Regulatory Compliance
Q.1 Is certification of document copies a regulatory requirement under EMA or MHRA guidelines?
Answer: Certification is not explicitly mandated in EMA or MHRA regulations. However, EMA’s Reflection Paper on TMF and guidance from national regulators (e.g., MHRA, BfArM, ANSM) emphasize the importance of traceable document destruction and complete audit trails. As a result, certified copies and certificates of destruction are considered best practices to meet inspection readiness expectations.
Q.2 In the Certified Copy requirement, does “EU” refer to the European Union, and is the Certified Copy concept specific to EU regulations?
Answer: The term “EU” in the Certified Copy requirement refers to European regulatory best practices, specifically those outlined by agencies such as EMA, MHRA, BfArM, and ANSM. It does not imply the concept is exclusive to the European Union. Certified Copies are recognized in both EU and FDA frameworks. While certification is not explicitly required by regulation, it is widely expected as part of inspection readiness, particularly to demonstrate traceability in document destruction and audit trails. The use of "ET" in earlier documentation was a typographical error and has been corrected to "EU" to align with these expectations.
Q.3 Is “EU” the correct term in the requirement, and what does it refer to?
Answer: Yes, “EU” is correct. It refers to European regulatory best practices (e.g., EMA, MHRA) related to certified copies and inspection readiness.
Q.4 What is HITRUST?
Answer:
HITRUST (Health Information Trust Alliance) is the organization that maintains the HITRUST CSF, a certifiable framework designed to help organizations manage data protection, information risk, and compliance, particularly in the healthcare sector. Although it was originally developed to address healthcare regulatory requirements such as HIPAA (Health Insurance Portability and Accountability Act), the HITRUST CSF has since been adopted by organizations in a range of industries.
Q.5 What is ISO 27001?
Answer:
ISO/IEC 27001 is the international standard for managing information security. Published by the International Organization for Standardization (ISO) together with the IEC, it applies to organizations of any size in any industry. Its goal is to establish, implement, maintain, and continually improve an Information Security Management System (ISMS); certification is issued by an accredited third-party auditor against the standard's requirements.
Q.6 How does HITRUST compare to ISO 27001?
Answer:
Q.7 Do HITRUST and ISO 27001 certifications differ from a compliance perspective?
Answer:
Yes, HITRUST and ISO 27001 address different aspects of security and compliance. ISO 27001 focuses on the Information Security Management System (ISMS) and general corporate information security practices. HITRUST, on the other hand, is more specific to the services and technologies used to process sensitive data such as Protected Health Information (PHI). HITRUST is considered more comprehensive because its control set incorporates HIPAA and PHI-specific requirements, which ISO 27001 does not directly cover.
Q.8 Can HITRUST be considered a more comprehensive certification than ISO 27001?
Answer:
Yes, HITRUST can be considered more comprehensive than ISO 27001, because it not only covers the foundational aspects of information security but also incorporates control mappings to specific regulations such as HIPAA and GDPR. ISO 27001 provides a solid information security management framework; the HITRUST CSF builds on it with additional, prescriptive controls tailored to industries that handle sensitive data, which aligns it more closely with those industries' compliance needs.
Q.9 Why is it important to prioritize HITRUST over ISO 27001 when discussing compliance?
Answer:
HITRUST should be prioritized over ISO 27001 in industries that handle sensitive data such as Protected Health Information (PHI). The HITRUST CSF builds on ISO/IEC 27001 and 27002 (among other sources, such as NIST and PCI DSS) and offers broader coverage, including mappings to regulations such as HIPAA and GDPR. This makes HITRUST particularly relevant for industries that must meet stricter regulatory requirements. Discussing HITRUST first positions the organization as more compliant and more closely aligned with industry needs, as HITRUST certification is increasingly expected in sectors that deal with sensitive data.
Q.10 How can we securely share compliance certificates, like HITRUST or ISO 27001?
Answer:
A Virtual Data Room (VDR) is an effective way to securely share compliance certificates and NDAs with clients. A VDR provides a controlled environment in which only authorized users can access sensitive documents. After uploading the certificates and the NDA to the VDR, you can set permissions so that only the specified clients or parties can view, download, or print the documents. VDRs also typically provide audit trails, so you can see who accessed each document and when, which gives full traceability.
Q.11 What certifications do Trial Interactive and any service or hosting providers hold that are applicable to Trial Interactive?
Answer: AWS, the selected hosting provider, provides virtual servers in its own data centers, which are covered by SOC 2 attestation reports (issued under SSAE 16, the standard that succeeded SAS 70). The servers are configured to Trial Interactive's specifications and requirements during the deployment and configuration process. Once the software is deployed, the application is managed according to Trial Interactive policies and procedures, including the SDLC and Change Management processes.
Q.12 Are there any additional requirements that a customer will need to complete to remain compliant with the EU 95/46 data privacy directive?
Answer: No. Trial Interactive will continue to operate as a Data Processor and our customers will remain Data Controllers. Trial Interactive neither adds nor removes any requirements beyond those normally assigned to a Data Controller. (Directive 95/46/EC has since been replaced by the GDPR; see Q.13.)
Q.13 Is Trial Interactive compatible with new European GDPR privacy regulations?
Answer: TransPerfect QA is currently reviewing the GDPR closely to understand its impact on our business. At this time, we do not anticipate that any major effort will be necessary to ensure compliance for ourselves and our customers. When we complete our analysis, we will inform customers of any impacts we find and provide a statement of our compliance assessment.
Q.14 Is the Trial Interactive implementation of Electronic Signatures compliant with Electronic Record/Electronic Signatures regulations and guidance (e.g., US FDA 21 CFR Part 11)?
Answer: Yes. Trial Interactive provides system controls necessary to meet Title 21 CFR Part 11 compliance for Electronic Records and Electronic Signatures. A separate document is available that provides specific discussions around this compliance, as well as any applicable GxP regulations.
Q.15 Besides the Trial Interactive report and acceptance of the User eSignature agreement, does Trial Interactive make it easier for customers to meet the agency requirement for eSignature agreements?
Answer: The report may be used to maintain these agreements with the agencies easily. For example, the FDA accepts one certificate from an organization (rather than requiring individual certificates from each person or User), provided the certificate makes clear which Clinical Site Users it covers. The preamble to the regulation explains 21 CFR 11.100 in this way: the most responsible organization can submit one certificate that covers all of the external organizations whose persons will use electronic signatures (). A single certification may be stated in broad terms that encompass the electronic signatures of all participants, thus obviating the need for subsequent certifications submitted on a pre-established schedule. Example certification: "Pursuant to Section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that [name of organization] intends that all electronic signatures executed by our employees, agents, or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures."
Q.16 What will the Trial Interactive Privacy Policy be?
Answer: A privacy policy is a legal document that discloses how a party retains, processes, discloses, and purges customer data (such as email addresses, personal information, and credit card details) and is standard for online websites and applications. The Trial Interactive privacy policy is the same as TransPerfect's and is delivered with the product via a link at the bottom of the screen. It states that information obtained is used only for internal business purposes and is not shared with third parties, other than the relevant Users and customers for the purpose of managing a quality process.
Q.17 What will Trial Interactive do with all this Trial Interactive User data?
Answer: Trial Interactive is deployed and managed as a multi-tenant SaaS application, providing our customers with a highly scalable and accessible eTMF platform. The multi-tenant architecture allows efficient sharing of application software and hardware resources while maintaining complete partitioning of each customer's data and of each customer's connection to Trial Interactive.
Q.18 Are all uploaded documents stored in a secure and reliable location? Are they protected from attacks and theft?
Answer: Yes. All document attachments are scanned for viruses and trojans, are encrypted at rest within Trial Interactive, and are encrypted in transit between the Trial Interactive service and its users.
Q.19 Please describe the documentation strategy for company quality policies, Standard Operating Procedures (SOPs), guidelines (e.g., working practices, Work Instructions (WI)), and policy documents, i.e., documents that outline in general terms, rather than as step-by-step instructions, how specific GCP aspects (such as documentation, training, and software development controls) are implemented. Are employees and contract staff trained on new or modified SOPs?
Answer: An SOP is a step-by-step sequence of instructions for performing the operational processes or activities that a policy statement describes in general terms. A Restricted Document is a document that facilitates carrying out a process and therefore needs to be readily available to personnel in the performance of their job duties, but which is not a Controlled Document and so is not subject to the same level of control. Examples include Work Instructions, training materials, job aids, and external standards such as programming guides.
Trial Interactive requires all employees to be trained on the procedures that affect their job role. Re-training is mandatory whenever an applicable SOP is updated. Some staff members are also trained on the regulations that apply to their particular job role. Trial Interactive staff regularly attend seminars in their area of focus, subscribe to publications, follow internet news feeds and blogs, and attend user group meetings.
As part of the Trial Interactive quality system documentation, SOPs are under the direct control of our quality assurance organization. The departmental managers responsible for a given procedure are the only ones with the authority to approve changes to it. Internal staff who are required to use procedures are trained according to the Trial Interactive training matrix. Customers may review procedures only in an audit setting, under the direct supervision of the Trial Interactive Quality Assurance organization; procedural documents are not distributed outside the Trial Interactive Application Services environment.
Q.20 Will Trial Interactive accommodate customers for software audits? How will this process work?
Answer: Trial Interactive ensures that appropriate security and privacy measures are in place at third parties (such as the hosting provider) through vendor audits and formal assessment procedures. Under the Trial Interactive audit policy, customers may visit the corporate office to conduct formal audits of our policies and procedures. Auditing the remote hosting facility is accomplished primarily through standardized documentation such as the hosting provider's SSAE 16 SOC 2 assessment report.