Posted on: May 17, 2017in Blog
How to Comply with 21 CFR and HIPAA Data Retention Requirements
As corporations move rapidly towards digitizing internal records and gathering more and more data from their consumers, it’s no surprise that data privacy is a concern shared by nearly every industry. But the healthcare industry in particular faces extreme pressure to comply with increasingly rigid regulations around protecting personally identifiable information (PII) and protected health information (PHI).
Patients and consumers simultaneously want more access to data and confidence that data is being properly stored and shared, and regulatory bodies are constantly updating policies and protocol to address the changing data landscape. All of this pressure puts healthcare companies in a tough spot - navigating a minefield of regulations in a changing industry and using new technologies and methods to do it. It’s no wonder that, in a recent survey, nearly six in ten respondents said they lacked complete confidence in their ability to protect privacy, even as they also reported increases in data volume and data sharing.
In this post, I’ll dig into the specific challenges for handling PHI and PII that healthcare companies might come up against in order to stay compliant under a couple of the biggest regulations in the industry - HIPAA and 21 CFR Part 11 - and how to use an information governance strategy and technology to address those challenges.
Maintaining Compliance Under Healthcare Regulations
How to Maintain Compliance under the HIPAA Privacy, Security and Breach Notification Rules
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is US legislation that spells out provisions for safeguarding medical information and data privacy.
There are three components of HIPAA that are relevant to this discussion:
- the Privacy Rule, added in 2000;
- the Security Rule, added in 2003;
- and the Breach Notification Rule, added in 2013.
Each rule contains its own lengthy provisions for compliance, but for the sake of brevity, here is a summary of what all covered entities and their business associates must do in order to maintain HIPAA compliance under these three rules:
- Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain or transmit, and protect that data from reasonably anticipated threats or impermissible disclosures
- Notify patients about his or her privacy rights and explain to the patient how their health information can be used
- Establish and prove adherence to privacy procedures
- Ensure that any business associates or third-party service providers are aware of the parameters for accessing and sharing health information and are in adherence to privacy procedures
- Regularly administer HIPAA training to employees to ensure understanding with both federal and state laws, as well as the organization’s privacy procedures
- Appoint a Privacy Official to oversee the organization’s privacy program
- Notify affected individuals, the Secretary of the HHS (Health and Human Services), and even - in some circumstances - the media within specified periods of time in the event of a health information breach.
How to Maintain Compliance Under 21 CFR
Title 21, Part 11 of the Code of Federal Regulations, or 21 CFR for short, is a regulation that has been in effect since 1997 and defines the criteria under which electronic records and signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. This rule applies to all industries regulated by the FDA, including but not limited to medical device manufacturers, drug makers, biotech companies, and pharma/biotech/medical device research organizations.
Covered entities are required to protect regulated data by implementing certain controls in processing any electronic data required by the FDA, including the following:
- System validation to demonstrate fitness of use, consistency, and reliability, and full written documentation of system features and expected behavior
- Specific requirements and controls to manage regulated electronic records through their lifecycle - including creation, modification, archiving, and transmission
- Strict physical and technical security measures to limit access to regulated systems
- Audit trails to prove the integrity of electronic records and signatures
- Specific requirements for any use of electronic signatures
- Certification and training for all individuals with access to systems
The controls required by 21 CFR can put a major burden on companies affected, especially from a technical perspective. For example, system validation and documentation required by 21 CFR requires that documentation be maintained constantly, even after a system has been phased out or deemed obsolete. Implementing audit trails according to the FDA’s requirements can also be very difficult for a company starting from scratch since compliant systems must be able to track and timestamp all changes to electronic records in an automated manner that cannot then be modified by users, as well as make those audits available for export.
The Burden of Regulatory Compliance on Healthcare Organizations
As the amount of data being electronically stored, shared, and made available to individuals increases, the complexity and burden of regulatory compliance on healthcare and medical companies also increases. Additionally, the widespread use of mobile devices, networked medical devices, and personal/work computers makes it nearly impossible to know exactly where PHI and PII might be located and because of that nearly impossible to ensure adequate protections are in place.
Other challenges that healthcare companies face when trying to maintain compliance are that medical processes are in constant flux, healthcare companies often lack sophisticated technology infrastructure, and even when they do, technology is ever-changing and frequently updated.
Also, the culture of, say, a large hospital management group or pharmaceutical company might not support spending increasing time and energy on something they perceive as an “IT issue” or secondary to larger business goals. And the larger the company, the more work is required to maintain compliance and the higher the risk if they do not. According to
Use Thorough IG Policies to Protect PHI and PII
There’s a great deal of overlap between what is necessary for compliance under these two regulations, and the overlapping items all fall under the category of thorough information governance policies, including:
- Conducting regular inventories of where and how electronic records, particularly those with PHI, are stored on your company network
- Implementing controlled user access - unique identifiers and complex, frequently updated passwords - to all electronic record management systems
- Implementing tools for encryption and decryption
- Ensuring physical security of all computers and servers where electronic records are stored
- Securing your company network with firewalls and strict policies around mobile devices, personal computers, bringing company computers home, etc.
- Auditing all activity that takes place in systems where electronic records are collected, stored, and transmitted
- Restricting third-party access to electronic records (by parent companies, vendors, business associates, etc.)
- Establishing protocol for reporting and assessing security incidents and breaches
- Regularly training employees on company security policies, particularly protocol around viewing and sharing of electronic records
- Maintaining and updating documentation around proper use of systems where electronic data and PHI might be stored
All of the above practices will ensure that you have baseline procedures for protecting PHI and the integrity of electronic records at your organization, but management of electronic records becomes infinitely more complicated and high-risk when a corporation is involved in litigation. As soon as a legal hold is put into effect, mountains of data start piling up and being sent to third parties for analysis, review, and production leading up to litigation. If any sensitive information like PHI is leaked or if the integrity of your electronic records is called into question because of poor auditing or system validation, your company is going to find itself faced with sanctions, fines, and even lawsuits (not to mention severe reputational damage).
It is particularly important for healthcare companies to safeguard data during the eDiscovery process, which is why it’s crucial that you have confidence that your third-party service providers are implementing similar strict security policies of their own. There are also tools your service provider can offer - like automated redaction technology - to ensure total protection of PHI while simultaneously reducing the cost of your review.
The amount of electronic data being gathered and shared in the health industry is only going to increase exponentially in coming years, and with it, you can expect regulations like HIPAA and 21 CFR to change frequently. The more you know about the tools, technologies, and information governance best practices available to you, the more prepared you’ll be to navigate the minefields of compliance.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted November 16, 2017
5 Workflow Tips for Conducting a Foreign Language Review
Posted November 10, 2017
What You Need to Know About Managed Review and the eDiscovery Process
Posted November 02, 2017
7 Steps to Help You Defensibly Migrate eDiscovery Data
Posted October 27, 2017
CLE Webinar with Lewis Brisbois: How to Do Social Media Collection and Presentation Right
Posted October 26, 2017
Despite Clawback, Defendant’s Reckless Abandon of Rule 502 Bites Back
Posted October 20, 2017
How to Use the eDiscovery PST Export Tool in Office 365 E3
Posted October 12, 2017
Recent eDiscovery Cases for Mobile Phones and Social Media
Posted October 05, 2017
Raising Objections to the Format of ESI Productions: Do it Early and Do it Clearly
Posted September 27, 2017
5 Reasons eDiscovery Alternative Fee Models Make Sense for You
Posted September 22, 2017
Why it's Crucial to Have a Corporate Mobile Device Policy