pace with their operational design.

FDA’s final guidance on DCTs, published in May 2023, was enormously helpful. It clarified expectations around remote monitoring, local healthcare provider (local HCP) visits, direct-to-patient drug shipment, and electronic consent. But it explicitly didn’t create a new regulatory pathway. Every obligation under 21 CFR Parts 50, 56, 312, and 812 still applies. The guidance just tells you how to meet those obligations in a distributed setting — and that “how” is where most programs have gaps.

What FDA’s DCT Guidance Actually Says (and What It Leaves Open)

The May 2023 guidance defines a decentralized clinical trial as one that uses “non-traditional” trial sites, remote interactions, and digital health technologies (DHTs) to bring trial activities to the participant. That definition is intentionally broad, which is useful for sponsors designing hybrid models but creates interpretive work for compliance teams.

A few things the guidance is explicit about:

Investigator responsibility doesn’t change. Under 21 CFR § 312.60, the investigator still bears personal responsibility for the conduct of the trial. In a DCT, where a local HCP might draw blood, a digital health device might capture the primary endpoint, and the investigator might never meet the patient in person, tracing that responsibility line requires a lot more contractual and procedural scaffolding than a traditional site model.

eConsent has real requirements. FDA’s separate eConsent guidance (2016, still operative) requires that the consent process meet all 21 CFR Part 50 elements, that subjects have the opportunity to ask questions in real time, and that the process be documented in the trial master file. A checkbox on a patient app doesn’t satisfy this. We’ve seen IRB submissions approved without adequate eConsent documentation because reviewers weren’t asking the right questions.

Direct-to-patient shipping is not a logistics issue — it’s a regulatory one. When product ships directly to participants’ homes, chain-of-custody requirements under 21 CFR § 312.61 apply at every leg of that shipment. Temperature excursion documentation, tamper-evident packaging verification, and accountability records must be as rigorous as they would be at a traditional pharmacy or investigational site. Sponsors who treat this as a third-party logistics problem — rather than a regulatory compliance problem — tend to learn that distinction during inspections.

What the guidance leaves open is substantial. FDA describes “acceptable” approaches for many DCT elements without specifying exactly what “acceptable” looks like in practice. Local HCP qualification criteria, for instance, are discussed in principle but not in the detail that an IRB submission or monitoring plan requires. That ambiguity is intentional — FDA wants flexibility — but it means sponsors have to build defensible position papers for their specific protocol before they’re asked for them.

The BIMO Inspection Findings That Keep Appearing

BIMO inspections of DCTs aren’t dramatically different from inspections of traditional trials in what investigators want to see. They’re dramatically different in what they actually find.

The three most common citation categories we track in decentralized programs:

Data integrity under 21 CFR Part 11. Electronic records generated by wearables, patient-reported outcome apps, and remote monitoring platforms must meet Part 11 requirements — audit trails, access controls, system validation, and protection against unauthorized modification. Many DHT vendors are strong on their FDA 510(k) clearances but have not built their platforms to meet Part 11 record-keeping requirements in the specific way a clinical trial sponsor needs. Validating a DHT for clinical use is distinct from its FDA market authorization. Sponsors who assume one covers the other are setting up a citation.

Source data verification gaps. In a traditional model, a clinical research associate (CRA) walks into the site and compares the case report form to the source document sitting in the patient’s chart. In a DCT, source data might live in three places: the patient’s DHT, the local HCP’s EMR, and the sponsor’s eClinical platform. Audit trails have to bridge all three, and monitoring plans have to specify exactly how the CRA (or remote data reviewer) confirms that what’s in the CRF matches what the device actually recorded. We routinely see monitoring plans that describe remote SDV conceptually but don’t specify the technical mechanism or the escalation path when a discrepancy can’t be resolved remotely.

IRB submission incompleteness. Under 21 CFR Part 56, the IRB must receive enough information to make a complete risk-benefit determination. DCT-specific risks — data security, the participant’s ability to understand electronic consent, the absence of in-person investigator contact, the implications of home-based procedures — have to be explicitly addressed. Many IRB submissions for DCTs are adapted from traditional trial templates and don’t adequately describe the decentralized elements. Some IRBs don’t flag this. FDA investigators do.

21 CFR Part 11 in Decentralized Trials: A Practical Framing

Part 11 compliance is where regulatory compliance consulting engagements in this space spend the most time, and for good reason. The intersection of DHTs, patient apps, eClinical platforms, and central monitoring tools creates a data flow that’s genuinely complex to validate end to end.

The key Part 11 requirements that surface most often in DCT inspections:

• Audit trails must be computer-generated, timestamped, and protect the original record. If a wearable device syncs data through a patient app to a cloud platform, each handoff must preserve the original values and timestamp — not overwrite or aggregate them in ways that obscure what the device actually measured.

• System validation under 21 CFR § 11.10(a) requires documented evidence that the system does what it’s designed to do, consistently. For a novel DHT used as a primary endpoint capture device, this means protocol-specific validation, not just the manufacturer’s general validation package. Sponsors should request the vendor’s validation documentation and assess the gaps against their intended use before the IND goes in.

• User access controls (§ 11.10(d)) matter in a decentralized setting because participants, local HCPs, CRAs, and sponsor personnel may all interact with the same data environment through different interface layers. Access must be limited to what each role requires, and the audit trail has to distinguish between user types.

• Signed records (§ 11.50) apply to any electronic record that stands in for a signature — eConsent attestations, investigator protocol certifications, pharmacy acknowledgments. The signature must be linked to the record in a way that can’t be removed or falsified.

FDA doesn’t expect perfection here. It expects documented, controlled systems with clear SOPs and evidence that deviations were captured and assessed. The sponsors who get Form 483 observations are rarely those who tried and fell short — they’re the ones who didn’t document what they tried.

Building a DCT Compliance Framework That Survives Inspection

The structural mistake most sponsors make is treating DCT compliance as an overlay on an existing trial design rather than as a foundational element of protocol development. By the time the monitoring plan is being written, the decisions that drive compliance risk — which DHTs to use, how eConsent will work, whether to use local HCPs and who qualifies — have already been made. Changing them is expensive and disruptive.

A more defensible approach runs the compliance review in parallel with protocol development, not after it. Specifically:

Map the data flow before the IND. Every data element that will be collected — whether from a wearable, a patient app, a local lab, or a telemedicine encounter — should be mapped to its storage location, its Part 11 status, and its audit trail mechanism before the IND is submitted. This map becomes a living document that the monitoring plan, the TMF plan, and the IRB submission all reference.

Qualify local HCPs as you would a sub-investigator. FDA’s DCT guidance describes local HCPs as distinct from sub-investigators but doesn’t eliminate the oversight obligation. Practically, a local HCP who draws blood, administers study procedures, or assesses safety endpoints is performing investigational functions that require documented training, CV review, and protocol delegation. The investigator delegation log has to account for them.

Build the monitoring plan around your actual risk. FDA’s 2013 Risk-Based Monitoring guidance (updated 2023) still applies, and it’s genuinely useful here. DCTs often have lower geographic footprint but higher data-integrity risk. The monitoring plan should reflect that inversion — less travel to sites, more intensive centralized data review, and explicit triggers for on-site (or local HCP-site) visits when centralized monitoring detects signals.

Pre-plan your inspection response. BIMO inspections in DCTs will include requests for TMF access, platform audit trails, and protocol deviation logs. Having a pre-inspection readiness review — running your own audit against the data flow map — is significantly more efficient than reconstructing documentation under inspection pressure. Assign a single point of contact who knows the full DCT architecture, not just the clinical operations piece.

The shift to decentralized trial designs is real, it’s accelerating, and regulators are adapting their inspection approach accordingly. But adaptation doesn’t mean relaxation. FDA’s inspection program for DCTs is getting more sophisticated, not less. Sponsors who treat the May 2023 guidance as permission to decentralize are reading it wrong. It’s a framework for doing it compliantly — and that framework requires work.

Written by Sam Sammane, Founder & CEO, Aurora TIC | Founder, Qalitex Group. Learn more about our team

Talk to our compliance consultants about building a DCT compliance framework before your next IND. Contact us

Related from our network

• GMP manufacturing compliance and laboratory quality systems — Qalitex Laboratories provides ISO 17025-accredited testing support for sponsors managing investigational product quality.
• Clinical trial supply chain and product testing in Canada — Androxa supports Canadian regulatory submissions and NHP compliance for cross-border trial sponsors.