Data Quality, Records Management & FDA Recordkeeping Laws

Be compliant with these US regulations and statutes on data integrity and recordkeeping in order to avoid stiff penalties and preserve corporate value.  If you need expert help with FDA recordkeeping compliance, please see our FDA records retention advisory services.  If you need expert help with electronic data integrity, please see Cerulean’s data integrity and Part 11 expert services.

Regulations and statutes protecting data quality and data integrity

21 CFR Part 11 Electronic Records; Electronic Signatures
Requires validated controls to ensure that e-signatures and e-records are attributable, contemporaneous, legible, original, and accurate – in other words, can be relied upon in the same way as paper records and pen & ink signatures (the European version of this regulation is Annex 11). FDA also has a Part 11 FAQ on retention of paper versus electronic records

Application Integrity Policy (AIP)
Issued in 1991, this little-known FDA rule allows the agency to stop all reviews and processing of any pending regulatory submissions that contain (or are supported by) data with questionable integrity. You may also be interested in the agency's points to consider when reviewing submissions for data integrity

Electronic Signatures in Global and National Commerce Act (ESIGN)
Assures that electronic records and contracts have the same legal validity and protection as paper records and contracts

Uniform Electronic Transactions Act (UETA)
A law individually adopted by 47 states, the District of Columbia, Puerto Rico, and the US Virgin Islands that harmonizes differing state laws regarding retention of records and the validity of electronic signatures

Uniform Photographic Copies of Business & Public Records as Evidence Act
Reproductions of records have the same legal significance as the original record

Rules 16, 26, 33, 34, 37 & 45 of the Federal Rules of Civil Procedure (FRCP)
Governs the discovery and disclosure of information (both in hard-copy and digital versions) relevant to civil actions; rules 26 & 34 are the most frequently cited

Regulations and statutes mandating records retention and document controls

36 CFR Parts 1220-1239 NARA Regulations
These regulations lay out requirements for records and data management controls for US Federal agencies; as such they can serve as a benchmark of minimum expectations for private industry

Uniform Commercial Code (UCC)
Harmonizes state laws regarding business transactions, primarily with goods and property such as sales and leases, plus contractual agreements; sets forth minimum retention periods for receipts and other related records

Uniform Preservation of Private Business Records Act (UPPBRA)
Enacted by multiple states; clarifies that business records not otherwise specified by regulation, statute or court order may be destroyed after the expiration of three years

Sarbanes-Oxley Act of 2002
Requires effective internal controls over financial data, including audits and reviews; see also 17 CFR 210 Retention of Records Relevant to Audits and Reviews

Stored Wire and Electronic Communications and Transactional Records Access
Lays out access and storage requirements, along with civil punishments for destruction thereof, for records that organizations are required to retain

Healthcare Insurance Portability and Accountability Act (HIPAA)
Governs the use and disclosure of individually identifiable health information

Export Administration Regulations (EAR)
Requires firms in the US doing business internationally to ensure the secrecy and confidentiality of protected technology, including preventing advanced manufacturing and materials know-how (“deemed exports”) from being inadvertently acquired by customers and suppliers overseas

Title VII (ADEA, GINA, EPA)
Governs the retention of employee files and personnel training records in order to prove an organization has not engaged in discriminatory behavior.  Make sure your organization is aware of the impact on its records from the 2008 SCOTUS ruling on Title VII’s statute of limitations

FDA regulations covering recordkeeping requirements

Bioterrorism Act of 2002
Establishes requirements – including recordkeeping and regulatory agency access – for registration and traceability of select chemicals and toxins that could pose threats to safety and health

Federal Food, Drug and Cosmetic Act (FDCA)
Creates the US Food & Drug Administration and provides it authority over medicinal products (drugs and devices), cosmetics, and most food products

Prescription Drug Marketing Act (PDMA)
Contains a series of recordkeeping requirements associated with marketing and advertising drugs, including presenting risk information, etc. FDA clarified a number of record retention requirements in its 2006 PDMA FAQ-based guidance.

Food and Drug Administration Amendments Act of 2007 (FDAAA)
Reauthorizes the FDA, its user fees, its regulations, and provides additional powers of enforcement such as the ability to levy civil fines against organizations and individuals

Food and Drug Administration Safety and Innovation Act of 2012 (FDASIA)
Reauthorizes PDUFA, MDUFA, clarifies elements of the supply chain that FDA is most concerned about, and provides additional records requirements for firms

Food Safety Modernization Act (FSMA)
Amends the FDCA with twelve separate rules plus other mandates and requirements, including granting FDA record access authority (Sections 101/204). FDA has published a guidance set of FAQs regarding recordkeeping and access. Note that most requirements center around retaining records for 2 years after they are superseded or otherwise obsoleted

Current Good Manufacturing Practices (cGMPs)
Series of regulations and guidance documents governing the production of dietary supplements, pharmaceutical and biotechnology drugs; 21 CFR Part 111, 21 CFR Part 210 and 21 CFR Part 211 make up the core of the cGMPs but are supplemented by rules on drug labeling (21 CFR Part 201), drug marketing and advertising (21 CFR Parts 202 & 203), etc., and should not be taken in isolation

Current Good Laboratory Practices (cGLPs)
Regulations (primarily 21 CFR Part 58) and a series of guidance documents that govern the controls for laboratories and research organizations to ensure consistency and reliability of laboratory studies; in addition, the Environmental Protection Agency (EPA) also enforces good laboratory practices through 40 CFR Part 160 FIFRA and 40 CFR Part 792 TSCA

Current Good Clinical Practices (cGCPs)
Regulations and guidance documents that protect the safety of human test subjects and the integrity of clinical trials for both drugs and devices; the core GCP regulations are 21 CFR Part 50 Protection of Human Subjects and 21 CFR Part 56 Institutional Review Boards

Biologics, Blood and Vaccine Regulations
Set of regulations and guidance documents in addition to the GMPs, GLPs, and GCPs that govern biotechnology drugs, vaccines, and blood products; these include general biological product regulations (21 CFR Part 600), biologics licensing (21 CFR Part 601), biologics release standards (21 CFR Part 610), and so forth

Medical Device and Diagnostics Regulations
Regulations and guidance documents governing compliance requirements for designers and manufacturers of medical devices; the core rule 21 CFR Part 820 Quality System Regulations should not be taken in isolation; other aspects of medical device regulation include device premarket approval (Part 814), medical device reporting (Parts 803 & 806), and so on

Family Smoking Prevention and Tobacco Control Act of 2009
Provides authority for the FDA to regulate certain aspects of tobacco products; currently the FDA is issuing tobacco guidance documents rather than specific regulations

International harmonization guidelines

These guidelines are enforced and cited by FDA, EMA, Health Canada, and other health agencies involved in international regulatory harmonization efforts:

GHTF SG3.N17 Guidance on the Control of Products and Services Obtained from Suppliers
Medical device harmonized standard that identifies types of raw materials and components documentation and supplier management and oversight records to retain

GHTF SG3.N99 Quality Management Systems – Process Validation Guidance
A harmonized medical device regulatory standard that provides suggested retention requirements for policies, SOPs, and process validation documentation

ICH E6 Good Clinical Practice
Biopharmaceutical standard that clarifies types of records to retain associated with clinical trials

ICH Q7 Good Manufacturing Practice for Active Pharmaceutical Ingredients
Harmonized standard for biotechnology and pharmaceutical firms that identifies records to be retained under current Good Manufacturing Practices (cGMPs)

ISO 15489: Records Management Standard
An international industry consensus standard that provides a high-level framework for records retention

Additional state regulations and statutes

California SB-1386 Law
Requires businesses to disclose to their customers in California details of any record security breach that is reasonably believed to have resulted in the acquisition of personal information by unauthorized individuals

California Health & Safety Code 119402
Requires pharmaceutical and medical device firms to maintain a training program (and supporting records) in compliance with the US Office of Inspector General’s Compliance Program Guidance for Manufacturers, including an annual certification of compliance

District of Columbia Code 3-1207.41-45
Washington, D.C. law that defines the types of records that pharmaceutical sales personnel must keep

Massachusetts 201 CMR 17.00
Regulates the way organizations store, transfer, and protect the personal information of state residents

Nevada Revenue Statute 639.570
Requires pharmaceutical and medical firms to maintain a training program on either the PhRMA or the AdvaMed Code, as well as conduct and retain annual audits of compliance

New York Information Security Breach and Notification Act (A04254)
Governs the protection of New York state consumers’ personal data

Washington SB-6043 Law
Regulates disclosure standards concerning data security breaches involving personal information of Washington state residents

Recent court cases with specific record-keeping implications

United States v. Palazzo, February 2009
Affirmed the precedent that noncompliance with the good clinical practice record-keeping requirements contained in FDA regulations is a criminal violation, and management is accountable for poor recordkeeping under the Park Doctrine