Whistleblower protection

The FDA recently completed its “Internal Review of Agency Actions Related to the U.S. Infant Formula Supply.”

In general, this report has few real planned actions and does not fill me with the hope of internal changes driving improvement.

One of the recommendations really stood out to me. Finding 2 states “Inadequate processes and lack of clarity related to whistleblower complaints may have delayed the FDA’s response to those complaints. A complaint sent via mail and other delivery systems by a confidential informant to agency leaders at FDA’s White Oak campus was not delivered to the addressees.”

Recommendation: The FDA should identify clear definitions for the terms “whistleblower,” “confidential informant,” and “informant,” and develop policies and provide training to staff regarding how to identify, escalate, and appropriately manage confidentiality of such complaints. The agency should also consider connecting complaints from such individuals to information received from product safety complaints, and product manufacturing concerns systems to support more complete access to all safety information. The FDA is evaluating how best to integrate this data to gain a holistic view of all FDA-regulated products and/or manufacturing facilities. The FDA should also review and update its mail and package delivery procedures to ensure that all mail and packages are delivered and received by addressees in a timely manner.

FDA Evaluation of Infant Formula Response

There is a real lack of whistleblower protection in this industry. Often when you hear about a crisis, from baby formula to Theranos to the opioid epidemic, you have to ask “where were the good people at that company?” It can be rather disheartening. It has long been worrisome that the FDA does not have strong whistleblower protection in place, and to see how definitely that contributed to this debacle is just plain scary.

Enforcement Actions Take Too Long

There is a strong case to be made that enforcement actions take way too long with the FDA, and as a result our drug and food supply are less safe than they should be.

Take the consent decree from last week with Morton Grove Pharmaceuticals Inc. The Warning Letter was from March 2017, from an inspection that ended in February 2016. So from inspection to consent decree, it took over five-and-a-half years. No matter where you sit on the regulatory action landscape, I hope you see a problem with that timing.

Being Small and Specialty Does Not Exempt You from the GMPs

Specialty Process Labs LLC is a specialty API manufacturer of natural desiccated thyroid. Which is, yes, what you might think it is. And as far as I can tell, it mostly ships direct to compounding pharmacies and patients. This month they got a warning letter.

The warning letter highlights:

  1. Failure to validate the process
  2. Failure to test to specification
  3. Failure to exercise sufficient controls over computerized systems

All three of these observations make me rather glad my loved ones take levothyroxine, and I am deeply aware of all the difficulties in that drug supply.

Focusing more on the computer system, it is an unsurprising list of bad access controls, change controls not controlled, and failure to validate Excel spreadsheets.

The last observation really stood out to me:

“Manufacturing master batch records held in electronic form on your company’s shared drive do not have restrictions on user access. Your quality unit personnel stated that there are no restrictions for any personnel with login credentials to access new and obsolete master records. Our investigator observed during the inspection multiple versions of batch records were utilized for API lot production.”

This is truly a failure in document access and record management. And it is one I see in a lot of places. The core requirement here is really well stated in the PIC/S Data Integrity Guidance requirement 8.4 “Expectations for the generation, distribution and control of records.” Please read the whole section, but pay close attention to the following:

  • Documents should be stored in a manner which ensures appropriate version control.
  • Master documents should contain distinctive marking so to distinguish the master from a copy, e.g. use of coloured papers or inks so as to prevent inadvertent use.
  • Master documents (in electronic form) should be prevented from unauthorised or inadvertent changes.
  • Document issuance should be controlled by written procedures that include the following controls:
    • details of who issued the copies and when they were issued;
    • clear means of differentiating approved copies of documents, e.g. by use of a secure stamp, or paper colour code not available in the working areas or another appropriate system;
    • ensuring that only the current approved version is available for use;
    • allocating a unique identifier to each blank document issued and recording the issue of each document in a register;
    • numbering every distributed copy (e.g.: copy 2 of 2) and sequential numbering of issued pages in bound books;
    • where the re-issue of additional copies of the blank template is necessary, a controlled process regarding re-issue should be followed with all distributed copies maintained and a justification and approval for the need of an extra copy recorded, e.g.: “the original template record was damaged”;
    • critical GMP/GDP blank forms (e.g.: worksheets, laboratory notebooks, batch records, control records) should be reconciled following use to ensure the accuracy and completeness of records; and
    • where copies of documents other than records, (e.g. procedures), are printed for reference only, reconciliation may not be required, providing the documents are time-stamped on generation, and their short-term validity marked on the document

There are incredibly clear guidelines for these activities that the agencies have provided. Just need to use them.
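As an added illustration (not code from the warning letter, PIC/S, or the original post), the sketch below audits a master-record folder against a document register for the three conditions discussed above: a non-current version left available, content that no longer matches the approved master, and files writable beyond their owner. The file-naming scheme, register layout, and sample files are assumptions constructed for the example, and the permission check assumes a POSIX file system.

```python
import hashlib
import re
import stat
import tempfile
from pathlib import Path

# Assumed naming scheme: <DOC-ID>_v<version>.<ext>, e.g. MBR-001_v3.pdf
NAME = re.compile(r"^(?P<doc>[A-Z]+-\d+)_v(?P<ver>\d+)\.\w+$")

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_master_records(root, register):
    """Return (file name, finding) pairs; register maps doc id -> approved version and sha256."""
    findings = []
    for path in sorted(Path(root).iterdir()):
        m = NAME.match(path.name)
        entry = register.get(m["doc"]) if m else None
        if entry is None:
            findings.append((path.name, "not in document register"))
            continue
        if int(m["ver"]) != entry["version"]:
            findings.append((path.name, "non-current version available for use"))
        elif sha256(path) != entry["sha256"]:
            findings.append((path.name, "content differs from approved master"))
        if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path.name, "writable by group or other"))
    return findings

def demo():
    """Audit a constructed sample folder (file names and contents are made up)."""
    approved = {"MBR-001": (3, b"approved master v3"), "MBR-002": (1, b"approved master")}
    register = {doc: {"version": v, "sha256": hashlib.sha256(body).hexdigest()}
                for doc, (v, body) in approved.items()}
    samples = {  # name -> (content, POSIX mode)
        "MBR-001_v2.pdf": (b"obsolete master", 0o444),
        "MBR-001_v3.pdf": (b"approved master v3", 0o444),
        "MBR-002_v1.pdf": (b"approved master, edited", 0o664),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (content, mode) in samples.items():
            target = Path(root, name)
            target.write_bytes(content)
            target.chmod(mode)
        return audit_master_records(root, register)

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

A check like this only detects drift; the preventive control is still restricting who can read obsolete masters and who can write to the folder at all.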

Requirements on Privacy in Clinical Trials

Been thinking a lot recently of privacy in regard to clinical trials. As you do, I started with gathering some requirements together. Here is what I have:

| Brief Standard Identifier | Description of Industry Standard | Regulation/Guidance/Source |
|---|---|---|
| Subject Identification in Data Systems | The business has SOPs to ensure that data collection instruments and databases utilize an unambiguous subject identification code that allows identification and linkage of all the data reported for each subject. Data tools and systems do not contain personally identifiable information, except the unique subject identification code to link data across the study. | GCDMP – Data Privacy; ICH 5.5.5 |
| Patient Diaries Review | The business has and utilizes SOPs to ensure that the Investigator site personnel review paper-based patient diaries prior to sending the diaries to Data Management to confirm that no personal identification information is present. | MHRA 8.2.7 |
| Confidentiality of Subject Records | The business utilizes formal procedures and practices to ensure that the confidentiality of records that could identify subjects is protected in accordance with the applicable regulatory requirement(s). | ICH 2.11 |
| Informed Consent Prior to Data Collection | The business has a process to establish expectations with the site and confirm that informed consent is obtained from every subject prior to clinical trial participation and prior to processing clinical data. The process should provide direction for withdrawal and revocation of consents. | ICH 2.9, 4.8.8, 6.5.3; 21 CFR 50 |
| Privacy and Personal Data Protection Policy | The business has a Privacy and Personal Data Protection Policy and a Chief Privacy Officer/Data Protection Officer to ensure compliance with EU GDPR and other country, local, and Independent Ethics Committee-required privacy, and data protection practices. | US HIPAA; EU 1995 Data Protection Directive 1995/45/EC; EU GDPR 2016/679; Japan 2016 Act on the Protection of Personal Information; US Privacy Act |
| Privacy and Personal Data Protection Documented Practices | The business has documented procedures, standards, documentation requirements, and responsibilities for defining and ensuring confidentiality, protection, and security of personal data (including but not limited to employee, client, investigator, and patient data) and applying Privacy by Design requirements into procedures that include: definitions of personally-identifying information; descriptions of personal information collected; the purposes for which it is collected; the lawful basis (in the EU) for its collection/use; the types of persons to whom it will be released; the countries to which it may be transferred; privacy and security safeguards; the rights of individuals with respect to their personal information; compliance monitoring | US HIPAA; EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679; Japan’s Law Concerning the Protection of Personal Information – 2005; Japan Act on the Protection of Personal Information – 2016 |
| | The business has documented procedures, standards, documentation requirements, and responsibilities for conducting Privacy Impact Assessments, including when they are implemented, or documentation regarding why they are not applicable. | EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679 |
| Personal Data Processing, De-identification and Pseudonymization | The business has documented procedures, standards, documentation requirements, and responsibilities for enhancing privacy and protecting personal data, both at the time of determining the means for processing data and at the time of actual processing, by adherence to the data minimization principle (i.e., ensuring that only data needed for a clinical trial are collected from clinical trial subjects’ records), encryption at rest and during transit, de-identification and pseudonymization. Where pseudonymization is deployed, the business has appropriate technical (e.g., encryption, hashing, or tokenization) and organizational (e.g., agreements, policies, privacy by design) measures in place to separate pseudonymous data from identification keys. | EU GDPR 2016/679 |
| Personal Data Capture and Data Flow Procedures | The business has written procedures for documenting the data flow for the organization/for individual projects. The data flow comprises what personal data the organization holds, where it came from, and with whom they share it. | EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679 |
| Individual Privacy Notice or Consent | Ensuring that individuals are informed of all required privacy provisions in Privacy Notice or Consent, including: their right to confirm if and how their data are processed, including the right to object to (or limit use of) processing and the right of erasure; plans for data retention; the right to receive a copy of their personal data and to have them transmitted to other organizations; and the complaint process. | US HIPAA; EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679 |
| Support for Personal Data Subject Requests | Receiving, processing, and responding to Personal Data Subject Requests submitted by Data Subjects per their rights under GDPR, and/or assisting the Client to fulfill Client’s obligation to do so: right of access; right to rectification; restriction of processing; erasure (“right to be forgotten”); data portability; objection to the processing, or the right not to be subject to automated individual decision making | EU GDPR 2016/679; Directive 1995/45/EC |
| Privacy and Personal Data Breach Procedures | Detecting, reporting, and investigating personal data breaches, and communicating confirmed data breaches to impacted parties within timelines dictated by applicable regulations (72 hours for regulatory authority reporting) and agreements. Sponsor will be notified of any data breach in association with sponsor projects, including breaches at subcontracted vendors, according to pre-defined timing. | EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679 |
| Privacy and Personal Data Protection Training | The business trains all individuals who have access to personal data on the policy and practices that ensure confidentiality, protection, and security of personal data. | EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679 |
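
As an added illustration (not part of the original post or of any cited regulation), here is one way the subject identification code and pseudonymization requirements above can fit together: a keyed hash (HMAC-SHA256) derives a stable subject code, the key is held apart from the study data, and an allow-list enforces data minimization. The field names, keys, and sample records are assumptions constructed for the example.

```python
import hashlib
import hmac

# Fields the (hypothetical) protocol needs; anything else is dropped (data minimization).
ALLOWED_FIELDS = {"visit", "systolic_bp", "adverse_event"}
DIRECT_IDENTIFIERS = ("name", "patient_id", "date_of_birth")

def subject_code(study_key: bytes, site_id: str, patient_id: str) -> str:
    """Keyed pseudonym: stable within one study, not reproducible without study_key."""
    msg = f"{site_id}|{patient_id}".encode()
    digest = hmac.new(study_key, msg, hashlib.sha256).hexdigest()
    return "SUBJ-" + digest[:16].upper()  # 64 bits, ample for one study's subjects

def pseudonymize(record: dict, study_key: bytes) -> dict:
    """Keep only allowed fields and replace direct identifiers with the subject code."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    out["subject_code"] = subject_code(study_key, record["site_id"], record["patient_id"])
    return out

def leaked_identifiers(rows: list, source: list) -> set:
    """Return direct-identifier values from the source that still appear in rows."""
    secrets = {str(r[f]) for r in source for f in DIRECT_IDENTIFIERS}
    published = {str(v) for row in rows for v in row.values()}
    return secrets & published

# Constructed sample data. In practice each key lives in a key store that the
# people handling the study dataset cannot read.
STUDY_KEY_A = b"constructed-demo-key-study-A"
STUDY_KEY_B = b"constructed-demo-key-study-B"
SAMPLE = [
    {"site_id": "S01", "patient_id": "P-1001", "name": "Jane Roe",
     "date_of_birth": "1980-02-14", "visit": 1, "systolic_bp": 128, "adverse_event": "none"},
    {"site_id": "S01", "patient_id": "P-1001", "name": "Jane Roe",
     "date_of_birth": "1980-02-14", "visit": 2, "systolic_bp": 124, "adverse_event": "headache"},
    {"site_id": "S01", "patient_id": "P-1002", "name": "John Doe",
     "date_of_birth": "1975-09-30", "visit": 1, "systolic_bp": 135, "adverse_event": "none"},
]

if __name__ == "__main__":
    for row in (pseudonymize(r, STUDY_KEY_A) for r in SAMPLE):
        print(row)
```

Because the code is keyed, the same subject links across visits within a study, while a different study key yields an unrelated code for the same person.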

GMP Lab Warning Letter – A Baseline of Expectations

A February 2022 FDA Warning Letter to Accu Bio-Chem Laboratories provides a great baseline for what your audit programs should look at and what your own labs should focus on:

Throw in a good lab instrument qualification review, and supplier/raw materials management, and you have a pretty solid program.