Sarbanes-Oxley, 21CFR Part 11, HIPAA, Pharmaceutical cGMPs for the 21st Century: The industry has been hit in the past three
years with a regulatory load unprecedented in its depth, breadth, and complexity. And because record-keeping, security of
records, and auditability are at the core of what the federal government seems to be trying to accomplish, information technology
is at the core of pharma's response. Across the industry, companies are scrambling to gain more complete control over their
In truth, say technology providers, the problem is even more complex than many in the industry realize. On the one hand, pharma
faces far more compliance issues than the usual culprits. Not only are there complex new regulations emerging on the state
level, but also pharma is increasingly forced to respond to customers, standards organizations, and internal initiatives in
ways that mirror what is happening on the federal regulatory front. And the double whammy of Sarbanes-Oxley and 21CFR Part
11 looks less like a pair of difficult regulations, and more like a single push toward comprehensive control over records
of all sorts.
No wonder compliance is front-of-mind for IT executives—and others—at pharma companies. For companies large and small, one
of the most pressing challenges of the next few years will be to understand compliance at a much deeper level, to obtain the
tools to make it possible, and to turn those tools to solid business advantage going forward.
Dennis Constantinou, senior industry director, life sciences, for Oracle, suggests that it is best to look at compliance as
having four levels:
Generic regulations: These include Sarbanes-Oxley, the regulations of the Occupational Safety and Health Administration (OSHA), and other regulations
followed by a wide range of businesses, not just pharma.
Industry-specific regulations: These include not just FDA regulations, but also regulations from the Drug Enforcement Agency (DEA), the requirements of the
Health Insurance Portability and Accountability Act (HIPAA), international pharmaceutical regulations, and the specific requirements
of organizations such as the International Standards Organization. A particular area of concern these days is state-level
regulation, which is rapidly increasing.
Internal procedures: "These include equipment safety procedures, self-auditing, self-imposed quality procedures," Constantinou says.
Customer requirements, such as contracts: "Pharmaceutical companies maintain strong relationships with distribution companies for their pharmaceutical products, both
domestically and internationally, as well as compliance with the federal government in terms of contract regulation and pricing,"
Constantinou says. "How do you work with those customers, even if they're contract manufacturers or suppliers, on quality
assurance, on contract management, on electronic data interface and exchange of information?"
The different forms of compliance may not all be backed by the power of governments, but all of them require retention of
secure records and the ability to locate specific pieces of information and generate reports. "They're all interrelated,"
explains Constantinou. "If you don't have your compliance for the FDA in order, then you run into problems with customer requirements,
and potentially you'll run into problems with other regulations." Companies need to look past their response to individual
regulations toward a broader strategy of maintaining, analyzing, and protecting data.
One of the hot issues for CIOs today is the Public Company Accounting Reform and Investor Protection Act, better known as
Sarbanes-Oxley (SOX), enacted in 2002, which aims to improve the reliability of the audit process.