15 Jan 2020

Data Integrity Risk Management for Life Sciences Companies

By: Scott Bass and Deeona Gaskin, Sidley Austin LLP

This article addresses key topics related to the management of data by drug, biologic, and medical device companies whose products are regulated by the U.S. Food and Drug Administration (FDA). This includes strategies for identifying potential data integrity compliance gaps and questions to ask drug, biologic, medical device, and other life sciences clients.

ALTHOUGH THIS ARTICLE FOCUSES PRIMARILY ON THE FDA’s approach to data integrity, you and your client should be aware that other agencies in Europe, China, Japan, and Australia have adopted similar approaches in trying to ferret out sneaky or sloppy record-keeping practices by drug and medical device companies. To the extent that your client’s business operations extend to countries other than the United States, you and your client must understand the applicable laws, regulations, and agency guidance in those other jurisdictions. Where necessary, consult with an attorney with expertise in advising clients in those jurisdictions.

Overview of Data Integrity Enforcement

In the 1970s, the FDA finalized the current good manufacturing practice (GMP) requirements for drugs. The FDA included specific data integrity requirements in the GMPs and the related good laboratory practices (GLP) regulations.

In the late 1980s, Congress investigated allegations of widespread fraud in the newly emergent generic drug industry. Wholesale document forgeries and manufacturing lapses were discovered. Senior executives went to jail, and companies closed down.

The FDA then finalized a policy entitled “Fraud, Untrue Statements of Material Facts, Bribery, and Illegal Gratuities; Final Policy” (1991), which became known as the Application Integrity Policy (AIP). When the FDA decided that wrongful acts merited the withdrawal of an application or deferral of substantive review of an application, this was known as “Invoking AIP.” The FDA has publicly listed companies for which it had invoked AIP because of data reliability concerns, and this AIP policy continues today.

In 1997, the FDA finalized 21 C.F.R. pt. 11, which addresses, in part, controls needed to ensure the data integrity of electronic records.

The FDA is not the only regulatory agency focused on data integrity. Following the United States’ lead, many other regulators have developed guidance. For example, in 2018, the United Kingdom’s Medicines and Healthcare Products Regulatory Agency (MHRA) published “‘GXP’ Data Integrity Guidance and Definitions,” which emphasizes the importance of complete, consistent, and accurate data and Attributable, Legible, Contemporaneous, Original, and Accurate (ALCOA) principles. Similarly, Health Canada has a “Good Manufacturing Practices Guide for Drug Products.”

A bad inspection with a regulator in one country can have negative ramifications with regulators in other countries. For example, the FDA has mutual recognition agreements with many European Union (EU) countries, including the United Kingdom’s MHRA, France’s Agence Nationale de Sécurité du Medicament et des Produits de Santé, and Ireland’s Health Products Regulatory Authority.

Data Integrity and Good Manufacturing Practices

Data integrity requirements are found in the FDA’s GMP regulations located at, for example, 21 C.F.R. pt. 211, with greater detail in FDA guidance documents.

The FDA views data integrity compliance as essential to ensuring that drug and medical device products are safe, effective, and high quality. Noncompliance with data integrity rules affects the FDA’s ability to rely on and make sound decisions based on data provided by your client to the agency as part of an application or report.

Once the FDA raises a data integrity issue related to information provided by your client, the FDA no longer trusts your client. In practice, that means it will be significantly more challenging for you and your client to obtain necessary approvals from the agency, and your client may be subject to regulatory or enforcement actions (described further below).

Under GMPs, GLPs, and related guidance, a drug or medical device company’s quality assurance department is responsible for ensuring that its safety and manufacturing records accurately document the company’s actual operating procedures and reported results.

The FDA expects that your client’s data will be “attributable, legible, contemporaneously recorded, original or a true copy, and accurate.” This concept is referred to within the sciences industry as the ALCOA principle. Essentially, ALCOA means that data must be accurate and legible and contemporaneously recorded. For example, your client’s quality assurance team should be able to know from reviewing data included in internal batch records which operators completed specific tasks and the test results. Moreover, FDA investigators should be able to review batch records during inspections because the information is legible.

Additionally, data must be contemporaneously recorded, which means that manufacturing results are recorded as they occur and not hours or days later or before based on expected results.

ALCOA principles are not limited to internal GMP documents. Information submitted to the agency, like adverse event reports, new drug application supplements, or premarket approval supplements must also have accurate, legible information and must include originals or true copies of underlying, relevant data.

Under 21 C.F.R. § 211.100(b), your company’s production and process control procedures must (1) be followed in the execution of your company’s various production and process control functions and (2) be documented at the time of performance.

In addition, under 21 C.F.R. § 211.188(a), your client must keep “[a]n accurate reproduction of the appropriate master production or control record, checked for accuracy, dated, and signed.” To comply with this requirement, your client must make sure that copies are complete and match the originals. If the original record includes metadata, the copy must include this metadata as well.

Under 21 C.F.R. § 211.194, your client’s records must “include complete data derived from all tests necessary to assure compliance with established specifications and standards.” For example, in the laboratory, if there is a required test based on the specifications in the approved application and a failing test result occurs, the failing test result still needs to be recorded in the batch record, even if the test is later invalidated due to laboratory error.

Understanding the FDA’s Regulatory and Enforcement Tools

Data integrity violations can lead to serious consequences, including:

Bad press. Companies are put on a publicly accessible list and customers may refuse to deal further with the manufacturer. Since the products are rendered adulterated, both federal and state prosecutions, and private litigation, may follow a company’s failure to follow current GMP regulations related to data integrity.
Warning Letters. Increasingly, FDA Warning Letters have included data integrity violations. Often, these Warning Letters are a prelude to prosecution. They can also be considered by some states as evidence of consumer fraud or other statutory violations. This is the most common action FDA takes for violations uncovered during FDA inspections. An unsatisfactory response by your client could lead the FDA to take stronger actions, such as injunctions, seizures, or criminal prosecution. Although Warning Letters often come before prosecution due to internal agency guidelines, there is no requirement that a company receive a Warning Letter first.
Withdrawal or suspension of drug/device applications. The FDA has an AIP which includes the option of withdrawing an application in cases of material fraud. Data integrity problems uncovered during GMP inspections or prior approval inspections may also lead to delays in application or supplement approvals.
Stopping product at the border. The FDA can impose import alerts to prevent the import of the products by a manufacturer pursuant to Section 801(a)(3) of the federal Food, Drug, and Cosmetic Act. Once a product is subject to an import alert, it may be detained without physical examination at the time of entry.
Injunctions shutting companies down and imposing monitors. The FDA may enjoin a company from distributing product to the market and require that third parties audit and certify the facilities, and then that the FDA reinspect the facilities, before a company can resume manufacturing and selling product.
Seizure of product. This can take place at a customer’s warehouse or at the manufacturer’s premises. The FDA may administratively detain or request that the U.S. Marshals Service seize millions of dollars of product and the goods may be destroyed.
Senior executive criminal liability. Senior executives who have supervisory responsibility—even if they had no knowledge of the violations—can be prosecuted for strict liability misdemeanors¹ and in cases where mens rea is established, for felonies.
Billion-dollar penalties under health-care laws and possible onerous corporate integrity agreements. GMP has become a part of the fraud and abuse panoply of underlying health-care offenses. The U.S. Department of Justice also frequently charges criminal defendants under false statements theories. Exclusion from Medicaid and Medicare reimbursement is another possible consequence.

Risk Management Strategies

The following are basic steps a company can take to comply with the FDA’s data integrity regulations and guidance:

Perform data integrity assessments. Your client should perform an assessment, using internal resources or experienced third parties, to evaluate current data controls. Questions to ask include:
- Does your firm have a signature log?
- Are there unique usernames and passwords?
- How often are audit trails reviewed?
- Are spreadsheets validated? If gaps are identified, you can devise a plan to address them in a prioritized fashion based on risk.
Examine both lab and production activities. In the past, the FDA has focused on labs and the integrity of laboratory data. However, the FDA is increasingly focused on production processes and areas. Consider the controls in place throughout your facility, such as user access to equipment.
Institute a quality on the floor program. The presence of quality personnel during production can encourage personnel to comply with procedures describing how to appropriately generate and handle data. Quality personnel may also be able to witness critical activities that are being documented.
Be suspicious of data that is too perfect. Sometimes perfect data masks fraud. If your client never sees failing test results for a particular laboratory test, or if environmental monitoring data looks too good, or if employees are too efficient (too many steps are completed in too short of a time period), then your client should examine controls in place to prevent the falsification of data.
Create a culture where employees feel comfortable raising concerns. If an employee raises a legitimate concern, promptly investigate. Additionally, find ways to incentivize this behavior so that transparency is valued and rewarded. There have been times when the FDA investigators have begun an inspection with advance knowledge about specific data integrity lapses because they have received information from informants, who may be current or former employees. Bear in mind that employees may become whistleblowers if they feel that the quality issues they raise are ignored or if they believe that the company is engaged in wrongdoing.
Impose a 10,000-foot perspective. Complying with data integrity requirements is more than being able to say with confidence that no one at your company is committing fraud (e.g., intentionally falsifying records). The FDA cares about systemic controls. The FDA wants you to be able to prevent data integrity lapses and detect it if it ever occurs, even if you have no reason to believe any employee would engage in deceptive practices.

Responding to Data Integrity Violations

Take the following steps to adequately address and mitigate data integrity incidents and to ensure preservation of the attorney-client privilege and work product protection for certain company materials:

Open a documented investigation promptly. Make it a high priority to determine whether the incident could and does have a quality impact. If so, batches may need to immediately be put on hold and the FDA may need to be notified.
Determine the scope of the issue and the root cause. First, determine who was involved in the incident and how widespread the problem may be. Interview employees, under privilege as a best practice, to determine scope and root cause.
Determine appropriate corrective and preventive actions (CAPAs). Based on the root cause determination, CAPAs should be developed. An example might be additional training, with quizzes to ensure comprehension. A preventive action might be modifying standard operating procedures and batch records so that certain manufacturing steps require second person verification, meaning that another person must witness the event and document his or her involvement in the batch record. A corrective action could be performing a retrospective review of records to ensure that past records are accurate. Some corrective actions may be more systemic and take time to implement. You should consider whether interim controls are necessary. Also, you should work with your client’s human resources department to determine appropriate employment actions for employees involved in data integrity incidents.
Engage third parties. If the FDA discovers a data integrity issue before your client, then your involvement, the involvement of counsel specializing in life sciences data integrity investigations, or the involvement of a consultant becomes more important. The agency has stopped trusting what the company says, and many independent third parties have strong reputations with the agency. The FDA may request (in a Warning Letter, for example) that your client engage a third-party consultant. However, hiring a third-party consultant before the FDA requests that your client do so will show the agency that your client is committed to compliance and uncovering any systemic issues arising from a data integrity lapse.
Determine if FDA Disclosure is needed. If the data integrity violation impacts the quality of distributed batches or could lead to adverse health consequences, the FDA must be notified. Depending on the circumstances, a Field Alert Report, Adverse Event Report, Medical Device Report, or Biological Product Deviation Report may be the appropriate communication tool.

Scott Bass heads Sidley Austin’s Global Life Sciences team, coordinating pharmaceutical, medical device, food, and dietary supplement matters in the United States, Europe, and Asia. He is ranked internationally among the top authorities on FDA-related enforcement and regulatory issues and has led GMP audits and investigations in the United States, EU, and China. Deeona Gaskin served as Associate Chief Counsel for Enforcement at the U.S. FDA and is now a senior associate in Sidley’s Food, Drug and Medical Device Compliance and Enforcement group. She handles current Good Manufacturing Practice, Quality System Regulation, data integrity, product recalls, and adverse event reporting matters on several continents, and also represents companies in False Claims Act enforcement actions and investigations.

To find this article in Lexis Practice Advisor, follow this research path: