Remember what you said about those test results in that email to your team on Tuesday afternoon…six years ago?
Neither did executives from Pfizer, Merck, and other firms recently taken to court and forced to publicly disclose millions of emails and company records. Having spent my share of long hours plowing through years-old email, meeting minutes and other documents as a result of lawsuits, I have the greatest empathy for what these executives are now struggling with; it’s a frustrating task that will last for years.
The question is, how can you avoid their fate?
Today, I offer FDA records compliance advice to executives trying to proactively handle these issues and litigation support services to firms that were too late.
These lessons deal directly with the pieces of paper in your office desk drawers and file cabinets, the emails you’ve held onto, and all the electronic files you store on your computer, your company network and elsewhere. These lessons are about your ability to comply with FDA regulations, make and sell safe products, and all the while protect yourself and your reputation. They are lessons that directly impact your bottom line.
Tobacco Litigation Lessons
In my corporate workshops and conference talks on records management and preparing for inevitable lawsuits in our litigious culture, I tell personal stories based on my experiences designing and implementing records management programs that covered not only regulatory requirements, but also court ordered actions and lawyer-requested steps.
Just crafting records management polices and holding training sessions is not enough because it is simply too easy for any of us to forget one crucial fact: in the eyes of the court, any notes you scrawl on a memo, meeting agenda, presentation, etc., are not your personal notes, but the notes from a company representative.
In other words, your scrawled private comment on a new initiative presentation, perhaps something like “ABC won’t work,” will come to light during a lawsuit and be interpreted by opposing litigants as “company personnel believed that ABC was only a smokescreen and that it would never work;” such a damning view of your private note will hold water with any jury primed to believe the worst of you and your colleagues.
And that gets to the crux of the issue: records in the possession of a company are very difficult to divide into an individual employee’s private musings and the company’s records. Courts have historically ruled that information in the company’s possession—in its offices, on its computers, etc.—are potential company records and subject to legal review.
If you don’t believe it, ask the tobacco industry’s sales and marketing personnel required to keep every record—even a grocery list—written on company time so that an outside, independent lawyer can review it to see if it has any bearing on current lawsuits. Handing your lawyer a check for $102 to review a pink Post-It note reading “bread, milk, diapers” is not a pleasant experience.
So take a moment and look around you. How many Post-It notes, emails, pieces of paper, binders and files are scattered around your office? If a lawsuit were filed tomorrow morning and you had to pay $102 (the average cost for legal review of a record) for someone to review each of those Post-It notes, pieces of paper, emails, and so on in your office, how much do you think that would cost? Now expand that to everyone you work with. And when you stretch that across your entire facility, division or company, the costs and time required are almost too much to grasp.
And those are just the out-of-pocket costs. They don’t include the damage to your company’s reputation in the public’s eye—that’s a long-term pain that the tobacco industry is still struggling with, and entails the kind of credibility cost that took down Enron, Arthur Anderson and others.
Discovery
When companies (such as Pfizer in the Neurontin case, Merck in the Vioxx trials, and so on) are sued, plaintiffs will immediately file what is known as a “discovery motion.” This is a request to the court to force the company being sued to preserve any internal—and often confidential—records that may be relevant. Outside experts are then brought in to review each record to determine its relevance.
Given the countless thousands of records that are usually involved, costs quickly escalate…even if the lawsuit is won or thrown out. Last year, Gartner research found that the average mid-size to large company must respond to 6-10 discovery requests per year at an average cost of $1.6 million each.
Amendments in 2006 to the Federal Rules of Civil Procedure now allow plaintiffs to also request that all electronically stored information be retained and reviewed for relevance as well. The result: your email from six years ago can now stand as proof of your intent to circumvent the rules.
So what to do? More training on records management? Clarify in your policy that people must “really” comply? Buy shredders for everyone and turn off all the computers and email?
Steps to Minimize Risk and Cost
Putting off a process to manage your records—including emails—comes with substantially enhanced risk, not just in the event of a lawsuit, but also when the inspector comes knocking. Failure to produce a record the inspector records generally results in a Form 483 observation.
When I advise clients on designing and putting in place an FDA-compliant records retention and management program, I bring my experiences with other clients and with my own history when I was accountable for setting a records management program up, running it, and then having to defend it to auditors and lawyers alike.
There are many steps to take to set up a good records management program, but two that I want to draw your attention to are not usually thought of by anyone who has never had experience defending the program to inspectors or litigators:
- An email and communications policy
- Regular record audits
And let me state now, any “records expert” who doesn’t recommend these two tactics is only going to lead you down the road to perdition.
Regular Record Audits
Take advantage of your current quality or compliance programs, and establish record audits as part of an internal quality or controls audit. This avoids duplicate internal audit efforts, and has the added benefit of helping prepare for compliance with the revised FDA Part 11 and EU Annex 11.
It is critical to ensure that these are independent reviews, not the usual “records review” that so many elementary records management programs discuss. This internal audit is designed to find out if your staff are really following the rules or not. When I work with clients to setup a program, or improve their current processes, I conduct an audit (typically under the guise of a mock FDA audit) that they can simply incorporate and adopt themselves into their quality systems internal audit program.
At minimum, structure your audit to examine the following:
- Completeness of record classification (e.g., are all the records that should be marked “confidential” so marked?)
- Proof of regular records reviews, archival and disposal activities (e.g., are people actually deleting files and throwing away records no longer required for retention by company policy?)
- Accuracy of your company record retention schedules vis-à-vis current laws, regulations and court rulings
Consider sampling the records of 10-15 random individuals in your company, from the scientist in the lab, the computer analyst in the cube, and the director in the corner office. You will need to work with your information technology (IT/ICT) group to ensure you review electronic files.
Consider also auditing the records of your critical suppliers as part of your supplier qualification program. News reports of the involvement of one of the big name consulting companies colluding with a biopharmaceutical company to hide data only lend further credence to ensuring that you audit your suppliers and partners, and have the proof to back that up.
Email and Communications Policy
Why is this important to records management?
Because emails will outnumber all the rest of your records by at least 10-to-1. In other words, you’ve got a 10x greater chance to find problems when you look at your email (which is why discovery motions today routinely include all email).
And while we all struggle to understand a complex risk assessment or detailed scientific analysis, an email that reads “I think we can limit problems by delaying telling anyone about this for as long as possible” is painfully clear to the inspector and anyone in the courtroom.
Like it or not, managing email needs to be a core focus for any records management program. An email and communications policy will help head off some of the problems you face. There are two concerns to address:
- Etiquette
- Privacy
Etiquette
Decorum in email and other communications has less to do with Ms. Manners and more to do with reputation. You may have trained the personnel who answer your phones or customer service areas, but have you reviewed your expectations with the rest of your company?
For instance, email content should be appropriate and not denigrate your company, employees, products, customers or anyone else you deal with. Emails have significant staying power and the last thing you’d like, particularly in a sensitive negotiation, is for an email you sent to someone else with your private opinions about your negotiating partner suddenly appearing in his hands.
FDA officials have commented that a good one-third of all complaints lodged about executives and companies come in the form of emails given to them by disgruntled personnel. Make sure yours are not among them.
Privacy
There is no such thing as a private email.
Let me repeat: there is no private email. Not because of any far-fetched risk of interception, but because you have no control over what happens to words you’ve written once they are in someone else’s hands.
The general counsel of a mid-sized Fortune 500 firm cautions all employees: “Do not put anything in your email your mother would be ashamed of seeing repeated in tomorrow morning’s paper.” Remind your staff: emails are records; in the eyes of the court, they hold just as much validity as the formally approved clinical protocol.
Final Thoughts
Ultimately, success of your efforts to prove compliance and protect yourself comes down not to designing a perfect records management program, but executing it. Would an internal records audit have caught the Merck documents that highlight decisions of dubious scientific motivation? The answer to that depends on if your internal records audit was undertaken as a cursory once-over or a real effort to uncover and correct poor practices.
Records compliance is a complicated, risky area involving company culture and personal habits. Not having experienced advice will cost you. A tricky balance must be struck between conducting your day-to-day business, proving compliance using your records, and guarding yourself from courtroom publicity.
Are you ready?
Adapted from articles in SmarterCompliance 2(8), August 2008 and 2(10) October 2008