Electronic Record Keeping
Achieving and Maintaining Compliance with 21 CFR Part 11 and 45 CFR Parts 160, 162 and 164
David Nettleton
Janet Gough
Interpharm/CRC
Boca Raton London New York Washington, D.C.
Copyright © 2004 CRC Press, LLC PH2164_C00.fm Page 2 Wednesday, November 19, 2003 2:52 PM

Library of Congress Cataloging-in-Publication Data
Nettleton, David, 1963–
Electronic record keeping: achieving and maintaining compliance with 21 CFR Part 11 and 45 CFR parts 160, 162, and 164 / David Nettleton, Janet Gough.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2164-6 (alk. paper)
1. Medical records--Law and legislation--United States. 2. Medical records--Automation. 3. Medical records--Data processing. I. Gough, Janet. II. Title.
KF3827.R4N48 2003
070.5'797--dc22 2003055694

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.

Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.

Visit the CRC Press Web site at www.crcpress.com

© 2004 by CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-2164-6
Library of Congress Card Number 2003055694
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper

Introduction

It has been said that the only static element is change. So it is in business. Technology becomes available and industry seeks to embrace it, and the rules and regulations evolve commensurately. Proposed regulations and final rules about electronic record keeping that apply to food, drug, medical device and biologics businesses and to healthcare management require companies to achieve and maintain compliance. This is a formidable task, but it need not be onerous. This book provides guidance for purchasing, installing, validating and managing commercial off-the-shelf (COTS) software for data collection and retention.

Title 21 of the Code of Federal Regulations (CFR) Part 11, Electronic Records; Electronic Signatures, and the Health Insurance Portability and Accountability Act (HIPAA) regulations at 45 CFR Parts 160, 162 and 164, whose security rule was published in final form in early 2003, spell out essentially the same requirements. In fact, 21 CFR Part 11, which took effect in 1997, provides the paradigm for the newer HIPAA regulations. Companies already familiar with the 21 CFR Part 11 requirements can build on that knowledge to comply with HIPAA.

We are currently experiencing a revolution in software, and the regulations have evolved to address the increasingly sophisticated software on the market worldwide.
More and more, companies are turning to off-the-shelf software for electronic record keeping. Electronic record keeping, also known as electronic data capture (EDC), entails collecting or acquiring data as a permanent electronic record, with or without a human interface: data collection systems or applications that are modem-based or Web-based, that use optical mark or character recognition, or that employ audio text, interactive voice response, graphical interfaces, clinical laboratory interfaces or touch screens. The word "permanent" here means that changes made to electronic data are recorded in an audit trail; earlier values are not simply overwritten and lost. To maintain the integrity of the record, an audit trail and controlled security are imperative.

The bottom line is this: people using data from computerized systems must have confidence in the integrity of their data, and data entered into electronic systems must be at least as reliable as, and ideally more reliable than, data captured on paper. Security and accountability are large factors in data integrity, and this book discusses security measures and how to manage passwords. Finally, since the audit function has long been a part of FDA regulations but may be new to many facilities that are subject to the newer HIPAA regulations, the book presents a summary of an effective audit function. It also offers guidance on training people in the electronic systems and on preparing supporting documentation.

Note that HIPAA, enacted in 1996, and the regulations issued under it are extensive. They relate to healthcare, labor and benefits, and reside in Titles 26, 29, 42 and 45 of the CFR. This book addresses only those regulations recently issued as final rules that relate to electronic record keeping.
A primary purpose of 45 CFR Parts 160, 162 and 164 is to reduce paperwork; the projection is that the new regulations will cut it by 25 percent. Accomplishing this should significantly reduce costs.

UPPER MANAGEMENT COMMITMENT

Once a company determines to employ electronic record keeping, it is important that upper management understand what going electronic involves. Management may not fully understand what installing an electronic record keeping system entails and therefore may not allocate the appropriate resources for all the activities that must occur to make and keep the company compliant. Thus the people who will actually purchase, install, validate and document an electronic record keeping system and conduct user training for it must be adept at conveying what is involved, so that the system receives proper support in both capital and time and ultimately does the job for which it is intended. Being overly frugal with resources at this stage will surely prove costly going forward.

Further, electronic record keeping requires top-down support because electronic record keeping systems are tools that drive the operation forward. Avoiding the electronic path is akin to setting limits on the operation. Without electronic record keeping, a company can fall far behind its competitors and lose its cutting edge. Embracing it now keeps the operation poised to grow effectively. And ultimately, electronic record keeping translates into better records, fewer problems and cost-effective operation, provided it is put in place correctly.
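The Introduction defines a "permanent" electronic record as one whose changes are recorded in an audit trail, and names the audit trail and controlled security as what preserve record integrity. The following is an added example of that idea in working Python, not code from the book or from either regulation: an append-only, hash-chained audit trail in which every field change records who, when, old value, new value and a reason, earlier values are never lost, and verify_chain detects an entry that was later edited, deleted or reordered. The record and field names, the SHA-256 chain and the store API are this example's own assumptions; neither 21 CFR Part 11 nor 45 CFR Part 164 prescribes a specific mechanism.

```python
"""Append-only, hash-chained audit trail for electronic record fields.

Added example, not from the book. The record/field names, the SHA-256
chain and the store API are this example's own assumptions; neither
21 CFR Part 11 nor 45 CFR Part 164 prescribes a particular mechanism.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class AuditEntry:
    """One immutable trail line: who changed which field, when, from what, to what, why."""
    seq: int
    timestamp: str
    user: str
    record_id: str
    field_name: str
    old_value: Optional[str]
    new_value: Optional[str]
    reason: str
    prev_hash: str   # entry_hash of the preceding entry; links the chain
    entry_hash: str  # SHA-256 over every field above


def _chain_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal content hashes equally.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_chain(trail: list[AuditEntry]) -> bool:
    """Recompute every hash and link. An edited, removed or reordered entry fails."""
    expected_prev = AuditedRecordStore.GENESIS
    for position, entry in enumerate(trail):
        body = asdict(entry)
        stored_hash = body.pop("entry_hash")
        if entry.seq != position or entry.prev_hash != expected_prev:
            return False
        if _chain_hash(body) != stored_hash:
            return False
        expected_prev = stored_hash
    return True


class AuditedRecordStore:
    """Field-level record store in which every change appends an audit entry.

    The current value is updated for convenience, but earlier values are never
    lost: they stay in the trail, so the record can be reconstructed at any time.
    """

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, clock: Optional[Callable[[], str]] = None):
        self._records: dict[str, dict[str, Optional[str]]] = {}
        self._trail: list[AuditEntry] = []
        # Injectable clock so tests and replays are deterministic.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def set_field(self, user: str, record_id: str, field_name: str,
                  new_value: Optional[str], reason: str) -> AuditEntry:
        """Record a change. Refuses anonymous or unexplained edits."""
        if not user.strip() or not reason.strip():
            raise ValueError("a change needs an identified user and a stated reason")
        old_value = self._records.get(record_id, {}).get(field_name)
        body = {
            "seq": len(self._trail),
            "timestamp": self._clock(),
            "user": user,
            "record_id": record_id,
            "field_name": field_name,
            "old_value": old_value,
            "new_value": new_value,
            "reason": reason,
            "prev_hash": self._trail[-1].entry_hash if self._trail else self.GENESIS,
        }
        entry = AuditEntry(**body, entry_hash=_chain_hash(body))
        self._trail.append(entry)
        self._records.setdefault(record_id, {})[field_name] = new_value
        return entry

    def current(self, record_id: str) -> dict[str, Optional[str]]:
        return dict(self._records.get(record_id, {}))

    def history(self, record_id: str) -> list[AuditEntry]:
        return [e for e in self._trail if e.record_id == record_id]

    def trail(self) -> list[AuditEntry]:
        return list(self._trail)

    def verify_trail(self) -> bool:
        return verify_chain(self._trail)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    store = AuditedRecordStore()
    store.set_field("jdoe", "LOT-001", "assay_pct", "98.2", "initial entry")
    store.set_field("jdoe", "LOT-001", "assay_pct", "98.4", "transcription error corrected")
    for e in store.history("LOT-001"):
        print(f"#{e.seq} {e.timestamp} {e.user}: {e.field_name} {e.old_value!r} -> {e.new_value!r} ({e.reason})")
    print("trail intact:", store.verify_trail())
```

The hash chain is what makes the trail more than a log table: an administrator with write access to the database can still change a row, but cannot do so without breaking every later entry_hash, which verify_chain reports. In a real deployment the trail would also be written to storage the application account cannot modify, and the chain head would be periodically signed or copied off-system, so that an attacker who can rewrite the whole table cannot simply recompute it.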
Authors

David Nettleton is a 21 CFR Part 11, HIPAA and computer system validation consultant involved with the development, purchase, installation, operation and maintenance of computerized systems used in regulated applications. Services include gap analysis, remediation plans, SOP development, vendor audits, training and project management. He has completed more than 120 computer system validation projects for mission-critical applications involving blood bank, clinical trial, corrective action, document control, electronic data capture, Excel spreadsheets developed for regulated applications, Internet billing, laboratory instruments, laboratory information management, manufacturing, enterprise resource planning, medical device software, MRI software, nuclear power plant maintenance, pharmaceutical, retail software including Visio and MS Windows operating systems, server room moves and toxicology systems. He is on the faculties of several professional training organizations. He is also the co-author of Commercial Off-the-Shelf (COTS) Software Validation for 21 CFR Part 11 Compliance (Davis Horwood International [DHI] and the Parenteral Drug Association [PDA]).
916-928-1470 phone
916-928-1470 fax
dnettleton@computersystemvalidation.com
www.computersystemvalidation.com

Janet Gough, an English language expert and consultant to the pharmaceutical, biotech and device industries, assists companies in developing compliant systems and preparing documentation, including research and development reports, procedures, clinical documents and regulatory filings. She also trains staff in systems and procedures and in English as a second language and technical writing.
She has been a director of technical communications for a biotech company, has taught English in university graduate and undergraduate programs and is currently on the faculties of several professional training organizations. She is the author of Write It Down: Guidance for Preparing Documentation that Meets Regulatory Requirements (CRC Press) and Hosting a Compliance Inspection (Davis Horwood International [DHI] and the Parenteral Drug Association [PDA]), and the co-author of The Internal Quality Audit, The External Quality Audit and Commercial Off-the-Shelf (COTS) Software Validation for 21 CFR Part 11 Compliance (Davis Horwood International and PDA).
973-252-3731 phone
973-252-6910 fax
[email protected]

Table of Contents

Chapter 1 Electronic Record Keeping: The Big Picture
    Regulatory Evolution
        The Electronic Revolution
        Compliance Requirements
            General Basis for Electronic Records
            Security
            Data Transfer
            Operation Checks
            Archiving
            Audit Trails
    Computer System Validation, Training and Documentation

Chapter 2 The Regulations: Not Just What They Say, But What They Mean
    45 CFR Parts 160, 162 and 164 and Industry Standards
        160.103 Definitions
        164.304 Definitions
        164.306 Security Standards: General Rules
        164.308 Administrative Safeguards
        164.310 Physical Safeguards
        164.312 Technical Safeguards
        164.314 Organizational Requirements
        164.316 Policies, Procedures and Documentation Requirements

Chapter 3 Going Electronic: What You Need to Know and Do
    Software Development and Use: From Then till Now
        The COTS Software Development Life Cycle
            Purchasing COTS Software
            Choosing a Vendor
        Escrow Accounts
            Developer and User Validation
            Developer Validation
        User Validation
        Ten Steps to Computer System User Validation
        User and Developer Combined Validation
            Operating Environments
            Computer System Validation
            Validation Models for System Components
        Retrospective Validation

Chapter 4 Documentation and Training
    The Validation Packet
    Validation Documents
        User Requirements
            Project Plan
            Installation Protocol
            Installation Report
            Functional Specifications
            Hazard Analysis
            User Testing Protocol
            User Testing Report
            System Release Report
            System Review Report
        System Support Documents
        Standard Operating Procedures
            Document Management
            Training
            Facilities Security
            Network Security
            Workplace Security Awareness Program
            Computer System Back-up
            Data Archiving
            Computer System Maintenance Event Recording
            Computer System Disaster Recovery
            Information System Monitoring and Review
            Security Incident Procedure
            Electronic Signatures
            Electronic Record Retention
            Control of Electronic Mail
            Computer Software Procurement
            Software Vendor Auditing
            Computer System Change Control
            Computer System Validation
            Computer System Retirement
            Signature Log/Look-Up Table SOP
        Human Resources
        Additional Records
            Electronic Signature Notification
            Minimum Required Signatures List
        System User Training
            21 CFR Part 211 — Current Good Manufacturing Practice for Finished Pharmaceuticals
                Subpart B — Organization and Personnel
            21 CFR Part 606 — Current Good Manufacturing Practice for Blood and Blood Components
                Subpart B — Organization and Personnel
            21 CFR Part 820 — Quality System Regulations
                Subpart B — Quality System Requirements
                Subpart G — Production and Process Controls
            ICH Q7A Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients

Chapter 5 Security, Accountability and Change Management
    Managing the System
    Security
        The People Factor
            Fraud
            Vandalism
            Terrorism
            Theft
        Security Defenses
        Commitment to Security
            The Security Mindset
    Ongoing Communication
    Managing Passwords: A Keychain
        Biometric Keychains
        Change Management
        Maintaining a Robust System
        Remaining Compliant

Chapter 6 Auditing Electronic Record Keeping Systems
    Establishing an Audit Function
    The Scope of the Audit
    Preparing to Audit
    The Binding Regulations
    Document Review
    Scheduling the Audit
    Audit Measurements
    The Audit Plan
    Checklists and Notebooks
    Conducting the Actual Audit
    Interviewing Users
    Observing System Operation
        Training
        Building Security
        Computer Security
        Backup
        Archiving Data
        System Maintenance Event Recording
        Change Control
        Disaster Recovery
        Electronic Signature Policy
        Electronic Record Retention
        Computer System Validation
        Nonconformances
    Information Exchange
    Evaluating and Reporting Results
    Reporting Audit Results
    Future Audits
    Keeping the Audit Function Vital
    Auditing and the Regulatory Inspection
    The Mock Inspection

Chapter 7 Moving Forward
    Computer System Validation Committee
    Changing Company Cultures
    Gap Analysis
    Computer System Inventory
        Software Inventory Elements
    Revalidation
    Remaining Vigilant

Chapter 8 Frequently Asked Questions
    Binding Regulations
    Software Vendors
    Computer System Validation
    Electronic Records
    Electronic Signatures and Accountability
    Security
    Systems
    Audit Trails
    Staying Informed

Appendix I
Appendix II
Appendix III
References