When Title 21 of the Code of Federal Regulation Part 11 went into effect in 1997, a good many software providers were left wondering what business the Food and Drug Administration had in regulating their sector. But then again, it was a product of the FDA’s Department of Health and Human Services. The scope of CFR Part 11 covered public health, life sciences, medicine, pharmacology, medical devices, and other fields where professionals were beginning to do a large amount of their work online.
The Feds realized that the whole brave new world wide web of the ‘90s and the libertarian dreams of folks like John Perry Barlow were’t going to work too well with fields in which human lives were at stake. With Title 21 CFR Part 11, they did three things:
- Ensure the security of online data. Say Ms. Jones is getting treated for diabetes. The FDA wanted to made sure that hackers couldn’t easily breach the system and mess with her file. The same goes for unethical doctors. It also wanted to make sure that, if a negligent medical professional went in and made a mistake, system administrators could easily go back and identify it.
- Confirm with certainty the identity of each individual using a system. They need a verified electronic signature. This closely follows thing #1. A non-medical professional shouldn’t be able to impersonate the real deal. The system should be as secure as, say, the keycard system used to grant certain doctors access to a hospital wing.
- Closely following thing #1 and #2, the regulation requires implementing a verifiable system of electronic records that can be easily audited.
In CFR Part 11, What Is a ‘System?’
You might be reading this and think, ‘System? The planets form a system. Our bodies contain circulatory systems. This is too vague.’ We use that word because the FDA uses it throughout Title 21 CFR Part 11 as their primary subject. In fact, in their opening section where they define the scope of the measure, they say pretty much ‘any use of electronic data, record keeping, or signatures in health and human services’ instead of identifying specific areas where the law applies. In their glossary of terms, they get a little more granular and distinguish between ‘open systems’ and ‘closed systems.’
“Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.”
“Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.”
So whether it’s a learning management system, a hospital database, a medical device manufacturer, a biotech company, videoconferencing used for medicine, a doctors-only dating app, or anything else that requires the online verification and security of medical work, your ‘system’ needs to comply with Title 21 CFR Part 11.
Companies Have struggled to Comply for Over 20 Years
When this code came out in ’97, just about any and every company that fell beneath its broad scope was not happy. Complying with Part 11 would be expensive, there was broad confusion over whether and what parts of it applied to which companies, and implementing the changes ultimately wouldn’t add much marketable value to any system.
After some lobbying and public complaining, the FDA released a document to serve as a guidance for observing Part 11. This helped for some, but others complained the administration was waffling and, in some cases, contradicting its previous positions.
Despite these concerns and the outsized burden placed on a wide swath of companies in the medical industry, Title 21 CFR Part 11 lives on. It has been updated through the years (and the FDA has continued to release further guidance documents). eLeaP has a write-up on how life sciences companies can comply with CFR Part 11.
The current rules on the books were implemented as of April, 2017. It appears that the latest update made some confusing requirements in regard to electronic signatures. Just a few months after it was released, yet another guidance document emerged titled “Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11—Questions and Answers.”
What happens if you don’t follow CFR Part 11?
If you don’t comply with these regulations, the FDA will eventually find out. Inspectors regularly come around to check up on companies and, if they find measures lacking in terms of electronic records and verification for your system, they will issue a Form 483. This is essentially a warning, saying you need to correct certain areas. For the past several years, the FDA has issued around 5,000 483s annually (it seems to be somewhat of a quota). Keep in mind, these are general forms, and the majority of violations documented have nothing to do with CFR Part 11.
This could mean one of two things. Either the industry has learned to deal with one of the broader and more complicated federal regulations—or inspectors tend to give companies leeway when it comes to following them.
In either case, keeping your data secure and verifying your system is important. While the regulations weren’t written with the greatest tact, they still constitute an important law for the industry.