Electronic Record Keeping
Achieving and Maintaining
Compliance with 21 CFR Part 11 and
45 CFR Parts 160, 162 and 164
David Nettleton
Janet Gough
Interpharm/CRC
Boca Raton London New York Washington, D.C.
Copyright © 2004 CRC Press, LLC
PH2164_C00.fm Page 2 Wednesday, November 19, 2003 2:52 PM
Library of Congress Cataloging-in-Publication Data
Nettleton, David, 1963–
Electronic record keeping: achieving and maintaining compliance with 21 CFR Part 11
and 45 CFR parts 160, 162, and 164 / David Nettleton, Janet Gough.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2164-6 (alk. paper)
1. Medical records--Law and legislation--United States. 2. Medical records--Automation.
3. Medical records--Data processing. I. Gough, Janet. II. Title.
KF3827.R4N48 2003
070.5'797--dc22 2003055694
This book contains information obtained from authentic and highly regarded sources. Reprinted material
is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable
efforts have been made to publish reliable data and information, but the author and the publisher cannot
assume responsibility for the validity of all materials or for the consequences of their use.
Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying, microfilming, and recording, or by any information storage or
retrieval system, without prior permission in writing from the publisher.
The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for
creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC
for such copying.
Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are
used only for identification and explanation, without intent to infringe.
Visit the CRC Press Web site at www.crcpress.com
© 2004 by CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-2164-6
Library of Congress Card Number 2003055694
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper
Introduction
It has been said that the only static element is change. So it is in business. Technology
becomes available and industry seeks to embrace it. The rules and regulations evolve
commensurately. Proposed regulations and final rules about electronic record keeping
that apply to food, drug, medical devices and biologic businesses and healthcare
management require companies to achieve and maintain compliance. This is a
formidable task, but it need not be onerous. This book provides guidance for pur-
chasing, installing, validating and managing commercial off-the-shelf (COTS) soft-
ware for data collection and retention.
Title 21 of the Code of Federal Regulations (CFR) Part 11, Electronic records;
electronic signatures, and the new Health Insurance Portability and Accountability
Act (HIPAA) regulations at 45 CFR Parts 160, 162 and 164, which were issued as a
final rule in early 2003, spell out essentially the same requirements, and, in fact,
21 CFR Part 11, which took effect in 1997, provides the paradigm for the new HIPAA
regulations. Companies already familiar with the 21 CFR Part 11 requirements can
build on that knowledge to comply with HIPAA requirements.
We are currently experiencing a revolution in software, and the regulations have
evolved to address the increasingly sophisticated software on the market worldwide.
More and more, companies are turning to off-the-shelf software for electronic record
keeping. Electronic record keeping, also known as electronic data capture (EDC),
entails collecting or acquiring data as a permanent electronic record with or without
a human interface, such as using data collection systems or applications that are
modem based or Web based, use optical mark/character recognition or employ audio
text, interactive voice response, graphical interfaces, clinical laboratory interfaces
or touch screens. The word "permanent" here means that changes made to electronic
data are recorded in an audit trail. To maintain the integrity of the record, an audit
trail and controlled security are imperative.
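The paragraph above defines a "permanent" record as one whose changes are captured in an audit trail rather than overwritten. The following Python example is added here to show what that looks like in code; it is not from the book or its authors. It keeps a record store whose every create, modify and delete appends an entry carrying operator, timestamp, field, old value, new value and reason, so the previously recorded value is never obscured. Chaining each entry to the previous one with a SHA-256 hash is an added design choice (the book only calls for an audit trail that records changes); it lets verify() detect an entry that was edited or removed after the fact. The record identifiers, field names and values are constructed sample data.

```python
"""Append-only, hash-chained audit trail for electronic records (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, Optional


class AuditedRecordStore:
    """Current record values plus an append-only audit trail of every change.

    Each trail entry names the operator, the timestamp, the field, the old and
    new values and a reason for change. The entry hash covers the entry content
    and the previous entry's hash (an added design choice, not prescribed by the
    book), so editing or deleting an entry afterwards breaks the chain.
    """

    GENESIS = "0" * 64

    def __init__(self, clock: Optional[Callable[[], str]] = None):
        self.records: dict = {}
        self.trail: list = []
        # injectable clock so the trail is reproducible in tests
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    @staticmethod
    def _digest(content: dict, prev_hash: str) -> str:
        payload = json.dumps(content, sort_keys=True, separators=(",", ":")) + prev_hash
        return hashlib.sha256(payload.encode()).hexdigest()

    def _append(self, action, record_id, field, old, new, operator, reason):
        if not reason:
            raise ValueError("a reason for change is required")
        entry = {
            "seq": len(self.trail) + 1,
            "timestamp": self._clock(),
            "operator": operator,
            "action": action,
            "record_id": record_id,
            "field": field,
            "old_value": old,
            "new_value": new,
            "reason": reason,
        }
        prev_hash = self.trail[-1]["hash"] if self.trail else self.GENESIS
        entry["hash"] = self._digest(entry, prev_hash)
        self.trail.append(entry)

    def create(self, record_id, fields: dict, operator, reason):
        if record_id in self.records:
            raise KeyError(f"record {record_id} already exists")
        self.records[record_id] = dict(fields)
        for field, value in fields.items():
            self._append("create", record_id, field, None, value, operator, reason)

    def modify(self, record_id, field, new_value, operator, reason):
        record = self.records[record_id]
        old_value = record.get(field)
        if old_value == new_value:
            return  # nothing changed, nothing to record
        record[field] = new_value  # the old value survives in the trail, not here
        self._append("modify", record_id, field, old_value, new_value, operator, reason)

    def delete(self, record_id, operator, reason):
        record = self.records.pop(record_id)
        for field, value in record.items():
            self._append("delete", record_id, field, value, None, operator, reason)

    def history(self, record_id):
        """Every trail entry for one record, oldest first."""
        return [e for e in self.trail if e["record_id"] == record_id]

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev_hash = self.GENESIS
        for expected_seq, entry in enumerate(self.trail, start=1):
            if entry["seq"] != expected_seq:
                return False
            content = {k: v for k, v in entry.items() if k != "hash"}
            if self._digest(content, prev_hash) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def demo():
    """Constructed sample: a lab result corrected once, then the trail tampered with."""
    store = AuditedRecordStore(clock=lambda: "2003-11-19T14:52:00+00:00")
    store.create("SAMPLE-001", {"analyte": "glucose", "result": "5.1"},
                 operator="jdoe", reason="initial entry")
    store.modify("SAMPLE-001", "result", "5.7", operator="jdoe",
                 reason="transcription error corrected against instrument printout")
    intact_before = store.verify()
    # someone rewrites the recorded old value directly in the trail
    store.trail[2]["old_value"] = "5.7"
    return intact_before, store.verify(), store.records["SAMPLE-001"]["result"], len(store.trail)


if __name__ == "__main__":
    print(demo())
```

The check a reviewer would want is that verify() is run by something other than the application that writes the trail, and that the trail itself is written to storage the operators cannot edit; otherwise the chain only proves that whoever tampered with it did not bother to recompute the hashes.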
The bottom line is this: people using data from computerized systems must have
confidence in the integrity of their data, and data entered into electronic systems
must be as reliable, if not more so, than data captured in paper form.
Security and accountability are big factors in data integrity, and this book
discusses security measures and how to manage passwords. Finally, since the audit
function has long been a part of FDA regulations but can be new to many facilities
that are subject to the newer HIPAA regulations, the book presents a summary of
an effective audit function. It also offers guidance in training people in the electronic
systems and preparing supporting documentation.
Note that the body of HIPAA regulation that has grown since the statute was enacted in 1996 is extensive.
These regulations are related to healthcare, labor and benefits, and reside in the CFR,
Titles 26, 29, 42 and 45. This book addresses only those regulations recently passed
into final rule related to electronic record keeping. A primary purpose of 45 CFR
Parts 160, 162 and 164 is to reduce paperwork, and the projection is that the new
regulations will do so by 25 percent. Accomplishing this should significantly reduce
costs.
UPPER MANAGEMENT COMMITMENT
Once a company determines to employ electronic record keeping, it is important
that upper management understand what is involved in going electronic. Manage-
ment may not fully understand what installing electronic record keeping systems
entails and therefore may not allocate the appropriate resources for all the activities
that must occur to make and keep a company compliant. Thus, those folks who
actually plan to purchase, install, validate and document an electronic record keeping
system and conduct user training for it must be adept at conveying what's involved,
so that the system can receive proper support both in terms of capital and time
allotment, and ultimately do the job for which it is intended. To be overly frugal
with resources at this stage will surely prove costly going forward.
Further, electronic record keeping requires top-down support because electronic
record keeping systems are tools that serve to drive the operation forward. To avoid
going down the electronic path is akin to setting limits on the operation. Without
electronic record keeping, a company can fall far behind its competitors and lose
the cutting edge. Embracing it now will keep the operation poised to grow effectively.
And ultimately, electronic record keeping will translate into better records, fewer
problems and cost-effective operation, provided it's put in place correctly.
Authors
David Nettleton is a 21 CFR Part 11, HIPAA, and Computer System Validation
consultant involved with the development, purchase, installation, operation and
maintenance of computerized systems used in regulated applications. Services
include gap analysis, remediation plans, SOP development, vendor audits, training,
and project management. He has completed more than 120 computer system vali-
dation projects for mission critical applications involving blood bank, clinical trial,
corrective action, document control, electronic data capture, Excel spreadsheets
developed for regulated applications, Internet billing, laboratory instruments, labo-
ratory information management, manufacturing, enterprise resource planning, med-
ical device software, MRI software, nuclear power plant maintenance, pharmaceu-
tical, retail software including Visio and MS Windows operating systems, server
room moves and toxicology systems. He is on the faculties of several professional
training organizations. He is also the co-author of Commercial Off-the-Shelf (COTS)
Software Validation for 21 CFR Part 11 Compliance (Davis Horwood International
[DHI] and the Parenteral Drug Association [PDA]).
916-928-1470 phone
916-928-1470 fax
dnettleton@computersystemvalidation.com
www.computersystemvalidation.com
Janet Gough, an English language expert and consultant to the pharmaceutical,
biotech and device industries, assists companies in developing compliant systems
and preparing documentation, including research and development reports, proce-
dures, clinical documents and regulatory filings. She also trains staff in systems and
procedures and in English as a second language and technical writing. She has been
a director of technical communications for a biotech company, has taught English
in university graduate and undergraduate programs and is currently on the faculties
of several professional training organizations. She is the author of Write It Down:
Guidance for Preparing Documentation that Meets Regulatory Requirements (CRC
Press) and Hosting A Compliance Inspection (Davis Horwood International [DHI]
and the Parenteral Drug Association [PDA]); and the co-author of The Internal
Quality Audit, The External Quality Audit and Commercial Off-the-Shelf (COTS)
Software Validation for 21 CFR Part 11 Compliance (Davis Horwood International
and PDA).
973-252-3731 phone
973-252-6910 fax
[email protected]
Table of Contents
Chapter 1 Electronic Record Keeping: The Big Picture..................................... 1
Regulatory Evolution................................................................................................ 2
The Electronic Revolution.............................................................................. 4
Compliance Requirements.............................................................................. 7
General Basis for Electronic Records................................................ 8
Security.............................................................................................. 9
Data Transfer..................................................................................... 14
Operation Checks.............................................................................. 15
Archiving........................................................................................... 15
Audit Trails....................................................................................... 16
Computer System Validation, Training and Documentation................................. 17
Chapter 2 The Regulations: Not Just What They Say,
But What They Mean........................................................................ 19
45 CFR Parts 160, 162 and 164 and Industry Standards...................................... 31
160.103 Definitions....................................................................................... 31
164.304 Definitions....................................................................................... 32
164.306 Security Standards: General Rules................................................. 33
164.308 Administrative Safeguards.............................................................. 34
164.310 Physical Safeguards........................................................................ 37
164.312 Technical Safeguards...................................................................... 38
164.314 Organizational Requirements.......................................................... 39
164.316 Policies, Procedures and Documentation Requirements................ 41
Chapter 3 Going Electronic: What You Need to Know and Do....................... 43
Software Development and Use: From Then till Now.......................................... 43
The COTS Software Development Life Cycle............................................. 45
Purchasing COTS Software.............................................................. 46
Choosing a Vendor............................................................................ 47
Escrow Accounts........................................................................................... 50
Developer and User Validation......................................................... 51
Developer Validation......................................................................... 53
User Validation.............................................................................................. 56
Ten Steps to Computer System User Validation.......................................... 58
User and Developer Combined Validation................................................... 59
Operating Environments................................................................... 60
Computer System Validation............................................................ 61
Validation Models for System Components..................................... 62
Retrospective Validation................................................................................ 64
Chapter 4 Documentation and Training............................................................ 65
The Validation Packet............................................................................................. 66
Validation Documents............................................................................................. 68
User Requirements........................................................................................ 68
Project Plan....................................................................................... 68
Installation Protocol.......................................................................... 69
Installation Report............................................................................. 69
Functional Specifications.................................................. 69
Hazard Analysis................................................................................ 70
User Testing Protocol........................................................................ 70
User Testing Report.......................................................................... 70
System Release Report..................................................................... 71
System Review Report...................................................................... 71
System Support Documents.......................................................................... 71
Standard Operating Procedures.................................................................... 72
Document Management.................................................................... 73
Training............................................................................................ 73
Facilities Security.............................................................................. 73
Network Security.............................................................................. 74
Workplace Security Awareness Program.......................................... 74
Computer System Back-up............................................................... 74
Data Archiving.................................................................................. 74
Computer System Maintenance Event Recording............................ 74
Computer System Disaster Recovery............................................... 75
Information System Monitoring and Review................................... 75
Security Incident Procedure.............................................................. 75
Electronic Signatures........................................................................ 75
Electronic Record Retention............................................................. 76
Control of Electronic Mail................................................................ 76
Computer Software Procurement...................................................... 76
Software Vendor Auditing................................................................. 77
Computer System Change Control................................................... 77
Computer System Validation............................................................ 77
Computer System Retirement........................................................... 77
Signature Log/Look-Up Table SOP.................................................. 78
Human Resources......................................................................................... 78
Additional Records....................................................................................... 78
Electronic Signature Notification...................................................... 78
Minimum Required Signatures List................................................. 79
System User Training.................................................................................... 79
21 CFR Part 211 – Current Good Manufacturing Practice for
Finished Pharmaceuticals.................................................................. 79
Subpart B – Organization and Personnel........................................ 79
21 CFR Part 606 – Current Good Manufacturing Practice for
Blood and Blood Components.......................................................... 80
Subpart B – Organization and Personnel........................................ 80
21 CFR Part 820 – Quality System Regulations........................................ 80
Subpart B – Quality System Requirements.................................... 80
Subpart G – Production and Process Controls............................... 80
ICH Q7A Good Manufacturing Practice Guide for Active
Pharmaceutical Ingredients................................................ 81
Chapter 5 Security, Accountability and Change Management......................... 83
Managing the System............................................................................................. 84
Security................................................................................................................... 84
The People Factor......................................................................................... 84
Fraud........................................................................................................... 85
Vandalism...................................................................................................... 85
Terrorism....................................................................................................... 85
Theft........................................................................................................... 86
Security Defenses.......................................................................................... 86
Commitment to Security............................................................................... 87
The Security Mindset........................................................................ 87
Ongoing Communication....................................................................................... 89
Managing Passwords: A Keychain......................................................................... 90
Biometric Keychains..................................................................................... 90
Change Management..................................................................................... 93
Maintaining a Robust System....................................................................... 94
Remaining Compliant................................................................................... 95
Chapter 6 Auditing Electronic Record Keeping Systems................................. 97
Establishing an Audit Function.................................................................... 99
The Scope of the Audit............................................................................... 100
Preparing to Audit....................................................................................... 101
The Binding Regulations............................................................................ 101
Document Review....................................................................................... 102
Scheduling the Audit................................................................................... 102
Audit Measurements................................................................................... 103
The Audit Plan............................................................................................ 104
Checklists and Notebooks........................................................................... 104
Conducting the Actual Audit...................................................................... 105
Interviewing Users...................................................................................... 105
Observing System Operation...................................................................... 107
Training.......................................................................................... 107
Building Security............................................................................ 107
Computer Security.......................................................................... 107
Backup.......................................................................................... 108
Archiving Data................................................................................ 108
System Maintenance Event Recording........................................... 108
Change Control............................................................................... 108
Disaster Recovery........................................................................... 108
Electronic Signature Policy............................................................ 108
Electronic Record Retention........................................................... 108
Computer System Validation.......................................................... 108
Nonconformances............................................................................ 109
Information Exchange................................................................................. 109
Evaluating and Reporting Results.............................................................. 109
Reporting Audit Results.............................................................................. 110
Future Audits............................................................................................... 110
Keeping the Audit Function Vital............................................................... 110
Auditing and the Regulatory Inspection..................................................... 111
The Mock Inspection.................................................................................. 111
Chapter 7 Moving Forward.............................................................................. 113
Computer System Validation Committee............................................................. 113
Changing Company Cultures...................................................................... 114
Gap Analysis............................................................................................... 115
Computer System Inventory....................................................................... 116
Software Inventory Elements.......................................................... 117
Revalidation................................................................................................. 117
Remaining Vigilant..................................................................................... 118
Chapter 8 Frequently Asked Questions........................................................... 121
Binding Regulations.................................................................................... 121
Software Vendors........................................................................................ 123
Computer System Validation...................................................................... 126
Electronic Records...................................................................................... 128
Electronic Signatures and Accountability................................................... 130
Security........................................................................................................ 132
Systems........................................................................................................ 134
Audit Trails................................................................................................. 136
Staying Informed......................................................................................... 137
Appendix I ...........................................................................................................139
Appendix II .........................................................................................................235
Appendix III ........................................................................................................247
References ............................................................................................................357
Description: Covering the recently passed HIPAA regulations at 45 CFR Parts 160, 162 and 164 and the parallel 21 CFR Part 11, this book provides guidance for purchasing, installing, validating, and managing commercial off-the-shelf software for data collection and retention. Addressing the interface between these r