Part 11 Compliance Shifts to Part of Broader Effort, Experts Say

The FDA’s lack of 21 CFR Part 11 enforcement should not leave the false impression that erecord integrity doesn’t matter so much anymore, experts recently stressed to PIR.

Part 11 compliance efforts have been joined with compliance efforts for other regulations including the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) — which does not mean there is less emphasis on Part 11, suggested Rebecca Herold, an information security, privacy and compliance consultant, and owner of Rebecca Herold & Associates.

In fact, for companies operating outside the United States, Part 11 and Part 11-related requirements such as access controls and edata protection are increasingly important. Enforcement of these issues is arguably tougher in Europe and Japan, among other places, experts told PIR.

For most FDA-regulated life sciences companies, the drivers for compliance have changed, said Neil McClenney, director with SEC Associates and a new member of PIR’s Editorial Advisory Board (see sidebar). Compliance efforts are now part of a broader erecord-keeping effort, he said.

When the FDA first issued Part 11 in 1997, and for several years thereafter, it emphasized the rule as central to its erecord regulation efforts. As a result, companies may have focused too much on Part 11 and less on a broader, holistic approach to erecords, experts have told PIR.

“The lexicon is different now,” McClenney said. He noted that in much of his own consulting work, he does not refer to Part 11 by name much, if at all. Instead, he focuses on what he calls “erecord and esignature” compliance efforts.

That broader approach makes more sense in an international setting, he added. For example, the term “predicate rules” does not mean the same thing to a Japanese regulator as it does to an FDA inspector, and Japan and other nations have their own erecord regulations that may overlap with — but are not called — Part 11, he said.

“The language is becoming more universal, and the focus is more across-the-board” to emphasize issues like erecord and esignature control, and not so much something literally called Part 11, he noted.

The relative lack of Part 11 discussion could also be chalked up to “competition” for time and resources from other regulations such as HIPAA and SOX, Herold suggested.

“I try to encourage organizations to approach compliance with a unified approach,” she said. That means identifying the commonalities required by Part 11, HIPAA, SOX and others and then developing the “components of compliance” based on those broader requirements.

Companies make a mistake if they focus their compliance efforts solely on Part 11 or any single rule, Herold and McClenney agreed.

Zeroing in on just Part 11, for example, often forces a company to adopt a less successful “piecemeal” approach to compliance, Herold said. The more successful compliance programs come out of companies that are more focused on ongoing, flexible efforts, she said.

Who’s Ahead?

While larger companies, especially pharmaceutical firms, generally addressed most Part 11 issues years ago, some of the smaller firms — and in particular newer biotech shops — have not yet done so, McClenney said.

The smart ones, he said, are instead focusing more on solid systems and erecord integrity. He also said more companies in the healthcare arena, not noted for being early adopters or particularly innovative when it comes to IT, are open to learning best practices that have worked in other industries.

In general, companies that have a history of heavy regulation tend to be in better shape when dealing with today’s erecord challenges, Herold said. The companies that are struggling tend to be new companies or companies that have been acquired by a larger parent from outside the healthcare arena. — Michael Causey

PIR Welcomes New Board Member Neil McClenney

Neil McClenney is a director at SEC Associates. He brings more than 15 years of IT experience, with 12 of those working in regulated environments. Over the past three years, he has worked with many of SEC’s Japan-based clients and played a key role in establishing and developing a strategic partnership with both the KnowledgeWare division of Yamatake and Integrity Solutions. Before joining SEC in 1999, he was the lead software analyst for the U.S. Navy’s Operational Test Command.