How to Comply with 21 CFR and HIPAA Data Retention Requirements
This blog was originally published by D4 Discovery.
As corporations move rapidly towards digitizing internal records and gathering more and more data from their consumers, it’s no surprise that data privacy is a concern shared by nearly every industry. But the healthcare industry in particular faces extreme pressure to comply with increasingly rigid regulations around protecting personally identifiable information (PII) and protected health information (PHI).
Patients and consumers simultaneously want more access to data and confidence that data is being properly stored and shared, and regulatory bodies are constantly updating policies and protocol to address the changing data landscape. All of this pressure puts healthcare companies in a tough spot – navigating a minefield of regulations in a changing industry and using new technologies and methods to do it. It’s no wonder that, in a recent survey, nearly six in ten respondents said they lacked complete confidence in their ability to protect privacy, even as they also reported increases in data volume and data sharing.
In this post, I’ll dig into the specific challenges for handling PHI and PII that healthcare companies might come up against in order to stay compliant under a couple of the biggest regulations in the industry – HIPAA and 21 CFR Part 11 – and how to use an information governance strategy and technology to address those challenges.
Maintaining Compliance Under Healthcare Regulations
How to Maintain Compliance under the HIPAA Privacy, Security and Breach Notification Rules
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is US legislation that spells out provisions for safeguarding medical information and data privacy.
There are three components of HIPAA that are relevant to this discussion:
the Privacy Rule, added in 2000;the Security Rule, added in 2003;and the Breach Notification Rule, added in 2013.
Each rule contains its own lengthy provisions for compliance, but for the sake of brevity, here is a summary of what all covered entities and their business associates must do in order to maintain HIPAA compliance under these three rules:
Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain or transmit, and protect that data from reasonably anticipated threats or impermissible disclosuresNotify patients about his or her privacy rights and explain to the patient how their health information can be usedEstablish and prove adherence to privacy proceduresEnsure that any business associates or third-party service providers are aware of the parameters for accessing and sharing health information and are in adherence to privacy proceduresRegularly administer HIPAA training to employees to ensure understanding with both federal and state laws, as well as the organization’s privacy proceduresAppoint a Privacy Official to oversee the organization’s privacy programNotify affected individuals, the Secretary of the HHS (Health and Human Services), and even – in some circumstances – the media within specified periods of time in the event of a health information breach.
How to Maintain Compliance Under 21 CFR
Title 21, Part 11 of the Code of Federal Regulations, or 21 CFR for short, is a regulation that has been in effect since 1997 and defines the criteria under which electronic records and signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. This rule applies to all industries regulated by the FDA, including but not limited to medical device manufacturers, drug makers, biotech companies, and pharma/biotech/medical device research organizations.
Covered entities are required to protect regulated data by implementing certain controls in processing any electronic datarequired by the FDA, including the following:
System validation to demonstrate fitness of use, consistency, and reliability, and full written documentation of system features and expected behaviorSpecific requirements and controls to manage regulated electronic records through their lifecycle – including creation, modification, archiving, and transmissionStrict physical and technical security measures to limit access to regulated systemsAudit trails to prove the integrity of electronic records and signaturesSpecific requirements for any use of electronic signaturesCertification and training for all individuals with access to systems
The controls required by 21 CFR can put a major burden on companies affected, especially from a technical perspective. For example, system validation and documentation required by 21 CFR requires that documentation be maintained constantly, even after a system has been phased out or deemed obsolete. Implementing audit trails according to the FDA’s requirements can also be very difficult for a company starting from scratch since compliant systems must be able to track and timestamp all changes to electronic records in an automated manner that cannot then be modified by users, as well as make those audits available for export.
The Burden of Regulatory Compliance on Healthcare Organizations
As the amount of data being electronically stored, shared, and made available to individuals increases, the complexity and burden of regulatory compliance on healthcare and medical companies also increases. Additionally, the widespread use of mobile devices, networked medical devices, and personal/work computers makes it nearly impossible to know exactly where PHI and PII might be located and because of that nearly impossible to ensure adequate protections are in place.
The most thorough mobile device management policies will have accounted for each popular device’s unique retention scheme. Use this white paper to gain insight into those nuances, and create a policy that helps control data to comply with industry regulations.
Other challenges that healthcare companies face when trying to maintain compliance are that medical processes are in constant flux, healthcare companies often lack sophisticated technology infrastructure, and even when they do, technology is ever-changing and frequently updated.
Also, the culture of, say, a large hospital management group or pharmaceutical company might not support spending increasing time and energy on something they perceive as an “IT issue” or secondary to larger business goals. And the larger the company, the more work is required to maintain compliance and the higher the risk if they do not. According to one IT security professional and HIPAA expert, compliance “is a journey, not a destination,” and that journey could take years for a large organization starting from scratch.
Compliance under 21 CFR can become extremely costly; according to analysts, the cost could range from $5 million to $400 million depending on your company’s size and requirements.
Use Thorough IG Policies to Protect PHI and PII
There’s a great deal of overlap between what is necessary for compliance under these two regulations, and the overlapping items all fall under the category of thorough information governance policies, including:
Conducting regular inventories of where and how electronic records, particularly those with PHI, are stored on your company networkImplementing controlled user access – unique identifiers and complex, frequently updated passwords – to all electronic record management systemsImplementing tools for encryption and decryptionEnsuring physical security of all computers and servers where electronic records are storedSecuring your company network with firewalls and strict policies around mobile devices, personal computers, bringing company computers home, etc.Auditing all activity that takes place in systems where electronic records are collected, stored, and transmittedRestricting third-party access to electronic records (by parent companies, vendors, business associates, etc.)Establishing protocol for reporting and assessing security incidents and breachesRegularly training employees on company security policies, particularly protocol around viewing and sharing of electronic recordsMaintaining and updating documentation around proper use of systems where electronic data and PHI might be stored.
All of the above practices will ensure that you have baseline procedures for protecting PHI and the integrity of electronic records at your organization, but management of electronic records becomes infinitely more complicated and high-risk when a corporation is involved in litigation. As soon as a legal hold is put into effect, mountains of data start piling up and being sent to third parties for analysis, review, and production leading up to litigation. If any sensitive information like PHI is leaked or if the integrity of your electronic records is called into question because of poor auditing or system validation, your company is going to find itself faced with sanctions, fines, and even lawsuits (not to mention severe reputational damage).
It is particularly important for healthcare companies to safeguard data during the eDiscovery process, which is why it’s crucial that you have confidence that your third-party service providers are implementing similar strict security policies of their own. There are also tools your service provider can offer – like automated redaction technology – to ensure total protection of PHI while simultaneously reducing the cost of your review.
The amount of electronic data being gathered and shared in the health industry is only going to increase exponentially in coming years, and with it, you can expect regulations like HIPAA and 21 CFR to change frequently. The more you know about the tools, technologies, and information governance best practices available to you, the more prepared you’ll be to navigate the minefields of compliance.