The Situation: Technological advances and the growing use of electronic records and tools potentially raise privacy and security concerns in connection with certain FDA-related activities.
The Action: FDA has released a draft guidance to ensure that entities regulated by the Agency follow certain procedures and processes that must be in place to safeguard the electronic records used in clinical research activities and electronic submissions.
Looking Ahead: Stakeholders have until August 21, 2017, to direct comments on the draft guidance to FDA.
In March 1997, the Food and Drug Administration ("FDA") published a final rule, codified in 21 CFR Part 11 ("Part 11"), establishing the privacy, security, and reliability criteria for electronic records and electronic signatures used for certain FDA-related activities. FDA subsequently issued several draft guidance documents and a policy statement to clarify Part 11 but withdrew these documents in early 2003 amid concerns that certain of FDA's broad interpretations of the 1997 final rule would lead to prohibitively high costs of compliance and unintended hindrance on technological innovations.
Subsequently, in August 2003, FDA further clarified that it was conducting a reexamination of Part 11 and would exercise enforcement discretion during the reexamination period with regard to Part 11 compliance. In June 2017—more than 13 years after FDA began its reexamination—FDA issued draft guidance on the application of Part 11 to electronic records and electronic signatures used by sponsors, investigators, and third parties when engaged in clinical research activities ("2017 Draft Guidance").
FDA explained the necessity of this 2017 Draft Guidance as stemming from advances in technology and the growing use of electronic records and tools such as audit trails, validation processes, and automated date-and-time stamps. The purpose of the guidance is to ensure that entities regulated by FDA understand that certain procedures and processes must be in place to safeguard the authenticity, integrity, and, when appropriate, the confidentiality of electronic records used in clinical research activities and electronic submissions.
One important area touched upon by the 2017 Draft Guidance is electronic records validation processes. FDA makes clear that regulated entities should have and document "risk-based" validation plans for electronic systems, which should include consideration of the purpose, intended use, nature, and significance of the electronic systems. Such validation could include: processes such as system testing to demonstrate correct installation and functioning; requiring vendor documentation of validation; or documenting and testing any changes to the electronic systems. The 2017 Draft Guidance states that during FDA inspection, FDA will focus on ensuring that any critical data (e.g., lab values, study endpoint data) are not altered in meaning or value when transferred to another system or data format.
Another area of focus in the 2017 Draft Guidance is the use of mobile technology during clinical investigations. FDA has indicated that while regulated entities may use mobile technology to capture, record, or transmit data directly from study participants, certain safeguards must be in place to ensure user identity authenticity, proper tracking of data to a specific participant, data security and confidentiality during storage and transfer, and proper training of study participants in use of the mobile technology.
Highlights of the other items addressed in the 2017 Draft Guidance include:
- FDA permits interchangeable use of electronic records, durable storage devices, and paper records for archiving purposes, assuming certain controls are in place to ensure their authenticity.
- If regulated entities outsource electronic services to third-party service providers, the regulated entity remains responsible for meeting the Part 11 electronic systems regulatory requirements. As such, regulated entities should ensure certain validation, data integrity, authenticity, and confidentiality safeguards are in place before contracting with the third-party provider.
- Electronic health records used in the provision of clinical/medical care are not currently subject to Part 11 requirements.
- The audio, video, or live-chat telecommunications systems used in the provision of telemedicine services are not subject to Part 11 regulations; however, any systems used to store or forward audio, visual, or chat data or transcripts are subject to the regulations.
- Although electronic systems must track user identity, date and time of signature, and meaning attached to any electronic signature, FDA does not mandate any specific form of electronic signature. Instead, electronic signature methods should be implemented based upon ensuring a reasonable likelihood of preventing fraudulent use.
- FDA does not certify individual electronic systems or electronic signature methods. Instead, each regulated entity is responsible for ensuring its own Part 11 compliance in the use of various electronic systems and signature methods.
Beginning May 5, 2018, sponsors and investigators will be required to submit electronically all new drug applications, abbreviated new drug applications, certain biologics license applications, and all investigational new drug applications through FDA's eCTD system. In guidance issued in April 2017 ("Providing Regulatory Submissions in Electronic Format—Certain Human Pharmaceutical Product Applications and Related Submissions Using the eCTD Specifications"), FDA identified the technical specification documents that regulated entities should use to organize these submissions.
FDA is accepting comments on the 2017 Draft Guidance through August 21, 2017.
Three Key Takeaways
- FDA's previous attempts at establishing privacy, security, and reliability criteria for electronic records and electronic signatures used for certain activities potentially came with prohibitively high compliance costs and a risk of hindering technological innovations.
- FDA's new 2017 Draft Guidance helps ensure that regulated entities understand the particular procedures and processes that must be in place to safeguard the electronic records used in clinical research activities and electronic submissions.
- Electronic records validation processes and the use of mobile technology during clinical investigations are areas of particular focus in the 2017 Draft Guidance.