By Ken VanLuvanee
Recently in our conversations with sponsors, we’ve seen a significant uptick in clients using electronic means beyond just storage on hard drives to manage their documents. That’s a wonderful thing to see and we’re thrilled. In this age of purely electronic assets and required electronic only communication with global health authorities, to see an increasing number of life sciences sponsor organizations recognizing the need to manage their electronic documents and treat them like to assets they truly are is a significant development within the life sciences industry.
We do, however, see a significant amount of confusion about what the various types of electronic systems available are and what they’re best suited to do, as well as what requirements (both practical and legal) each of those types of systems meet.
Let’s first define what we’re talking about. As we see it, there are three major types of systems available for housing your electronic content:
Document Sharing Systems – These are systems with varying levels of security with the primary focus of allowing broad sharing of electronic documents among a group of people. They tend to have fairly light security associated with them, little access tracking or audit trailing, little/no version control capabilities, and little/no pre-arranged organization for your documents. Often, these are “free” systems that are supported by on-line advertising, banner ads, etc. They rarely meet any legal burden for document control and that’s fine, because their primary focus is on simple document sharing among a (usually) broad group.
eRoom Systems – These are systems with slightly higher levels of security that are primarily intended for fast and flexible sharing within a pre-defined, closed group. They tend to be fast and light, as with Document Sharing Systems, but with tighter access controls intended to limit access to a smaller group. Also like Document Sharing Systems, the rarely meet any legal burden for document control, and again this is fine, because their primary focus is still on relatively simple document sharing, just this time among a smaller group.
Electronic Document Management Systems – These are systems with varying levels of complexity ranging from simple systems meant to enable document sharing and collaboration among a small number of people to very complex systems meant to drive efficiencies across very large enterprises. They all have some things in common, though. A key difference between Electronic Document Management Systems and both Document Sharing Systems and eRoom Systems is that all Electronic Document Management Systems in the life sciences industry are intended to deliver compliance with various regulations around management of controlled documents. They are intended to meet a legal burden.
The Legal Burden
In the life sciences industry, those documents with management requirements and the regulations supporting their management are very clearly defined. If we limit to merely documents under FDA authority, then that list includes the Health Insurance Portability and Accountability Act (HIPAA), GCP, GMP, and GLP regulations (identified in various places in 21 CFR and referred to as “Predicate Rules”) and FDA’s specific overarching regulation on management of Electronic Records and Electronic Signatures (21 CFR Part 11). Any document that goes to or might go to FDA is subject to 21 CFR Part 11 and any applicable Predicate Rules for management. Compliant Electronic Document Management Systems for use in life sciences will meet or exceed these legal burdens.
…and even though we’re focusing this discussion on purely FDA requirements, no discussion of electronic management of any type of data is complete without a mention of the EU’s General Data Protection Regulation (GDPR). Almost every organization in life sciences, regardless of size, will do business in some form with people in Europe and, as such, the GDPR becomes a consideration.
While this is not an exhaustive list by any means, it does give us a place to start. The good news is that not all the regulations listed above apply to all documents or all systems. Let’s break this down into what US regulations apply to what types of documents or systems.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA largely applies to documentation associated with patient point of care and is primarily concerned with ensuring patient privacy with respect to health information documentation. The system your doctor uses to document your most recent visit or to write you a prescription? Yup, HIPAA compliance is a key factor there. When patient care is the only activity being considered, HIPAA is the primary regulation for managing the patient’s documentation.
When clinical trials become part of the conversation, HIPAA is also applicable. For example various clinical research systems need to ensure patient privacy when a patient is screened for or treated as part of a clinical trial. With clinical trials, though, HIPAA is only part of the picture. Once FDA approved research is a consideration, the other forms of regulation also apply.
GLP, GMP, GCP (collectively GxP) Regulations – Predicate Rules
The Code of Federal Regulations (CFR) Title 21 defines US law with respect to foods and drugs and is the controlling regulation for the FDA. All aspects of manufacturing, researching, and marketing of approved medicinal therapies in the US are detailed in 21 CFR. Within 21 CFR are various regulations in support of proper and legal management of documentation supporting good manufacturing practices (GMP), good laboratory practices (GLP), and good clinical practices (GCP) and these regulations can go back decades, extending prior to the widespread use of computerized systems to manage these areas, so the regulations were written with paper documentation in mind. These regulations are still applicable and in force.
When FDA issued its new regulation on the use of electronic records and electronic signatures, 21 CFR Part 11 (more on this below), they did something very smart and very helpful. FDA recognized that this change would not be instantaneous by sponsor companies and they also recognized that the existing regulations made good sense and indicated that 21 CFR Part 11 did not replace them, but worked with them, terming them “Predicate Rules.” Essentially, FDA’s direction to industry when it came to use of electronic records, was “If you did it in paper, you still do it, but if you’re using electronic documents and/or electronic signatures, you have to do these things for us to receive them with credibility.”
“These things” are the things defined in 21 CFR Part 11.
For a more detailed discussion of 21 CFR Part 11 and its requirements, see our white paper here.
Electronic Document Sharing and eRoom Systems are largely about simply sharing documents. These systems seek to meet no compliance burdens or meet any legal requirements.
Electronic Document Management Systems in life sciences are about sharing documents and enabling collaboration, but do so with an express focus on meeting specific legal and compliance burdens associated with the various regulations and guidances mandated by global health authorities (example, the US FDA) to establish confidence in the documentation presented as evidence of scientific activity that has occurred.
Watch this space for our next topic in this series: HIPAA, Part 11, and the Predicate Rules: What Applies to Me?