“What makes an electronic signature vendor 21 CFR Part 11 compliant?”
This is a common question in the pharmaceutical industry, and the answer isn’t always immediately clear. Several e-signature vendors claim to be compliant, but upon closer inspection, that’s not always true.
21 CFR Part 11 is a regulation published by the FDA to establish requirements for electronic records and electronic signatures to make sure they have at least the same controls as their paper-based counterparts.
There are a lot of different parts of the regulation, but we’re going to address the ones that stand out compared to regulations in other industries. These regulations go far beyond the simple requirements set by the ESIGN Act and UETA.
Must Have a Detailed Audit Trail
“Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.” —21 CFR Part 11, Subpart B, Sec. 11.10(e)
21 CFR Part 11 requires that electronic signatures come with a detailed, time-stamped history of the record: an audit trail. The purpose is to establish accountability and to let you go back to any point in time and see what the state of that record was, without earlier entries being overwritten or hidden by later changes.
Every audit trail must log all of the events in the document’s lifecycle, including:
- Transaction creation
- Signer consent to use e-signatures
- Signer identity authentication
- Each signature and initial on the document
- Cancellations and opt-outs
- Document deletion
This level of detail will give your company protection if anyone tries to claim “I didn’t sign that.”
Must Be Protected Against Tampering
“Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.” 21 CFR Part 11, Subpart B, Sec. 11.10
If you think about a hardcopy record on paper, what you see is what you get. If somebody makes a change, it tends to be obvious. In an electronic system without the proper controls, a change could be made to the record and no one would ever know. The regulation does not name a mechanism; it requires controls that ensure the authenticity and integrity of the record. In practice that is delivered by a property the industry calls “tamper evidence.”
With tamper evidence, if someone changes any part of the document (even something as simple as capitalizing a word), there is proof that tampering took place. The FDA requires that records be protected from tampering not just at the end of the signing process but throughout the process, so a second signer must be signing exactly what the first signer signed. Today, SIGNiX is the only electronic signature vendor on the market to offer this level of tamper evidence.
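The two requirements above (a secure, time-stamped audit trail whose entries cannot be silently altered or obscured, and tamper evidence for the document throughout the signing process) can be illustrated with a hash-chained trail. The following is an added example written for this page; it is not SIGNiX's code or any vendor's product. It assumes a service-held HMAC key (a constructed constant here), an in-memory trail, and a constructed sample record; the actor names, timestamps and the `AuditTrail`/`verify_trail` names are illustrative.

```python
"""Hash-chained, time-stamped audit trail with document tamper evidence.

Added example, not any vendor's code. Assumes a service-side HMAC key
(constructed constant below) and an in-memory trail; a real system would
keep the key in an HSM/KMS and persist entries to write-once storage.
"""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. Entries are authenticated with a key signers never
# hold, which is what makes the trail "computer-generated" and "secure".
SERVICE_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    # Deterministic encoding so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only chain: every entry commits to the document state it saw
    and to the previous entry, so nothing can be altered or removed silently."""

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, document: bytes, at: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,  # create / consent / authenticate / sign / ...
            "doc_sha256": sha256_hex(document),
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(canonical(entry))
        entry["mac"] = hmac.new(SERVICE_KEY, entry["entry_hash"].encode(), "sha256").hexdigest()
        self.entries.append(entry)
        return entry


def verify_trail(entries: list, current_document: bytes) -> tuple:
    """Return (ok, reason). Checks the chain, each entry's MAC, that the
    document never changed once the first signature was applied, and that
    the stored document matches the last audited state."""
    if not entries:
        return False, "empty trail"
    prev = GENESIS
    frozen_doc = None  # document digest is frozen by the first "sign" event
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev_hash") != prev:
            return False, f"chain broken at entry {i}"
        body = {k: v for k, v in e.items() if k not in ("entry_hash", "mac")}
        if sha256_hex(canonical(body)) != e.get("entry_hash"):
            return False, f"entry {i} content altered"
        expected = hmac.new(SERVICE_KEY, e["entry_hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, e.get("mac", "")):
            return False, f"entry {i} not authenticated by service"
        if frozen_doc is not None and e["doc_sha256"] != frozen_doc:
            return False, f"document changed after signing (entry {i})"
        if e["action"] == "sign":
            frozen_doc = e["doc_sha256"]
        prev = e["entry_hash"]
    if sha256_hex(current_document) != entries[-1]["doc_sha256"]:
        return False, "stored document does not match last audited state"
    return True, "ok"


def demo() -> dict:
    # Constructed sample record and a two-signer lifecycle.
    doc = b"Batch record 2024-0001: temperature held at 25 C for 30 minutes."
    t = AuditTrail()
    t.record("system", "create", doc, "2024-01-15T09:00:00+00:00")
    t.record("alice", "consent", doc, "2024-01-15T09:01:00+00:00")
    t.record("alice", "authenticate", doc, "2024-01-15T09:01:30+00:00")
    t.record("alice", "sign", doc, "2024-01-15T09:02:00+00:00")
    t.record("bob", "authenticate", doc, "2024-01-15T10:00:00+00:00")
    t.record("bob", "sign", doc, "2024-01-15T10:00:30+00:00")
    results = {"untouched": verify_trail(t.entries, doc)}
    # 1. One word in the stored document is capitalized after signing.
    edited = doc.replace(b"temperature", b"Temperature")
    results["capitalized_word"] = verify_trail(t.entries, edited)
    # 2. History is rewritten: the actor on a past entry is changed.
    forged = copy.deepcopy(t.entries)
    forged[3]["actor"] = "mallory"
    results["edited_entry"] = verify_trail(forged, doc)
    # 3. An entry is deleted from the middle of the trail.
    pruned = [e for e in t.entries if e["seq"] != 2]
    results["deleted_entry"] = verify_trail(pruned, doc)
    # 4. The document is changed between the first and second signature.
    t2 = AuditTrail()
    t2.record("system", "create", doc, "2024-01-15T09:00:00+00:00")
    t2.record("alice", "sign", doc, "2024-01-15T09:02:00+00:00")
    t2.record("bob", "sign", edited, "2024-01-15T10:00:30+00:00")
    results["changed_mid_process"] = verify_trail(t2.entries, edited)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}: {reason}")
```

One caveat a hash chain alone does not solve: deleting entries from the tail of the trail leaves a chain that still verifies. Detecting truncation needs an external anchor for the current head, such as write-once storage, a trusted timestamp, or periodic publication of the latest entry hash.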
Must Verify Identity for Each Signature—“Click to Sign” Isn’t Enough
“… subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.” —21 CFR Part 11, Subpart C, Sec. 11.200(a)(1)(i)
In some less-regulated industries, the type of electronic signature you use isn’t all that important. Many people use a type of electronic signature that only requires you to click a button to sign a document. While that’s all well and good when it comes to your kid’s field trip permission slip, it doesn’t cut it in the pharmaceutical industry.
The FDA has very specific rules about what counts as a signature. Proving your identity when you first log in to the system is not enough. The first signing in a session must use all of your signature components (for example, user ID and password), every later signing in that same continuous session must use at least one component that only you can execute, such as your password, and any signing outside a single continuous session again requires all components. Simply clicking a button without re-proving your identity isn’t enough.
Must Use Multi-Factor Authentication
“[Must] employ at least two distinct identification components such as an identification code and password.” —21 CFR Part 11, Subpart C, Sec. 11.200(a)(1)
When you do business online, you need to know who you're doing business with, and electronic signatures are no exception. If a signed document is challenged in court, you'll have to prove the signer’s identity. That’s why the FDA requires that you use at least two types of authentication to prove signers’ identities. Common types of authentication include:
- Email Authentication: The signer confirms their identity by clicking a link to prove they have access to their email account.
- Shared Secret Questions: The signer answers a question that you choose when you send the document. Common questions include the last four digits of an account number, the signer’s mother’s maiden name or any other questions that help verify the signer’s identity.
- Mobile Phone Authentication: The electronic signature vendor sends a text message to the signer with a randomly generated code. The signer is authenticated when they enter the correct code into the signing interface.
- Knowledge-Based Authentication (KBA): The signer enters their date of birth or social security number and is then prompted with a set of four questions based on a database of 30 years of records. This is a well-known authentication method that pulls information from credit reports, public health records, town hall records and more.
Using at least two of these methods gives you the strongest evidence against fraud. Note that Part 11 asks for two distinct identification components (an ID code and a password both count), which is weaker than multi-factor authentication in the usual sense. To earn that name, the two components should come from different factor categories: something the signer knows (a password or shared secret) combined with something they possess (a phone that receives a one-time code), rather than two knowledge-based checks such as a shared secret plus KBA.
What to Look for in a Vendor
Who is responsible for compliance? You might think the electronic signature vendor is responsible, but the regulation holds the regulated company, the one that owns the records, ultimately responsible. If an electronic signature vendor tells you they’re compliant when they aren’t, they aren’t the ones that will pay—you will!
The good news is that you can leverage the electronic signature vendor’s services to become compliant, provided you do your due diligence on the vendor. Here are some key questions to ask during your audit of an electronic signature company:
- What information is stored in the audit trail?
- Is each signature and initial time-stamped?
- Is each signature and initial represented in the audit trail?
- Can the audit trail be accessed without an Internet connection?
- How do you prove the identity of the signers?
- Does every signature and initial require a password or PIN of some kind?
- How are the documents protected against tampering?
- Are the documents protected from tampering during the signing process?
You should also develop a robust service level agreement with the electronic signature vendor, which will make sure they support your efforts to be 21 CFR Part 11-compliant. You should include topics like:
- Your right to audit the vendor’s systems
- How they’re going to manage security
- How they’ll separate your data from other customers’ data
Internal Policies Essential for Compliance
But compliance isn’t just about which vendor you choose. It’s also about the policies you put in place and how your employees interact with the software. If you don’t address these issues internally, the electronic signature service won’t give you a fully compliant solution. You should consult with a compliance expert to create an electronic signature policy for your company.
Here are the parts of the regulations that can only be completely achieved by a company-wide policy:
- Protection of records to enable their accurate and ready retrieval throughout the record retention process
- Limiting system access to authorized individuals
- Use of operational system checks to enforce permitted sequencing of steps and events
- Determination that the people who develop, maintain and use the system have the proper education, training and experience
- Written policies to hold individuals accountable for things they agreed to do to deter record and signature fraud from within the company
- Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
- The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.
With these tips in mind, you can be sure to choose an electronic signature vendor that meets the requirements set by 21 CFR Part 11.