Thanks for providing a complete reply. I especially appreciate your idea about asking the FDA about cybersecurity threats.
Original Message:
Sent: 21-Mar-2024 09:55
From: Kevin Randall
Subject: When an FDA investigator asks for electronic records
A great deal can be said about what the official escort should do if an FDA investigator (a.k.a., a law enforcement officer) wants access to a regulated firm's electronic records. In a nutshell, the firm (whether the official escort or anyone else at the firm) needs to assure that the firm's response properly attends to three key areas:
a) General observance of what I call "Good Response Practices" (GRP)
b) Regulatory compliance regarding electronic records and signatures
c) Cybersecurity
I give some corresponding overviews below.
Good Response Practices (GRP) is a deep, broad, multifaceted and crucial topic about which much can be said. Indeed, my firm gives our clients a dedicated training for this when we are helping them get ready for an upcoming inspection. For brevity, I won't detail all the details of GRP here. But in summary, the essence of GRP revolves around 1) assuring that FDA's questions and records-requests are within the limits of the FD&C Act and the U.S. Constitution, along with FDA's own internal operating procedures (such as those prohibiting the FDA investigator from personally accessing electronic records except in certain situations), and 2) assuring that the firm's responses are truthful, accurate, succinct, cooperative, aligned with the firm's legal counsel, and protective of the firm's intellectual property. Many specific tactics can be elaborated that must be employed to ensure these goals are met. More sophisticated firms often have a corresponding SOP(s) governing these activities, or else have an outside expert assist them during the FDA inspection.
Regarding regulatory compliance for electronic records and signatures, the firm must be in compliance with FDA's 21 CFR Part 11 (as reinterpreted by FDA's enforcement discretion) for any records requirements set forth in agency regulations and for any electronic records submitted to the agency under requirements of the FD&C Act and PHS Act. Again, much can be said about this, and my firm gives entire trainings. But in summary, Part 11 is aimed at assuring proper integrity (e.g., trustworthiness, reliability, etc.) around electronic records and signatures so as to assure that the trustworthiness and reliability of the electronic record/signature is the same as a paper version. Ultimately, the firm must properly navigate the Part 11 fundamentals when fielding FDA requests for electronic records. And again, much can be said in this area. For now, I'll just quickly mention my understanding that, for records which are in fact subject to Part 11, it may be deemed by FDA to be an illegal inspection refusal if the firm refuses FDA's electronic access to such electronic records. Thus, I recommend corresponding caution when refusing to grant FDA electronic access.
Regarding cybersecurity, the firm should ask the FDA to explain how the agency will protect the firm's electronic records against cybersecurity threats once the electronic records are in FDA's hands. FDA has internal operating procedures to protect itself and the firm against such threats. It doesn't hurt to make the FDA investigator refresh everyone about those cybersecurity procedures, as the firm and FDA often work together to achieve the cybersecurity as the electronic records are prepared for transfer.
------------------------------
Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright by ComplianceAcuity, Inc. All rights reserved.
Original Message:
Sent: 20-Mar-2024 17:13
From: Nancy Singer
Subject: When an FDA investigator asks for electronic records
Bruce,
Thanks for sharing your experience. It is great to see what investigators in the field are doing these days.
------------------------------
Nancy Singer JD, FRAPS, RAC
President, Compliance-Alliance
Compliance-Alliance
Newport Coast CA
United States
Original Message:
Sent: 20-Mar-2024 12:40
From: Bruce Platt
Subject: When an FDA investigator asks for electronic records
In my most recent investigation (October 2023), the FDA investigator requested that documents and records he wanted to be reviewed be presented in electronic form. We refused and only gave him paper copies to review. Our procedures require us to stamp the copies as confidential, and while possible, we were not prepared to convert the request to a PDF that could be marked as such. FDA accepted the paper copies.
------------------------------
Bruce Platt
Director Quality Assurance
Ocular Therapeutix, Inc.
Bedford MA
United States
Original Message:
Sent: 19-Mar-2024 18:47
From: Nancy Singer
Subject: When an FDA investigator asks for electronic records
An FDA investigator wants access to the company's electronic records. What should the official escort do?
------------------------------
Nancy Singer JD, FRAPS, RAC
President, Compliance-Alliance
Compliance-Alliance
Newport Coast CA
United States