What’s In a Name? Forget ‘Part 11,’ Think Electronic Record Integrity
Tamar June, AssurX, Inc.
Time for a pop quiz. True or false: The Food and Drug Administration (FDA) is not enforcing its electronic records 21 CFR Part 11 Rule.
Answer: True. And False.
William Shakespeare once asked, “What’s in a name?” As the bard noted, a rose by any other name would smell just as sweet. In today’s world, we might instead ask ourselves what’s in 21 CFR Part 11’s name? Call it enforcement of electronic record integrity instead of Part 11 if you prefer, but the same principle applies: Good electronic record integrity is good business.
While it is certainly true that the FDA has relaxed its enforcement policy toward Part 11, to state that the agency has stopped enforcing electronic record integrity requirements can be a costly error.
The confusion comes in part from the FDA’s own well-publicized shift in its Part 11 policy.
When it issued the rule in 1997 and for several years thereafter, the FDA seemed to take a very tough and literal stance on maintaining electronic record integrity.
In fact, there was a time when consultants were wondering out loud whether the FDA intended to inspect the physical conditions, such as room temperature, as a regular part of its inspections.
But cooler heads ultimately prevailed. Indeed, at a May 2003 conference, a leading FDA Part 11 expert signaled this shift when he publicly acknowledged that the agency’s scope for Part 11 was overly broad, and the rule was not achieving the desired effect of encouraging the use of new electronic technologies.
He also acknowledged that smaller companies in particular were reverting to paper because of the rule’s onerous requirements, and that the very premise and economic analysis in Part 11’s infamous preamble were flawed.
Kinder, Gentler Approach
Instead, the agency ushered in what some termed a “kinder, gentler” approach to Part 11.
It was grounded more in common sense, and also left much of the onus and responsibility for risk assessment relative to each record to the companies themselves. In other words, if FDA-regulated firms could come up with a policy that provided adequate protection for electronic records based on their relative impact on patient health and product efficacy, the FDA would be happy.
While this shift was generally applauded in industry, some were worried that the requirements had become vague, especially in reference to how to rank risk, while others went even further and arguably misinterpreted the agency’s shift to mean it no longer cared much about Part 11 issues or electronic record integrity.
And the agency may have inadvertently encouraged that latter impression by not directly enforcing Part 11 much in its warning letters in 2004 or 2005.
While agency officials maintained at conventions and other public gatherings that they cared about electronic record integrity, for some the proof comes only when it is specifically mentioned in a warning letter.
No mention of Part 11, to this group, meant no enforcement. That’s a mistake on several levels.
For starters, electronic record integrity is simply good business. For many successful firms it is a core of their operational best practices, regardless of regulatory considerations.
Secondly, the FDA clearly values electronic record integrity and expects firms to practice intelligent standard operating procedures (SOPs) designed to ensure it.
Example of Enforcement
A good example comes from an FDA Warning Letter in April 2005 sent to the Rosenthal Eye and Facial Plastic Surgery center in Great Neck, New York.
A closer look at this warning letter may help us to get a better sense of the FDA’s current enforcement position vis-a-vis Part 11 and electronic records.
In the letter, Timothy A. Ulatowski, Director of the Office of Compliance for the Center for Devices and Radiological Health, makes a point of seeking clarification on how the Rosenthal center maintains medical and other clinical data for patients – including study subjects – via an electronic medical record (EMR) with no paper.
Citing Part 11 specifically, Ulatowski asks Rosenthal to show that his center is meeting the requirements that must be met for any system being used to maintain required records.
In the warning letter, the FDA also asks for:
• Documentation of the validation of Rosenthal’s EMR system to ensure accuracy, reliability and the ability to detect invalid or altered records;
• Documentation of the ability to generate accurate and complete copies of records suitable for inspection, review and copying by the agency;
• Documentation of a secure, computer-generated, time-stamped audit trail that can independently record the date and time of operator entries and actions that create, modify, or delete electronic records, and to verify that record changes do not obscure previously recorded information.
As consultant Keith Benze with SEC Associates notes, the FDA “does not actually cite a violation of Part 11 but requests information about computer systems based on Part 11 requirements.”
And while it would not be accurate to say that Part 11-related computer systems concerns were the central issue cited in the letter, it is fair to note that, just as a flawed Corrective and Preventive Action (CAPA) system often raises red flags for FDA inspectors, so too do computer system integrity issues.
Produce Records Quickly
It is also worth noting that the Rosenthal warning letter highlights another important electronic record issue: Firms must be able to quickly retrieve and produce records sought by FDA inspectors.
Unfortunately, many companies are taking what they think is a “safe” approach to Part 11 and electronic record compliance by simply holding on to everything they generate.
It is as if instead of developing a common sense SOP, they just hold onto everything and cross their fingers.
The problem there is obvious: Companies generate so many electronic records, and so many of them simply do not need to be kept, that when they want to find a required one it will be time-consuming if not downright impossible to retrieve it.
Instead, intelligent firms will develop and implement intelligent best practices that harness the best in technology and common sense risk assessment to ensure that they keep the electronic records they need to keep, protect the integrity of those electronic records, and can access them in an accurate and timely manner.
Shakespeare certainly understood that our word labels don’t always mean much.
It’s time we all recognized that electronic record integrity is an important issue whether it is called Part 11 or not.
Tamar June (tamar@assurx.com) is the vice president of strategic marketing for AssurX, Inc. She has been in the information technology and manufacturing industry for more than 15 years and has published numerous regulatory (21 CFR Part 11) and technology articles appearing in a variety of publications. She holds a B.S. degree in marketing from St. Joseph’s University and she attended the Katz Graduate School of Business at the University of Pittsburgh.