Sarbanes-oxley, 21cfr part 11, hipaa, pharmaceutical cgmps for the 21st Century: The industry has been hit in the past three years with a regulatory load unprecedented in its depth, breadth, and complexity. And because record-keeping, security of records, and auditability are at the core of what the federal government seems to be trying to accomplish, information technology is at the core of pharma's response. Across the industry, companies are scrambling to gain more complete control over their data.
In truth, say technology providers, the problem is even more complex than many in the industry realize. On the one hand, pharma faces far more compliance issues than the usual culprits. Not only are there complex new regulations emerging on the state level, but also pharma is increasingly forced to respond to customers, standards organizations, and internal initiatives in ways that mirror what is happening on the federal regulatory front. And the double whammy of Sarbanes-Oxley and 21CFR Part 11 looks less like a pair of difficult regulations, and more like a single push toward comprehensive control over records of all sorts.
No wonder compliance is front-of-mind for IT executives—and others—at pharma companies. For companies large and small, one of the most pressing challenges of the next few years will be to understand compliance at a much deeper level, to obtain the tools to make it possible, and to turn those tools to solid business advantage going forward.The Basics Dennis Constantinou, senior industry director, life sciences, for Oracle, suggests that it is best to look at compliance as having four levels:
Industry-specific regulations These include not just FDA regulations, but also regulations from the Drug Enforcement Agency (DEA), the requirements of the Health Insurance Portability and Accountability Act (HIPAA), international pharmaceutical regulations, and the specific requirements of organizations such the as the International Standards Organization. A particular area of concern these days is state-level regulation, which is rapidly increasing.
Internal procedures "These include equipment safety procedures, self auditing, self imposed quality procedures," Constantinou says.
The different forms of compliance may not all be backed by the power of governments, but all of them require retention of secure records and the ability to locate specific pieces of information and generate reports. "They're all interrelated," explains Constantinou. "If you don't have your compliance for the FDA in order, then you run into problems with customer requirements, and potentially you'll run into problems with other regulations." Companies need to look past their response to individual regulations toward a broader strategy of maintaining, analyzing, and protecting data.
Sarbanes-Oxley One of the hot issues for CIOs today is the Public Company Accounting Reform and Investor Protection Act, better known as Sarbanes-Oxley (SOX), enacted in 2002, which aims to improve the reliability of the audit process.