Phoenix Ambulatory Blood Pressure Monitor Project
Regulations on Medical Data

Disclaimer: all commentary on this page regarding FDA, HHS and WHO regulations is the opinion of the author.

 

Regulatory agencies around the world differ in their requirements for the handling of medical records. For example, the World Health Organization (WHO) and the US Food and Drug Administration (FDA) have different standards. However, for medical devices most regulatory bodies have similar requirements: they are generally more concerned that the product, procedure or service does not harm the patient than with whether it meets any particular specification. Enforcement of product specifications is generally left to the device manufacturer (i.e. the industry).

In the United States the regulatory issue is further complicated by the fact that some medical data is controlled by the Food and Drug Administration, and some by the Department of Health and Human Services (HHS).

US Food & Drug Administration (FDA) Regulations

In the United States, regulations regarding medical devices are enforced by the Food and Drug Administration through Section 21 of the Code of Federal Regulations (21 CFR). The regulations vary in terms of the application of the data, with medical devices being most concerned with diagnostic, calibration and design history file records. Copies of the regulations can be found on-line from the US Government Printing Office web site (www.gpo.gov).

The regulations vary from device to device, and generally depend on how a device affects the patient if it fails. Devices are rated using a three-tiered class system, where Class I has the least rigorous testing requirements and Class III has the greatest. Table 1 broadly describes the three classes.

Table 1. FDA Device Classes.

Class | Description
I | Class I devices are subject to the least regulatory control. They present minimal potential for harm to the user and are often simpler in design than Class II or Class III devices. Examples of Class I devices include elastic bandages, examination gloves, and hand-held surgical instruments.
II | Class II devices are those for which general controls alone are insufficient to assure safety and effectiveness, and existing methods are available to provide such assurances. Examples of Class II devices include powered wheelchairs, infusion pumps, and surgical drapes.
III | Class III is the most stringent regulatory category for devices. Class III devices are usually those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury. Examples of Class III devices include implantable pacemaker pulse generators and replacement heart valves.

 

 

Regulations under 21 CFR 820.30 (FDA): Design Validation

Section 21 CFR 820.30 mandates that a design history file (DHF) be kept for all medical devices. The purpose of this file is to maintain procedures and records that control the design of the device. This assures that design requirements are met. Section (g) specifies that every medical device must undergo a design validation:

21 CFR 820.30(g) Design validation. Each manufacturer shall establish and maintain procedures for validating the device design. Design validation shall be performed under defined operating conditions on initial production units, lots, or batches, or their equivalents. Design validation shall ensure that devices conform to defined user needs and intended uses and shall include testing of production units under actual or simulated use conditions. Design validation shall include software validation and risk analysis, where appropriate. The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shall be documented in the DHF.

 

Regulations under 21 CFR 820.70 (FDA): Production & Process Controls

Section 21 CFR 820.70 covers the production and process control quality of medical devices. Section (i) is particularly relevant to the software validation process as it specifies that:


21 CFR 820.70(i) Automated processes. When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.

 

Regulations under 21 CFR Part 11 (FDA): Electronic Records

Section 21, Part 11 of the Code of Federal Regulations (FDA/HHS) generally covers electronic records and signatures used for medical records. It can also be viewed as the mechanism (procedure) for turning uncontrolled documents into legal documents that have an auditable paper trail. An excellent source of this information can be found on-line at: http://www.21cfrpart11.com/.

For example, software source code obtained from public sources (e.g. Linux operating system components) is considered an uncontrolled document. However, once the software is validated for use in a medical device, it must be controlled under the provisions of 21 CFR Part 11. At that point it is considered a legal document with an auditable paper trail.

 

Types of Records

While these regulations are generally thought of as pertaining to diagnostic records (e.g. blood pressure data), they are used for all types of data as listed in the regulations, including records in the design history file. This includes documents such as validated software source code, manuals, reports and so forth. Section 21 CFR 11.1(b) specifies that:

21 CFR 11.1(b) Scope (partial quote). This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.

 

Audit Trail

Each medical record must maintain an audit trail. In general, the audit trail is attached to the data and is made part of the record itself. This can include data such as:

 

Signature (Paper or Electronic)

All documents must be signed by their respective owner, either by paper (handwritten) or electronic means. The signature must be linked to the data record. This is an important part of the audit trail because it establishes and verifies that an authorized entity (person or corporation) created the document. If electronic signatures are used, then minimum requirements for authentication of individuals are presented as well.
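The Audit Trail and Signature passages above say the trail is part of the record and the signature is linked to the data. The following is an added example, not code from the original page and not a mechanism that 21 CFR Part 11 prescribes, showing one way to get that property: each audit entry is signed over a hash of the data and over the previous entry's signature. The field names, the signer ID, the demo key and the use of HMAC-SHA256 as a stand-in for an electronic signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; an HMAC stands in for an electronic signature (assumption).
SIGNER_KEYS = {"clinician_a": b"constructed-demo-key"}
FIELDS = ("signer", "action", "timestamp", "data_sha256")  # hypothetical names

def data_hash(data):
    """SHA-256 over a canonical JSON encoding of the record's data."""
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()

def entry_mac(entry, prev_sig):
    """MAC over the entry fields plus the previous signature (chains entries)."""
    msg = json.dumps({"entry": [entry.get(k) for k in FIELDS], "prev": prev_sig})
    return hmac.new(SIGNER_KEYS[entry["signer"]], msg.encode(),
                    hashlib.sha256).hexdigest()

def append_signed(record, signer, action, timestamp, data):
    """Set the record's data and append a signed audit entry to the record."""
    trail = record.setdefault("audit_trail", [])
    entry = {"signer": signer, "action": action, "timestamp": timestamp,
             "data_sha256": data_hash(data)}
    entry["signature"] = entry_mac(entry, trail[-1]["signature"] if trail else "")
    record["data"] = data
    trail.append(entry)
    return record

def verify(record):
    """Return (ok, reason); any edit to data or trail breaks a signature."""
    trail, prev = record.get("audit_trail", []), ""
    if not trail:
        return False, "no audit trail"
    for i, entry in enumerate(trail):
        if entry.get("signer") not in SIGNER_KEYS:
            return False, f"entry {i}: unknown signer"
        if not hmac.compare_digest(str(entry.get("signature")), entry_mac(entry, prev)):
            return False, f"entry {i}: bad signature"
        prev = entry["signature"]
    if trail[-1]["data_sha256"] != data_hash(record.get("data")):
        return False, "data does not match last signed entry"
    return True, "ok"

def demo_record():
    """Constructed sample: a blood pressure reading, created and then amended."""
    rec = append_signed({}, "clinician_a", "create", "2004-11-21T10:00:00Z",
                        {"systolic_mmHg": 120, "diastolic_mmHg": 80})
    return append_signed(rec, "clinician_a", "amend", "2004-11-21T10:05:00Z",
                         {"systolic_mmHg": 118, "diastolic_mmHg": 80})
```

Calling `verify(demo_record())` returns `(True, "ok")`; changing the data, editing an entry, or deleting an earlier entry makes it return a failure naming the first entry that no longer verifies.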

Open and Closed Systems

21 CFR Part 11 defines controls for two types of systems: closed and open. A closed system is one where system access is controlled by the persons who are responsible for the content of records that are in that system. For example, if files are maintained by a company on its own computer using its own software and personnel, then it's a closed system. If the files are maintained on someone else's system (e.g. via the internet), then it's an open system.

 

US Health & Human Services (HHS) Regulations

In the United States some medical data regulations are controlled by the US Department of Health and Human Services (HHS). These are covered under the Health Insurance Portability and Accountability Act (HIPAA). Relevant sections include 45 CFR parts 160 and 164: Standards for privacy of individuals. A good source of information about HIPAA regulations can be found at: http://www.ihs.gov/.

 

About This Page

This page is maintained by Wade D. Peterson. It was last updated on 21 Nov 2004.

The author(s) provide this information as a public service, and agree to place any novel and useful inventions disclosed herein into the public domain. They are not aware that this material infringes on the patent, copyright, trademark or trade secret rights of others. However, there is a possibility that such infringement may exist without their knowledge. The user assumes all responsibility for determining if this information infringes on the intellectual property rights of others before applying it to products or services.

(C) 2004 Wade D. Peterson. Copying and distribution of this page is permitted in any medium, provided this notice is preserved.
