Compliance

Compliance – How MaxxVault Solutions Help You Meet Your Compliance Requirements

One of the key benefits of implementing MaxxVault is the radically improved records management capabilities. More and more stringent document handling and management laws have come into place requiring careful handling of documents or risk stiff penalties. MaxxVault provides the tools to make maintaining compliant records easy. Below we have provided a brief overview of some of the legislation to be aware of when drafting your document handling policies.

HIPAA – the United States Health Insurance Portability and Accountability Act of 1996: There are two sections to the Act. HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs. HIPAA Title II includes an administrative simplification section which deals with the standardization of healthcare-related information systems. In the information technology industries, this section is what most people mean when they refer to HIPAA. HIPAA establishes mandatory regulations that require extensive changes to the way that health providers conduct business.

HIPAA seeks to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. The Act mandates: standardized formats for all patient health, administrative, and financial data; unique identifiers (ID numbers) for each healthcare entity, including individuals, employers, health plans and health care providers; and security mechanisms to ensure confidentiality and data integrity for any information that identifies an individual.

GDPR – The European Union General Data Protection Regulation of 2016: The General Data Protection Regulation (GDPR) (EU) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and, after a two-year transition period, becomes enforceable on 25 May 2018.

GDPR also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR extends the scope of EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data-protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data-protection compliance regime with severe penalties of up to 4% of worldwide turnover. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, such as a cloud service provider), or the data subject (person) is based in the EU. Under certain circumstances, the regulation also applies to organizations based outside the EU if they collect or process personal data of individuals located inside the EU.

21 CFR Part 11 compliance: Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES). Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. Practically speaking, Part 11 applies to drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated industries. It requires that they implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing the electronic data that FDA predicate rules require them to maintain. A predicate rule is any requirement set forth in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11. The predicate rules mandate what records must be maintained; the content of records; whether signatures are required; how long records must be maintained, etc. If there is no FDA requirement that a record be created or retained, then 21 CFR Part 11 most likely does not apply to the record.

SOX – The Sarbanes-Oxley Act of 2002: The Sarbanes-Oxley Act (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.

The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for “not less than five years.” The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.

FINRA – The Financial Industry Regulatory Authority 2007: In the United States, the Financial Industry Regulatory Authority, Inc. (FINRA) is a private corporation that acts as a self-regulatory organization (SRO). FINRA is the successor to the National Association of Securities Dealers, Inc. (NASD) and the member regulation, enforcement and arbitration operations of the New York Stock Exchange. It is a non-governmental organization that regulates member brokerage firms and exchange markets. The government agency which acts as the ultimate regulator of the securities industry, including FINRA, is the Securities and Exchange Commission. The Financial Industry Regulatory Authority is the largest independent regulator for all securities firms doing business in the United States. FINRA’s mission is to protect investors by making sure the United States securities industry operates fairly and honestly. FINRA oversees about 4,250 brokerage firms, about 162,155 branch offices and approximately 629,525 registered securities representatives.