
OSHA:

Employer Responsibilities
Under the OSH law, employers have a responsibility to provide a safe workplace. This is a short
summary of key employer responsibilities:

- Provide a workplace free from serious recognized hazards and comply with standards, rules and regulations issued under the OSH Act.

- Examine workplace conditions to make sure they conform to applicable OSHA standards.

- Make sure employees have and use safe tools and equipment and properly maintain this equipment.

- Use color codes, posters, labels or signs to warn employees of potential hazards.

- Establish or update operating procedures and communicate them so that employees follow safety and health requirements.

- Employers must provide safety training in a language and vocabulary workers can understand.

- Provide medical examinations and training when required by OSHA standards.

- Post, at a prominent location within the workplace, the OSHA poster (or the state-plan equivalent) informing employees of their rights and responsibilities.

- Keep records of work-related injuries and illnesses. (Note: Employers with 10 or fewer employees and employers in certain low-hazard industries are exempt from this requirement.)

- Provide employees, former employees and their representatives access to the Log of Work-Related Injuries and Illnesses (OSHA Form 300). On February 1, and for three months, covered employers must post the summary of the OSHA log of injuries and illnesses (OSHA Form 300A).

- Provide access to employee medical records and exposure records to employees or their authorized representatives.

- Provide to the OSHA compliance officer the names of authorized employee representatives who may be asked to accompany the compliance officer during an inspection.

- Not discriminate against employees who exercise their rights under the Act. See our "Whistleblower Protection" webpage.

HIPAA:
The Health Insurance Portability and Accountability

A DEFINITION OF HIPAA COMPLIANCE

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient
data protection. Companies that deal with protected health information (PHI) must have physical,
network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered
entities (anyone providing treatment, payment, and operations in healthcare) and business associates
(anyone who has access to patient information and provides support in treatment, payment, or
operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related
business associates must also be in compliance.

THE HIPAA PRIVACY AND HIPAA SECURITY RULES

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or
Standards for Privacy of Individually Identifiable Health Information, establishes national standards for
the protection of certain health information. Additionally, the Security Rule establishes a national set of
security standards for protecting specific health information that is held or transferred in electronic
form.

The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic PHI (e-PHI). Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

THE NEED FOR HIPAA COMPLIANCE

HHS points out that as health care providers and other entities dealing with PHI move to computerized
operations, including computerized physician order entry (CPOE) systems, electronic health records
(EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than
ever. Similarly, health plans provide access to claims as well as care management and self-service
applications. While all of these electronic methods provide increased efficiency and mobility, they also
drastically increase the security risks facing healthcare data.

The Security Rule is in place to protect the privacy of individuals’ health information, while at the same
time allowing covered entities to adopt new technologies to improve the quality and efficiency of
patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement
policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and
risks to patients’ and consumers’ e-PHI.

PHYSICAL AND TECHNICAL SAFEGUARDS, POLICIES, AND HIPAA COMPLIANCE

The HHS requires physical and technical safeguards for organizations hosting sensitive patient data.
These physical safeguards include…

- Limited facility access and control with authorized access in place

- Policies about use and access to workstations and electronic media

- Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI

Along the same lines, the technical safeguards of HIPAA require access control allowing only for
authorized personnel to access ePHI. Access control includes…

- Using unique user IDs, emergency access procedures, automatic log off, and encryption and decryption

- Audit reports or tracking logs that record activity on hardware and software

Other technical policies for HIPAA compliance need to cover integrity controls, or measures put in place
to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key
components that ensure that electronic media errors and failures are quickly remedied so that patient
health information is recovered accurately and intact. One final technical safeguard is network, or
transmission security that ensures HIPAA compliant hosts protect against unauthorized access to ePHI.
This safeguard addresses all methods of data transmission, including email, internet, or private
networks, such as a private cloud.

To help ensure HIPAA compliance, the U.S. government passed a supplemental act, The Health
Information Technology for Economic and Clinical Health (HITECH) Act, which raises penalties for health
organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to
the development of health technology and the increased use, storage, and transmission of electronic
health information.

DATA PROTECTION FOR HEALTHCARE ORGANIZATIONS AND MEETING HIPAA COMPLIANCE

The need for data security has grown with the increase in the use and sharing of electronic patient data.
Today, high-quality care requires healthcare organizations to meet this accelerated demand for data
while complying with HIPAA regulations and protecting PHI. Having a data protection strategy in place
allows healthcare organizations to:

- Ensure the security and availability of PHI to maintain the trust of practitioners and patients

- Meet HIPAA and HITECH regulations for access, audit, integrity controls, data transmission, and device security

- Maintain greater visibility and control of sensitive data throughout the organization

The GCP International Standard specifies general requirements:

- Protect the rights, safety and well-being of human subjects,

- Ensure the scientific conduct of the clinical investigation and the credibility of the clinical investigation results,

- Define the responsibilities of the sponsor and principal investigator, and

- Assist sponsors, investigators, ethics committees, regulatory authorities and other bodies involved in the conformity assessment of medical devices.

GDP
Maintain adequate records (21 CFR 812.120 (a))

- This is cited time and time again in FDA 483 and warning letters: “Failed to prepare and maintain adequate and accurate case histories”, “No documentation of protocol-required procedures: no proof labs were completed”, “Inconsistencies in source and CRFs”

- Source documentation is where the information is first recorded (ICH GCP E6 1.52)
That’s right! It doesn’t matter where it’s written, just where it is first recorded. A colleague recently told me that as a research coordinator she was required to enter all “source” data into the medical records. If it wasn’t in the medical records, it didn’t happen, as the true source was the medical records only. This is not what ICH GCP says. ICH GCP states that true source is where the information is first written, regardless of whether it’s the medical record, a source worksheet or a post-it note.

- Data must be verifiable and follow an audit trail

Documentation should tell the whole story. It should also not contradict any other source data. The following was cited in an FDA warning letter: “source documentation and CRFs contain discrepant information.”

- ALCOA: data should be attributable, legible, contemporaneous, original and accurate


This is an important guideline for those in clinical research, and quality assurance professionals.
FDA auditors are taught to use this guideline during inspections.

- Corrections to source documents and CRFs should be lined through, initialed and dated (ICH GCP 4.9.3); never use white-out
In a 483 warning letter, one investigator was cited for “CRFs being incomplete with various cross-outs and changes by multiple authors, and an occasional use of white-out” and for “altered source documents with no explanation.”

- Never destroy original documents

As cited in a 483 warning letter, “you failed to maintain documents evidencing informed consent.” Remember the statement, “if it’s not documented, it’s not done”: this is the truth! If you are doing something, take credit for your work and document everything. In this case there is no such thing as too much information.

- Keep study records secure yet accessible
It’s important to know who has access to study records. Access should be limited to the study research team, and the records kept in a safe area away from public access. Remember that anything with patient information is subject to HIPAA and HITECH rules.
