We have had a number of questions from our users asking whether the Practice Fusion Electronic Health Record (EHR) system is “Part 11 compliant.” This question has surfaced in part because of audits by the Food and Drug Administration (FDA) that are starting to take place.
Background: what is “Part 11”?
Title 21 CFR Part 11 of the Code of Federal Regulations deals with FDA guidelines on electronic records and electronic signatures in the United States. “Part 11,” as it is commonly called, defines the criteria under which electronic records and signatures are considered to be trustworthy, reliable and equivalent to paper records. When 21 CFR Part 11 was released in 1997, it was hailed as a landmark regulation that finally made e-records and e-signatures as valid as paper records and handwritten signatures.
The rule covers areas under FDA jurisdiction, and generally applies to drug makers, medical device manufacturers, biotech companies, and others, to follow specific rules to ensure the accuracy and validity of their electronic recordkeeping systems.
The FDA has announced that it will start conducting inspections in late 2010 and early 2011 for Part 11 compliance, relating to human drugs. It is being carried out by the FDA’s Center for Drug Evaluation and Research (CDER), which is the agency that assures that all prescription and over-the-counter drugs are safe and effective, and evaluates all new drugs.
Whether the FDA audits apply to areas outside medical drug trials and medical device testing remains uncertain – however, the FDA has claimed a position that software deployed on consumer devices (like smartphones and iPads), and which collects clinical data, renders that device a “medical device” (a Medical Device Data System, or MDDS), falling under the FDA’s jurisdiction for ensuring safety, efficacy and regulation.
What is needed for Part 11 compliance?
Part 11 compliance includes both technical controls (data validation, time stamps, maintenance of records, and capture of electronic signatures), as well as administrative and procedural controls (notification, training, Standard Operating Procedures, and administration). A vendor can offer the technical controls. The user must provide the administrative controls.
Part of Meaningful Use (one of the Core requirements, to which there are no exceptions) is for the clinician to “conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”
The CFR item referenced in Meaningful Use is different than the one the FDA is referencing for Part 11. However, doing all the things needed for Meaningful Use (45 CRF 164.308) will more than satisfy the narrower scope of 21 CFR Part 11.
What should Practice Fusion users do?
The technical elements needed for Part 11 compliance are already built into the product. There is unlimited record retention and storage, with automatic data backup at the vendor end of the product. Electronic signatures, which timestamp, sign and seal each chart note entry, are part of the core product. Even addenda to completed and signed notes are themselves signed, sealed, and time-stamped. In addition, all the encryption and security requirements part of Meaningful Use are also in place. Practice Fusion has been Certified to conform to all the safety and security elements required by the ONC.
The administrative steps needed to be carried out (and documented) by the clinician need to be done. We have put together a document that can be freely downloaded and used as a checklist and guide to satisfy the Meaningful Use requirement. Upon completion, this will also withstand an FDA Part 11 audit.
Robert Rowley, MD
Chief Medical Officer
Practice Fusion EMR
Pingback: Buy Facebook Fans