Appreciating FDA Data Integrity Requirements

The Food and Drug Administration (FDA), which falls under the umbrella of the U.S. Department of Health and Human Services (HHS), has a significant number of requirements that align with HIPAA and the HITECH Act. The FDA is in charge of implementing the Food, Drug and Cosmetics Act, which includes overseeing clinical trial investigations, Institutional Review Boards (IRBs), and facilities involved in the manufacturing, processing and distribution of FDA-regulated items.

Notably, areas that the government has indicated need regulatory improvement include:

  • Preservation of confidentiality
  • Integrity
  • Availability of electronic data.

The Code of Federal Regulations (CFR) provides the scope of the requirements related to electronic records and electronic signatures. The regulations laid out in the CFR will come as a relief to anyone who is familiar with HIPAA requirements, because the government standards referenced in the HIPAA Omnibus Rule are implied here, too.

For example, Section 11.10(e), Controls for Closed Systems, mirrors the security control requirements of HIPAA:

“Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.”
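
One way to build the properties Section 11.10(e) names (computer-generated timestamps, operator attribution, and changes that never obscure earlier values), shown as an added example that is not from the original article or from the FDA. Using a hash chain to make the trail tamper-evident is an assumption about how "secure" could be implemented, and the class name, operators and record values are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only trail of create/modify/delete actions on electronic records."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # never edited in place; only appended to

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same entry always hashes to the same value.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, operator, action, record_id, value=None):
        if action not in ("create", "modify", "delete"):
            raise ValueError(f"unsupported action: {action}")
        body = {
            "seq": len(self.entries),
            # Computer-generated timestamp; the operator cannot supply it.
            "time": datetime.now(timezone.utc).isoformat(),
            "operator": operator,
            "action": action,
            "record_id": record_id,
            "value": value,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def history(self, record_id):
        # Every prior value stays visible: changes do not obscure earlier data.
        return [e for e in self.entries if e["record_id"] == record_id]

    def verify(self):
        """Return the position of the first altered or missing entry, or None."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(body):
                return i
            prev = e["hash"]
        return None
```

Verification catches edits and removals inside the chain; detecting truncation of the newest entries additionally requires keeping the latest hash somewhere the operators cannot write.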


Not having the necessary technical, administrative and physical standards in place can cause violations to be issued by the FDA, in addition to a potential HIPAA violation.

Potential FDA data integrity violations are issued in two ways:

  1. A Form 483
  2. A Warning Letter

A Form 483 is an audit form used by the FDA during its oversight process. After a Form 483 is received, the recipient may respond and request to have the adverse observations removed from the record. If the response is not accepted, then a Warning Letter is issued.

Interestingly, there has been an increase in FDA letters that focus on data integrity issues, with a particular focus on the “failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent omission of data.”

Some inadequate regulatory measures that the FDA mentioned included:

  • Lack of audit trails
  • Ineffective risk assessment
  • Inadequate documentation practices.

These blunders can be detected by conducting a comprehensive risk analysis – ultimately preventing the company from being in a troubled position with a government agency.

Think Smarter with Centre Technologies

Centre Technologies strives to be proactive – conducting third-party risk assessments and working with clients to provide solutions that meet their needs and regulatory obligations. Do you need help with a regulatory strategy? Reduce your risks with Centre Technologies. Contact us today.  


Originally published on September 15, 2015

About the Author

Centre Technologies

Centre Technologies is a full-service IT consulting and managed services provider headquartered in Texas, with a focus on mid-sized businesses. As a trusted IT partner for well over a decade, Centre is recognized for its local experience and enterprise-grade cloud and cybersecurity solutions. Centre is committed to helping organizations harness the power of technology to maximize their operational efficiency and exceed their business goals.