FDA is again shining a spotlight on data integrity violations, announcing in a new draft Guidance for Industry: Data Integrity and Compliance with CGMP that it was “troubl[ed]” by the growing number of such violations that were “increasingly” being discovered during cGMP inspections. In recent years, the pharma and device industries have become highly sensitized to the potential fallout of violating current Good Manufacturing Practices (cGMPs). Statements from the Food and Drug Administration and the Department of Justice − making clear that cGMP compliance is a top enforcement focus − have been borne out with a range of highly visible enforcement activities, from administrative actions (such as Warning Letters) to civil judicial actions (including seizures, consent decrees, and civil penalties) to a number of criminal prosecutions.
Percolating just under the surface have been actions relating specifically to the subset of cGMP issues concerning “data integrity.” When thinking of good documentation practices in the cGMP environment, there is an oft-repeated compliance adage: “If it’s not documented, it didn’t happen.” This should perhaps be supplemented, relative to data integrity: “If it’s not documented completely, consistently, and accurately, it didn’t happen.”
When we hear the words “data integrity,” we most often think of violations that appear to reflectintentional misconduct and manipulation of data and records. Some in the industry have argued, however, that many violations are unintentional and due in part to expectations that are left unclear from the cGMP regulations and guidance. Indeed, the regulatory concept of current Good Manufacturing Practices recognizes that FDA’s regulations and guidances are intended to be flexible, as the best way to achieve compliance may evolve over time with new technologies and continuing improvement, and may depend on the unique features of a company and its products. As a result, FDA requirements do not enumerate every aspect of a cGMP-compliant manufacturing process.
The Draft Guidance, released on April 14, 2016, could be seen as addressing FDA critics while seeking to provide greater clarity around data integrity expectations. The language of the Draft Guidance is straightforward and direct. Information is mainly set out in a Q-&-A format, including several real-world examples that reflect recordkeeping technologies used today in the modern cGMP environment. In this sense, the Draft Guidance does not draw a new line in the sand so much as provide more precise warnings about the location of the existing lines. Future conduct will no doubt be viewed against the backdrop of this Draft Guidance. In that respect, the release of the Draft Guidance is a salutary reminder of the many enforcement risks that pervade the cGMP environment.
What are the most significant of these risks? What is at stake for regulated companies (and their executives), and what new insight does the Draft Guidance lend about agency expectations? Continue reading to find out.
FDA’s cGMP enforcement
To briefly restate the basics, the Food, Drug, and Cosmetic Act (FDCA) prohibits adulterated products from interstate commerce; adulteration is a “prohibited act.” A drug or medical device is “adulterated” if the methods used in, or the facilities or controls used for, its manufacture, processing, packing, holding or storage, or (for devices) installation do not conform to cGMP. While this statutory requirement to adhere to cGMP lacks detail, FDA’s implementing regulations offer fairly extensive and detailed expectations for certain products such as finished drugs (21 C.F.R. Parts 210 and 211) and devices (21 C.F.R. Part 820).
Even where detailed regulations are in place, however, there is an inherent degree of interpretation necessary when applying the cGMP regulations, and areas of arguable ambiguity when reading the regulations. Sometimes agency thinking or interpretation is communicated to the industry through emerging trends in 483 Observations and Warning Letters rather than changes to the regulations, or even a guidance document. During both 2014 and 2015, many hundreds of Form 483 Observations were issued relating to alleged cGMP violations. More tellingly, roughly 220 Warning Letters citing violations of cGMP regulations were issued from 2014 through 2015. While the immediate consequences can vary, Warning Letters typically trigger extensive and potentially expensive remedial action to assure the agency that problems have been adequately resolved.
Recent years have also seen a number of high-profile consent decrees and permanent injunctions relating to cGMP violations, including multiple actions against various dietary supplement manufacturers in 2014. During 2015, similar actions were taken against drug compounding and medical device companies, likewise premised on cGMP violations.
While it may be debatable whether a company has complied with cGMPs on a particular point, if FDA determines that a manufacturer failed to comply with the cGMP requirements, then that manufacturer’s products will be deemed “adulterated” unless the company is able to successfully challenge the agency’s finding, or otherwise correct the violations and show that the affected products were not rendered unsafe or ineffective despite the violations.
In an appropriate case, however, FDA can and will bring enforcement actions “even where there is no direct evidence of a defect affecting [a] drug’s performance.” In other words, even “technical” breaches of cGMP standards that did not, in practice, result in a product or patient concern are potentially subject to enforcement actions, up to and including criminal prosecution. As explained below, FDA and DOJ action is typically scaled to the severity of the offense and the risk to patient health, but this is subject to a wide degree of enforcement discretion on the part of the government. Enforcement actions beyond a Warning Letter can include product seizures, withdrawal of product approvals, plant shutdowns, holds placed on pending applications of the company, civil injunction proceedings, civil money penalties, debarment of individuals from future employment by FDA-regulated companies, and criminal prosecution. Violations of the FDCA can also trigger exclusion from participation in federal healthcare programs.
Criminal prosecution under the FDCA
“Adulteration,” including cGMP failures, can also be prosecuted as a criminal offense under the FDCA. Even unintentional relatively minor violations, and violations of which a company was not aware, can potentially be prosecuted as misdemeanors, with both criminal penalties and a prison term of up to one year, because of a strict liability provision of the FDCA. Those who engage in such conduct a second time or who act with the intent to defraud can potentially be exposed to felony liability, leading to heightened criminal fines and imprisonment up to three years.
For individual executives, the risk calculus has changed rather substantially in recent years, with the risk of criminal prosecution increasing. Starting in 2010, a series of FDA and DOJ officials pledged publicly to increase the use of the “responsible corporate official” doctrine to underpin “misdemeanor prosecutions…to hold responsible corporate officials accountable.” This policy shift was putatively based on the Park doctrine, grounded in the eponymous Supreme Court decision in United States v. Park, 421 U.S. 658 (1975); in the context of the FDCA, a corporate officer who stands in a “responsible relation” to misconduct may be held criminally responsible for that misconduct even without any direct role in it. Since 2010, FDA and DOJ have embraced such cases with vigor.
For the first few decades after 1975’s Park decision, almost all such prosecutions involved defendants who were at least aware of the conduct giving rise to the violation, but failed to correct it. These cases, and their relative restraint, reflected the institutional views of FDA and DOJ. In 2011, however, FDA substantially lowered that bar. FDA now states that Park liability may be charged not only “without proof that the corporate official [had] actual knowledge of” the underlying violation, but also without any proof even of the individual defendant’s “negligence.” In other words, it is FDA’s position that it can − as a matter of both legal precedent and agency policy and discretion − seek to hold corporate officers strictly criminally liable for cGMP violations about which they had no personal knowledge.
And this policy shift is not merely academic: in 2012, the DC Circuit seemingly embraced the government's application of the Park doctrine in this context in the case of three pharma executives who had pled guilty to misdemeanor misbranding of OxyContin “solely as responsible corporate officers”; the government ultimately stipulated that the individual executives did not have personal knowledge of the misbranding. The corporate entity paid nearly $600 million to settle the overall case, and the individual executives were sentenced to probation and fines totaling $34.5 million. While they avoided jail time – a decision the sentencing judge termed “a close one,” notwithstanding the lack of knowledge – the DC Circuit subsequently held they could be permissively excluded by the Department of Health and Human Services from participation in federal healthcare programs. Exclusion effectively bans an individual from working in the industry. The DC Circuit also stated flatly that “[m]isdemeanor misbranding does not necessarily require a culpable mental state” because the responsible corporate officer doctrine “entails strict liability,” and an executive “may therefore be guilty of misdemeanor misbranding without knowledge of” the conduct.
Since 2012, there have been a number of other prosecutions of drug and food company executives under the FDCA’s strict liability provision with no allegations of knowledge or notice, resulting in criminal convictions, fines, debarments, and, in a few instances, jail time. For example, in April 2015 two officials from Quality Egg, LLC, were each sentenced to three months in prison (and a $100,000 fine) as a result of a salmonella epidemic attributed to tainted eggs, notwithstanding the fact that the government stipulated in its plea agreements that the executives lacked personal knowledge that the eggs were contaminated.
In addition to this somewhat more aggressive application of the venerable Park doctrine by FDA and DOJ to hold corporate officers liable for misconduct within their own corporations, FDA has recently begun citing Park in Warning Letters focused on misconduct by the corporations' contractors. FDA has for a number of years expressed the sentiment, in a variety of settings, that a company cannot “outsource” or contract away its ultimate responsibly for compliant products. Now it is reciting this mantra in the same breath as it references Park. This development gives corporate officers additional motivation to ensure that their company has rigorous vendor qualification and oversight processes.
The spate of Park doctrine prosecutions is likely to increase. The public is calling for individual corporate executives to be punished for their companies’ wrongdoing. Moreover, the September 2015 memorandum from Deputy Attorney General Sally Yates (the so-called Yates Memo) outlined changes to DOJ policy that will increase the agency’s focus on charging individuals. In this atmosphere, it could be tempting for DOJ to charge high-ranking food, drug, and medical device executives using FDA’s responsible corporate officer approach.
The False Claims Act
Failure to comply with cGMPs also can, in the government’s view, give rise to a violation of the False Claims Act. In recent years, pharmaceutical companies have paid hundreds of millions of dollars to resolve FCA matters regarding alleged manufacturing deficiencies. Although the Fourth Circuit has held that a cGMP violation cannot support an FCA action unless the federal payment is expressly conditioned on compliance with these regulations, the government’s position is that where cGMP violations are “significant, substantial, and give rise to actual discrepancies” in the quality of the drug or device, those violations may indeed result in FCA liability.
A growing focus on data integrity as part of cGMPs: Draft Guidance specifics
The data integrity component of cGMP has come to the fore in part because of recent high-profile data integrity violations uncovered by FDA, including a number of egregious and intentional instances of falsified tests and other data, clustered largely but not entirely in India and China. As many as 15 India-based companies face what is effectively a ban on importing their products to the US (“import alerts” that result in any attempted imports being detained, and subject to “refusal of admission”) because of various problems with their data, as do numerous Chinese companies. FDA has issued at least 13 Warning Letters that it characterized explicitly as involving “data integrity” issues (which is no doubt under-inclusive) in 2015-16.
Common data integrity problems flagged by FDA in Warning Letters and otherwise include:
- failure to provide adequate controls to prevent manipulation and omission of data
- failure to enable (or affirmatively disabling) computerized audit trail functions on high performance liquid chromatography and other systems
- multiple analysts sharing a single username and password
- the use of “unofficial” or “rough” notebooks or other paper records for documenting cGMP relevant data
- instances of deletion of data or the mere ability to do so
- “instances on non-contemporaneous documentation” of cGMP activities (i.e., backdating)
- failure to maintain adequate written records of major equipment maintenance.
The Draft Guidance states expressly that “"[i]n recent years, FDA has increasingly observed cGMP violations involving data integrity during cGMP inspections,” a “troubling” trend that has “led to numerous regulatory actions, including warning letters, import alerts, and consent decrees.” European and other regulators have noted the same. The Draft Guidance is an attempt to reverse this trend by highlighting the importance of data integrity to cGMP and emphasizing the degree to which FDA will continue to focus on these issues.
The Draft Guidance also underscores that the concern is not just falsification of data but the necessity to protect crucial data from even carelessness, inattention, or inadequate safeguards, a point FDA has also made explicitly in certain Warning Letters. The goal, as FDA has stated before, is to ensure that data is attributable, legible, contemporaneously recorded, original, and accurate (“ALCOA”). The Draft Guidance stresses the importance of capturing and maintaining “all associated metadata required to reconstruct the cGMP activity,” the role of audit trails in helping a company demonstrate that its “cGMP-compliant record-keeping practices prevent data from being lost or obscured,” and the necessity of “appropriate controls to assure that only authorized personnel [can] make changes” to cGMP records and that such actions “are attributable to a specific individual.” The agency makes clear that any “blank forms” used (such as worksheets and laboratory notebooks) should be treated as controlled documents, and that companies should have procedures to detect “unofficial” notebooks being kept, as well as any gaps in notebook pages. The Draft Guidance gives specific direction on how and when cGMP data is to be recorded and stored, to reduce the opportunity for manipulation. For example, “chromatograms should be sent to long-term storage (archiving or a permanent record) upon run completion instead of at the end of a day’s run”; more generally, data “that are automatically saved [initially] into temporary memory do not meet cGMP documentation or retention requirements.”
Unambiguously putting companies on notice − takeaways
The Draft Guidance is a timely reminder that data integrity in the cGMP context is a top-line concern of FDA. The Draft Guidance unambiguously puts drug and medical device companies, and their executives, on notice. Record keeping may not be glamorous, but the Draft Guidance shouts loud and clear that “ensuring data integrity is an important component of industry’s responsibility to ensure the safety, efficacy, and quality of drugs” and medical devices. Even the largest and most sophisticated companies may have potential issues lurking, and it behooves all companies to discover them before the next time FDA is at the door.