Spotlight on Compliance: FDA issues guidance on use of electronic records
New draft guidance designed to clarify
By J. Mark Waxman, JD
General Counsel
CareGroup Healthcare System
Boston
While the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is clearly getting all the headlines and a great deal of attention in the research community, the recent Food and Drug Administration (FDA) Guidance for Industry on Electronic Records indicates it is not the only game in town. The purpose of the guidance, issued as a draft, is to address the requirements for use of electronic records to fulfill the record keeping requirements of the Food, Drug and Cosmetic Act; the Public Health Service Act; and FDA regulations.
For some years, the FDA has grappled with the rules to be applied to the acceptance of electronic records and signatures. In early 1997, final regulations were issued [21 CFR Part 11 (Part 11)] to provide the criteria for acceptance of electronic as opposed to paper records. Their goal was to permit and encourage the "widest possible use" of electronic records.
Thereafter, over a period of years, numerous other documents, some in draft guidance form, were issued, as the FDA sought both to obtain input from industry and to clarify its position on such matters as time stamps, record maintenance, record storage, audit trails, and legacy systems.
Ultimately, the ongoing discussion convinced the FDA that it would need to re-examine its entire approach, leading it to withdraw its prior guidances, while at the same time, issuing new guidance, albeit in draft form, as to how it will approach regulatory enforcement.
Part 11 is designed to address the criteria under which the FDA will consider electronic records adequate to be used in lieu of paper records. This means that electronic records must be "trustworthy, reliable, and generally equivalent" to paper records and signatures. To ensure this, computer systems, including hardware and software, controls, and the attendant documentation, are subject to FDA inspection.
Under the new draft guidance, this scope is refined to be narrowly interpreted. For example, Part 11 applies to records specifically required to be maintained or submitted, but not to records necessary to meet all the regulated activities. In such cases, the "merely incidental" use of computers would not make them subject to Part 11 requirements. However, where records are required to be maintained and are maintained in electronic format, as well as paper, and the electronic records are relied upon to perform the regulated activities, Part 11 would apply.
As the FDA suggests, the approach to be used for decision making is to create a standard operating procedure (SOP) reflecting an assessment of the organization’s business practices. This allows knowledgeable and documented decisions to be made.
Specific requirements
The specific FDA requirements are generally divided into electronic records and electronic signatures. Those records for a closed system — i.e., access controlled by designated employees responsible for the content of records on the system — must meet an extensive series of requirements (21 CFR § 11.10) to create assurance with respect to authenticity, integrity, and, where appropriate, privacy. This requires SOPs in the following areas:
- Validation. The guidance points out that there is no specific regulation with respect to validation. Yet, as Part 11 points out, those using electronic record systems will need to have validated systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. The guidance itself goes on to suggest that the effort made to validate any particular system would vary with the risk assessment and the potential to affect product quality, safety, and record integrity.
- Audit trails. Existing regulations actually do require, in some instances, an auditable trail of dates, times, or event sequences. For example, the FDA requires that all data generated during the conduct of a nonclinical laboratory study must be dated, signed, and initialed.
If the system is automated, the individual responsible for direct data input must be identified. Finally, if changes are made, the reason, date, and responsible individual must be identified (21 CFR § 58.130). To protect the organization, similar information is desirable, even where not required. As a result, the ability of an electronic record system to maintain an accurate record of a trial through the creation, revision, and even deletion of records is important and should be validated prior to complete reliance.
- Legacy systems. One of the critical issues in the ongoing discussion with the FDA over electronic records is related to systems that otherwise met FDA regulations prior to the effective date of the final regulations, Aug. 20, 1997. Based upon the draft guidance, it now appears that, assuming any actual FDA regulations were met, the use of such systems will not lead to any regulatory action with respect to them, even though not all the specific requirements of Part 11 are met.
- Copies of records. One of the important elements of any electronic system is the ability to provide copies as well as to simply make the records available for inspections.
The guidance recommends that copies be supplied using common portable formats, applying established conversion methods if necessary to attain this goal. If the existing system allows searches or trending, the same capability is desirable in the provided materials, but only if technically feasible — thereby not requiring that this be achieved.
The guidance does not specifically differentiate between open systems (those where access is not controlled by people responsible for record content) and closed systems (those that are controlled by those responsible for record content). The Part 11 regulations do, however, address the requirements for such systems separately.
The controls for closed systems form a baseline (21 CFR § 11.10). In addition to validation, maintenance of audit trails, and record protection, they include procedures and controls:
- to limit system access to authorized individuals with a system for authority checks;
- to ensure validity of the source of data input or operational instructions;
- to ensure a determination can be made that people who develop, maintain, or use such systems have the education, training, and experience to perform their assigned tasks;
- to deter record or signature falsification (this specifically regards policies that hold system users accountable and responsible for actions taken based upon their signatures);
- to maintain and control appropriate systems documentation and related revisions.
For an open system environment, the challenge and resulting requirements are enhanced. Accordingly, in addition to the closed system requirements, an open system must employ procedures and controls that focus on authenticity, integrity, and higher levels of confidentiality in the system. This typically will require processes such as encryption and use of digital signature standards (21 CFR § 11.30).
Part 11 contains a series of logical requirements for electronic signatures (21 CFR § 11.50 et seq). Recognizing that the usual "XX" is inadequate, the regulations require a signing that indicates:
- the printed name and that the related signature is unique to the individual;
- the date and time of signature;
- the purpose or authority of the signer in connection with the document involved.
Systems that use electronic signatures or handwritten signatures must demonstrate reliability with respect to authenticity and integrity (21 CFR § 11.70). There is latitude provided for those signatures based upon biometrics (fingerprint or retina scan) or identification codes in combination with passwords. Such approaches also require appropriate validation and testing to ensure integrity, including loss management procedures.
Finally, the entity must certify to the FDA, in paper form and "signed with a traditional handwritten signature," that the electronic signatures are intended to be as binding as the equivalent handwritten signature.