An MD&DI May 1999 Column
Understanding FDA's Electronic Records and Signatures Regulation
The implementation of FDA's 1997 rule raises legal and regulatory issues for device companies.
Jeffrey N. Gibbs and Kate Duffy Mazan
On March 20, 1997, FDA published a final rule on electronic records and signatures, a document that will have a profound effect on device companies. This rule (21 CFR 11) establishes the criteria under which FDA will deem electronic records and electronic signatures equivalent to paper records and traditional handwritten signatures. If electronic signatures and associated electronic records meet the requirements of the regulation, FDA will consider these electronic signatures equivalent to handwritten signatures, initials, and other general signings, unless specifically exempted on or after August 20, 1997 (21 CFR 11.1(c)).
The new rule applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted to the agency under the requirements set forth in agency regulations. It also applies to electronic records submitted to the agency under the requirements of the Federal Food, Drug, and Cosmetic (FD&C) Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. The regulation does not apply, however, to paper records that are, or have been, transmitted by electronic means, such as faxing (21 CFR 11.1(b)).
In addition to meeting the regulation's criteria, official FDA submissions that consist of electronic records are acceptable only if the type of record being submitted has been identified in a public docket (No. 92S-0251) as one that FDA is ready to accept in electronic form (62 FR:13465). If the type of record has not been identified in the public docket, official submissions must be on paper. For records that are maintained but not necessarily submitted to FDA, electronic records can substitute for paper records as long as they meet the criteria set forth in the rule (62 FR:13435).
Individuals are also expected to consult the appropriate FDA division before proceeding with submission of records in electronic form (21 CFR 11.2(b)(2)). Furthermore, the regulation stipulates that computer systems (including hardware and software), controls, and attendant documentation maintained under the rule are subject to FDA inspection (21 CFR 11.1(e)).
In the preamble to the final rule, FDA explained that there are significant differences between electronic records and signatures and traditional paper systems that necessitated additional controls. Specifically, FDA's concerns focused on the relative ease with which electronic signatures and data sets can be falsified or altered. For example, FDA expressed concern that:
- Database elements can be changed at any time to misrepresent information without evidence that a change was made and in a manner that destroys the original.
- More staff may have access to electronic records than to paper records.
- Electronic signatures can be falsified more readily than traditional handwritten signatures. An electronic signature based on a combination with an identification code can be loaned or lost. Falsification is easier to achieve and cannot be detected (62 FR:13432-13433).
The regulation's controls are designed to ensure the authenticity, integrity, and confidentiality of electronic records and minimize the possibility of easy or inadvertent repudiation of the electronic record by the signer. This article describes the historical development of FDA's electronic record and signature rule, provides a summary of the rule's specific requirements, and discusses the legal and regulatory issues that device companies face when using electronic records to comply with the FD&C Act and accompanying regulations.
DEVELOPMENT OF THE REGULATION
The concept of an FDA policy on electronic records and signatures originated in 1991, when the pharmaceutical industry expressed the desire to use electronic alternatives to handwritten signatures. Industry representatives were interested in maintaining electronic record systems, specifically in the area of current good manufacturing practices (CGMP) regulations. They believed that electronic records offered many potential advantages to companies. This inquiry prompted FDA to create a task force on electronic identification and signatures. The task force was directed to develop an agencywide policy on the acceptability of electronic signatures (62 FR:13430).
In 1992, the task force issued a progress report recommending that FDA publish an advance notice of proposed rulemaking to gather public comment on the issue. That notice of proposed rulemaking was published in July 1992 and focused on electronic signatures. The proposed rule followed on August 31, 1994, and was somewhat broader in scope in that it focused on electronic records in general, not just electronic signatures.
In the preamble to the final rule, published on March 20, 1997 (effective date of August 20, 1997), FDA defended the expansion of the scope of the rule on three grounds. First, the reliability and trustworthiness of electronic signatures depends on the reliability and trustworthiness of the underlying electronic records. Second, FDA concluded that reliability and trustworthiness in electronic records is as important as in paper records, regardless of whether the records are "signed." Third, the agency is concerned about falsification of both signed and unsigned electronic records (62 FR:13438).
The electronic records subpart of the regulation describes the controls required for closed systems and the additional controls required for open systems (see sidebar for definitions of these systems). The controls for closed systems establish the minimum controls for all electronic records.
Closed System Controls. The regulation sets forth the following controls for those maintaining closed systems (21 CFR 11.10(a)-(k)):
- Validate the systems to ensure accuracy, reliability, consistency, intended performance, and the ability to discern invalid or altered records. This includes validation of commercially available software.
- Maintain the ability to generate accurate and complete records in both human-readable (records that are read by a person as opposed to a machine) and electronic form so that FDA may inspect, review, and copy the records.
- Protect records so that they are readily retrievable throughout the required retention period.
- Limit system access to authorized individuals.
- Record changes in a manner that does not obscure previous entries.
- Use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions (audit of write-to-file operations is not required). The audit trail must also be available for FDA review and copying and must be retained for at least the same period as the records. Currently, FDA allows source audit trails to be within the organization that creates the electronic record; however, the agency has suggested that use of third-party systems (public electronic notary services) may be required.
- Use operational system checks to enforce sequencing steps.
- Use authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system, alter a record, or perform the operation at hand.
- Use device checks to determine the validity of data input or operational instructions.
- Ensure that authorized users have the appropriate education, training, and experience.
- Establish and follow written policies that deter record and signature falsification.
- Establish adequate controls over access to all system documentation as well as over the distribution and use of such documentation. Most importantly, establish controls over highly sensitive documentation, such as instructions on how to modify system security features.
- Establish adequate controls over revisions and changes, and maintain audit trails of modifications to system documents.
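Several of the closed-system controls above (changes that do not obscure previous entries, computer-generated time-stamped audit trails, and the ability to discern altered records) can be seen working together in the following added example, which is not part of the original article or of the regulation. The hash chain is one possible mechanism chosen for illustration; the rule does not prescribe it, and the class, field, and record names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed starting value for the hash chain


def entry_digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of an audit entry (without its hash)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditedStore:
    """Append-only store: a change adds a new version and a chained audit entry."""

    def __init__(self, clock=None):
        # The time stamp comes from the system clock, never from the operator.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.versions = {}  # record_id -> every value ever written, oldest first
        self.trail = []     # audit entries, oldest first

    def write(self, operator: str, record_id: str, value: str) -> dict:
        history = self.versions.setdefault(record_id, [])
        entry = {
            "seq": len(self.trail),
            "time": self._clock().isoformat(),
            "operator": operator,
            "action": "modify" if history else "create",
            "record_id": record_id,
            "old": history[-1] if history else None,  # previous entry stays visible
            "new": value,
            "prev": self.trail[-1]["hash"] if self.trail else GENESIS,
        }
        entry["hash"] = entry_digest(entry)
        history.append(value)
        self.trail.append(entry)
        return entry

    def verify(self) -> list:
        """Return the positions of audit entries that no longer fit the chain."""
        bad, prev = [], GENESIS
        for pos, entry in enumerate(self.trail):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (body.get("seq") != pos or body.get("prev") != prev
                    or entry_digest(body) != entry.get("hash")):
                bad.append(pos)
            prev = entry.get("hash")
        return bad


def demo():
    # Constructed sample data: two operators, two records, a fixed clock.
    ticks = iter(datetime(1999, 5, 1, 9, m, tzinfo=timezone.utc) for m in range(60))
    store = AuditedStore(clock=lambda: next(ticks))
    store.write("op_a", "LOT-001", "pH 7.1")
    store.write("op_b", "LOT-001", "pH 7.4")
    store.write("op_a", "LOT-002", "pass")
    before = store.verify()
    store.trail[1]["new"] = "pH 7.0"  # simulate an in-place edit of the trail
    return before, store.verify(), store.versions["LOT-001"]


if __name__ == "__main__":
    print(demo())
```

A chain like this detects an edit only if its latest hash is also held somewhere the editor cannot rewrite; otherwise the whole trail can be recomputed.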
FDA has also suggested that when a device company permits access to its system by public phone lines, "it would be prudent to implement additional security measures," such as input device checks, caller identification checks, call backs, and security cards (62 FR:13441).
Open System Controls. Open systems that are used to create, modify, maintain, or transmit electronic records must employ all of the controls required for closed systems. In addition, the regulation suggests that document encryption and the use of digital signatures be considered, as necessary (21 CFR 11.30).
In the preamble to the final rule, FDA emphasized that the use of digital signatures is not required; however, when they are used, the appropriate digital signature standard should be applied. Because the development of digital signature standards is complex, FDA does not expect firms to develop their own standards. The agency noted the existence of some standards, but indicated that it does not seek to certify or approve such programs. FDA also indicated that it will work with companies to develop appropriate procedures for providing keys used in encryption and digital signatures (62 FR:13452).
Signature Manifestations and Record Linking. Electronic records that are signed must adhere to all of the controls listed for electronic records. In addition, the signed electronic records must include the name of the signer, the date and time of the signature (the signer's local time), and the meaning of the signature (e.g., review, approval, authorship) (21 CFR 11.50(a)). This information must be included in any human-readable copy of the record (21 CFR 11.50(b)). Electronic signatures and handwritten signatures executed to electronic records must be linked to their respective electronic records to ensure that they cannot be falsified (21 CFR 11.70).
The electronic signatures subpart of the rule is further divided into three parts: general requirements, electronic signature components and controls, and controls for the identification codes and passwords.
General Requirements. Each electronic signature must be unique to the individual and should not be reused or reassigned. The preamble to the final rule states that an identification code may be reassigned as long as the combined identification code and password remained unique; however, FDA advised against such reassignment (62 FR:13455). Organizations must verify an individual's identity prior to assigning or sanctioning that individual's electronic signature.
Persons using electronic signatures must certify to FDA that the electronic signature is a legally binding equivalent to their traditional, handwritten signature. The certification must be submitted to FDA in writing. A separate certification is not needed for each electronic signature; however, if FDA requests certification of a particular electronic signature, it must be submitted. A single certification may be stated in broad terms that cover the electronic signatures of all current and future employees. As is the case with all FDA certifications, the signer should take adequate steps to ensure the accuracy of the certification. A person who submits a certification known to be false may be subject to prosecution.
Electronic Signature Components and Controls. The following electronic signature components and controls are set forth in the regulation (21 CFR 11.200(a),(b)):
- If electronic signatures are not based on biometric identification, they must consist of two distinct components (e.g., an identification code and a password).
- In one continuous session, the first signing must use all components, but subsequent signings may use just one component.
- In noncontinuous sessions, each signing must use all components of the electronic signature.
- If electronic signatures are not based on biometric identification, they must be used by their genuine owner only. Electronic signatures that are based on biometrics must be designed so that they can be used by one individual owner only.
- The method of assigning electronic signatures must be such that any attempted use would require the collaboration of two or more individuals.
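The component rules above and the signature manifestation and record-linking requirements described earlier (signer's name, date and time, meaning, and a link to the record) are combined in the following added example, which is not part of the original article or of the regulation. It assumes the password is the single component kept for later signings in a continuous session and uses a keyed hash over the record digest as the link; both choices, and all names, are hypothetical.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime


class SignatureError(Exception):
    """Raised when a signing attempt does not meet the component rules."""


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SigningService:
    def __init__(self, link_key: bytes, clock=None):
        self._key = link_key
        self._clock = clock or (lambda: datetime.now().astimezone())  # local time
        self._users = {}  # identification code -> (printed name, salt, password hash)

    def enroll(self, id_code: str, name: str, password: str) -> None:
        if id_code in self._users:  # codes are unique and never reassigned here
            raise SignatureError("identification code already assigned")
        salt = os.urandom(16)
        self._users[id_code] = (name, salt, derive(password, salt))

    def check(self, id_code, password: str) -> str:
        name, salt, stored = self._users.get(id_code, ("", b"\0" * 16, b""))
        if not hmac.compare_digest(derive(password, salt), stored):
            raise SignatureError("identification code or password rejected")
        return name

    def _tag(self, manifest: dict) -> str:
        msg = json.dumps(manifest, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def manifest(self, record: bytes, name: str, meaning: str) -> dict:
        m = {"signer": name, "time": self._clock().isoformat(), "meaning": meaning,
             "record_sha256": hashlib.sha256(record).hexdigest()}
        return dict(m, link=self._tag(m))

    def verify(self, record: bytes, signature: dict) -> bool:
        m = {k: v for k, v in signature.items() if k != "link"}
        return (m.get("record_sha256") == hashlib.sha256(record).hexdigest()
                and hmac.compare_digest(self._tag(m), signature.get("link", "")))


class Session:
    """One continuous period of controlled access by a single signer."""

    def __init__(self, service: SigningService):
        self._svc = service
        self._signer = None  # set only after a signing that used both components

    def sign(self, record: bytes, meaning: str, password: str, id_code=None) -> dict:
        if self._signer is None:
            if not id_code:
                raise SignatureError("first signing in a session needs both components")
            name = self._svc.check(id_code, password)
            self._signer = id_code
        else:
            if id_code not in (None, self._signer):
                raise SignatureError("session belongs to a different signer")
            name = self._svc.check(self._signer, password)
        return self._svc.manifest(record, name, meaning)

    def end(self) -> None:
        self._signer = None  # the next signing is non-continuous: both components


def demo():
    # Constructed sample user, key, and records.
    svc = SigningService(link_key=b"constructed-demo-key")
    svc.enroll("jdoe01", "Jane Doe", "correct horse")
    s = Session(svc)
    s.sign(b"batch record v1", "review", "correct horse", id_code="jdoe01")
    sig = s.sign(b"batch record v2", "approval", "correct horse")
    return (svc.verify(b"batch record v2", sig),
            svc.verify(b"batch record v1", sig),
            svc.verify(b"batch record v2", dict(sig, meaning="authorship")))


if __name__ == "__main__":
    print(demo())
```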
One of FDA's overriding objectives in the rule is to prevent fraud. The agency's concerns clearly emerge when the subject of collaboration to override a signature is discussed. One commenter suggested that the collaboration requirement be deleted so that a responsible person could override a subordinate's signature on his or her own initiative. Using uncharacteristically colorful language, FDA rejected the comment, saying that "the risks of betrayal and disclosure are greatly increased" (62 FR:13458) with the collaboration of two or more people, presumably since any illegal activities are more likely to come to light if more people know about them.
Identification Codes and Passwords. People who use electronic signatures based on identification codes in combination with passwords must employ controls to ensure the security and integrity of those electronic signatures. These controls shall include the following (21 CFR 11.300(a)-(e)):
- Maintenance of unique combinations of identification codes and passwords so that no two people have the same combination.
- Procedures to ensure that identification codes and passwords are periodically checked, recalled, or revised.
- Management of lost, stolen, or missing tokens, cards, and devices, with replacements subject to rigorous controls.
- Prevention of unauthorized use of passwords and identification codes as well as detection and reporting of attempts at unauthorized use.
- Initial and periodic tests of tokens and cards for proper function and unauthorized alteration.
The substantive part of the electronic record and electronic signature rule must be read in conjunction with the definitions. Some of the principal definitions include the following:
Biometrics: "A method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable" (21 CFR 11.3(b)(3)). Voiceprints, handprints, and retinal scans are examples of biometric means of identifying an individual (see Electronic Identification Working Group, Progress Report, 4, February 24, 1992).
Closed system: "An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system" (21 CFR 11.3(b)(4)). This can include systems that permit dial-in access over public phone lines. FDA has cautioned, however, that where an organization's electronic records are stored on systems operated by third parties, such as commercial on-line services, access is under control of the third party, and FDA regards this system as open (62 FR:13441).
Open system: "An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system" (21 CFR 11.3(b)(9)). The definitional category (open system versus closed) has an impact on the requirements that must be met under the new rule.
Electronic record: "Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system" (21 CFR 11.3(b)(6)). FDA has suggested in public speeches that this definition includes voicemail; however, this interpretation seems to go beyond the regulation.
Digital signature: "An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified" (21 CFR 11.3(b)(5)).
Electronic signature: "A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature" (21 CFR 11.3(b)(7)).
Handwritten signature: "The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument, such as a pen or stylus, is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark" (21 CFR 11.3(b)(8)). This definition does not allow the use of a stamp or other signature device. When one person authorizes another to sign a document on his or her behalf, the second person must sign his or her own name and include some notation that, in doing so, he or she is acting in the capacity of or on behalf of the first person (62 FR:13442).
LEGAL AND REGULATORY ISSUES
FDA's adoption and implementation of the electronic record and signature rule raises many legal and regulatory issues for affected companies. Device companies failing to comply with the regulation could face enforcement actions ranging from warning letters to criminal prosecution if FDA-mandated records are deemed unacceptable because they were developed with noncompliant computer systems.
But perhaps the most significant consequence of the rule is that FDA has effectively redefined the term record with respect to its own records requirements. Prior to adoption of 21 CFR 11, a document was a record if that document was specifically required by an FDA regulation; regulated companies largely determined which documents were kept for compliance with a specific regulation. Under part 11, the mere act of preserving information in virtually any medium controlled by a computer system renders the information a record and thus potentially subject to FDA review. As a result, the amount of information to which FDA can assert a right of access has increased substantially.
FDA defines an electronic record as "any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system" (21 CFR 11.3(b)(6)). The agency has gone to great lengths to defend this definition. In so doing, FDA did not define the term within the context of its own regulations, but rather turned to the American Heritage Dictionary's definition of record: "'an account made in an enduring form, especially in writing, that preserves the knowledge or memory of events or facts' or 'information or data on a particular subject collected and preserved'" (FDA, "Electronic Records; Electronic Signatures, 21 CFR Part 11 Answers to Frequently Asked Questions 2" April 21, 1998). Ultimately, FDA concludes that a record is "in essence, preserved information or data."
FDA has gone so far as to suggest that this may include voicemail systems. Thus, information that at one time was communicated verbally to an individual has now become a record simply by virtue of the fact that it is preserved by a computer system. The expansion of this definition has important implications for companies both in the context of their interactions with FDA and in other areas, such as product liability.
The application of part 11 may play a significant role in determining compliance with FDA records requirements. Despite FDA's repeated assertions that compliance with the rule is voluntary, any company that uses computer systems to generate FDA-mandated records or to support submissions to FDA must ensure that those systems comply with part 11. That is, the decision to keep electronic records is voluntary, but if electronic records are kept, compliance is mandatory.
Failure to comply with Part 11 means that the electronic form of the record is considered unreliable or untrustworthy, and thus, not acceptable to FDA. If the underlying data are considered untrustworthy because the system does not comply with part 11, paper printouts from those systems would also be considered unreliable. As a result, failure of the system generating the record to comply with part 11 renders the record invalid, and the company in violation of the underlying or predicate regulation requiring the record. Likewise, data included in a submission to FDA may be unacceptable to the agency if the system that generated it does not comply with part 11.
FDA Inspections. Part 11 also presents unique challenges for device companies in the context of FDA inspections, such as providing investigators with timely access to records. Although it can be difficult to locate and produce old paper records in a timely fashion, it may be even more difficult to produce older versions of electronic records. In the preamble to part 11, FDA asserted that it might need to inspect hardware and software, which may cause headaches for companies that move to new systems.
While FDA says it does not expect companies to keep obsolete systems simply to permit records inspections, it does expect them to have computer systems that will allow investigators to review electronic records for as long as they are retained. This could be a long time, as is the case with FDA's quality system regulation, which requires device companies to keep complaint records for the "expected life of the device" (21 CFR 820.180 (b)). Given that some devices have long lives, the need to allow agency access to old records may create some challenges for information technology personnel; therefore, companies will need to ensure that those records can be located and accessed with appropriate technology. Failure to turn over required records could have serious consequences, including criminal penalties (21 USC 331(e), 333).
Limiting FDA's access to only those records that are appropriate may also prove challenging. FDA's inspection authority includes the power to inspect records that are kept in an electronic format; however, FDA does not have the right to inspect all company records. Providing access to electronic records will make it more difficult to ensure that only required records are turned over to FDA because companies will no longer be able to narrow the scope of a request based on the volume of paper. As a result, it may prove much easier to inadvertently provide FDA with documents the agency is not entitled to inspect.
It has always been incumbent upon FDA-regulated companies to know the limits of the agency's inspection authority and to ensure that only appropriate records are provided to inspectors. Once records are provided to FDA, the agency can use them for any purpose, whether access to the records was required or not. In supplying paper records to FDA inspectors, company officials have always had the opportunity to review the documents individually before submission. To avoid supplying FDA with inappropriate records, companies could truthfully say that providing large quantities of records was unduly burdensome. With electronic records, companies must think carefully about how the records will be provided to FDA and about who will determine whether they are responsive, yet still appropriately limited in scope. Mock inspections may help companies understand the challenges of providing electronic copies of records in response to specific records requests.
As the reliance on electronic records grows, inspections may become more "virtual" in nature. In the preamble to part 11, FDA mentioned the possibility that, at some point in the future, it may seek remote access to electronic records on an open system. Thus, it is conceivable that device companies will some day be inspected by FDA without the investigator ever leaving the office. This could have a significant impact on FDA inspections of foreign facilities or other remote locations. Electronic inspections would represent a dramatic change from existing investigations in which inspectors lack the unfettered ability to rummage through company files.
Whether FDA is provided with electronic copies of records or has remote access to them, electronic access in any form will give the agency a greater opportunity to manipulate and analyze company records. FDA has emphasized the need to be on the same "technological plane as the industries it regulates" and has clearly stated its intention to use its access to a company's electronic records to conduct its own data analyses (62 FR:13446).
According to the agency, continued use of paper records will hamper audits, resulting in longer inspections and potentially delayed approval of new medical products. Device companies should understand, however, that FDA's ability to conduct its own analyses may also delay approval of new products or result in FDA concluding that there is an adverse product performance trend when the perceived trend is only a statistical artifact. Companies should be prepared to request that FDA provide the audit trail of its analysis to ensure that they can replicate and evaluate FDA's interpretation of the data.
Confidentiality Issues. Providing FDA access to records electronically also raises confidentiality concerns. A company's systems should clearly identify the electronic version of the records as confidential and ensure that any printouts of records from those systems are automatically marked confidential as well. Likewise, computer disks, CD-ROMs, and data tapes must be clearly marked confidential. Making and distributing copies of electronic data without detection will be easier than making and distributing paper records. Although information leaking is rare (and federal employees face criminal charges under 18 USC 1905 for release of confidential information), leaks do occur.
E-Mail Records. FDA's expanded definition of what constitutes a record may also have significant implications in the context of litigation. For example, the Microsoft antitrust litigation has shown the power of e-mail in litigation, as much of the evidence introduced by the two sides in this matter originated in the form of e-mail. This litigation illustrates the potential evidentiary power of electronic records that might be obtained by FDA and plaintiffs' attorneys.
Access to company e-mail may prove particularly damaging for device companies because company staff may not be used to thinking of e-mail messages as records. Also, e-mail often serves as a forum for discussion, in which differences of opinion may be voiced. For example, companies that have encouraged rigorous internal debate as a means of strengthening their decision-making processes may find early statements of concern about a particular device coming back to haunt them when used selectively by FDA or plaintiffs' attorneys. Thus, companies will need to evaluate current practices and establish clear policies about the appropriate use of e-mail.
Appropriate Use of Electronic Signatures. The electronic signature portion of the rule also raises potential legal issues for companies. Device companies wishing to use electronic signatures must certify that the electronic signatures used in their system are intended to be the legally binding equivalent of the signers' handwritten signatures (21 CFR 11.100(c)). FDA's intention is for companies to make a single certification for all current and future employees; therefore, an appropriate department will be responsible for ensuring that all employees understand the consequences of that certification. Specifically, employees will need to appreciate that their electronic signatures on company records could carry a criminal penalty under 18 USC 1001 if the information is later determined to be false. Other criminal charges, such as mail fraud under 18 USC 1341 or wire fraud under 18 USC 1343, could be added if the information is mailed (including deliveries via private carriers) or transmitted by any wire communication in interstate commerce.
As company employees become comfortable with the use of electronic signatures, they may be tempted to use those signatures in instances that may be inappropriate. For example, electronic signatures that may be valid for the purpose of FDA documents may not be valid under prevailing local law as legally binding signatures.
FDA's electronic records and electronic signatures rule offers companies the chance to take advantage of the efficiencies offered by electronic recordkeeping. The rule also presents its own challenges, and taking all the necessary steps to ensure compliance with the requirements will be demanding and expensive. Although FDA has vowed leniency and is giving companies an opportunity to bring themselves into compliance, the agency will some day actively enforce this regulation.
In the meantime, device companies should expect that FDA will want to see documentation of their efforts to comply with part 11. This documentation should include an inventory of all proposed and existing systems. New systems should be designed to comply, and existing systems should be evaluated, with the highest priority given to bringing systems that create mandated records and support submissions to FDA into compliance.
Device companies may need to assess the level of risk they are willing to take when deciding whether or not to bring individual systems into compliance. Once they have made the decision to bring their systems into compliance, however, they should establish plans with clear, but realistic, timelines to help them reach this goal.
Jeffrey N. Gibbs is a partner in the law firm of Hyman, Phelps & McNamara, P.C. (Washington, DC). He was formerly associate chief counsel of enforcement for FDA. Kate Duffy Mazan is an associate of the firm. They were assisted in preparing the article by Anne Marie Murphy.