Records Information Management (RIM) is a process for the systematic management of information recorded on all media across its lifecycle.
While information was traditionally captured as paper and microfiche, recent years have expanded the scope beyond physical records with an explosion of digital information such as emails, web-based content, social media, unstructured data, and structured databases.
From a RIM perspective, compliance is ensuring that your records management policy is being adhered. One example of this is ensuring you are in accordance with your records retention schedule to keep and dispose of all records as required by laws. This is especially important in a highly regulated industry such as Pharmaceuticals.
Compliance is vital to the pharmaceutical and biotech industry.
Without compliance, Life Sciences organizations will take great financial and reputational losses. When a pharmaceutical company is being audited by a government entity, compliance with the appropriate regulations is a key item being verified. There must be awareness of the RIM program throughout an enterprise to drive the cultural change across the business to accomplish the goals of maintaining legal and regulatory compliance and balance the inherent risk and value of information through policy implementation.
#1 - Information Overload
Ever increasing numbers of electronic applications, records, information, and data are in use within and across organizations as technology evolves constantly. There are such large amount of always growing volume and types of data, information, and records that organizations don’t know what to do with it. Many times this information is duplicated, out of date, inaccurate, or disconnected and hard to find. In Pharma this is often research data or information kept in an older version of an application. The rising costs of eDiscovery, maintaining systems, and securing digital data will only be furthered with the internet of things on the horizon.
What can you do to stem the tide of information, decrease costs, and better locate the right information?
- Reduce the scope of information and data to lower eDiscovery costs by getting rid of dark data. Don’t waste money storing and maintaining redundant, obsolete, and trivial information (ROT).
- Ensure Personally Identifiable Information (PII), patient/trial records and research, and other sensitive information is secure and protected. This means not just storing everything on a file share that has widespread company access. A data lake can easily become a dumping ground. Avoid creating a “data swamp” by having governance and policies to control what goes in and how (metadata, security classifications, file formats, etc.) so you can mine data later with reliable insight.
- Use application decommissioning to streamline your information management approach and eliminate shadow IT and silos of information. The records and information from these systems should then be either migrated into a new active system, archived if it needs long term retention or is under a litigation hold, or disposed of if there are no business, legal, or regulatory requirements for keeping it. RIM programs usually do a well with physical records clean up but needs to partner with IT to extend that success to digital information clean up.
Read Also: 5 Steps to Protect Sensitive PII Information
# 2 - Big Data & Analytics
Information is a business asset. There is an increasing amount of big data that must be governed and harnessed to provide value through analytics in order to gain a competitive advantage. In the Pharmaceutical industry, information about drug development can be useful for making a similar but different drug, or using a drug to treat a different issue. For example, Viagra was originally studied for and had clinical trials for use in hypertension and angina but was later pivoted to be used for erectile dysfunction when the data and information found it to be more effective for that use.
Before you can harness the power of analytics and big data you must first make sure you have good/clean data. Get rid of ROT and prevent its proliferation so that you start with a smaller, refined data set. Garbage "in" means garbage "out" so you want to avoid bad data which will give you bad results and focus on quality over quantity. Raw data must be enriched in order to be used for analytics and this cleanup work takes time so build it into the information lifecycle during planning and creation. This makes it easier to attain further insight from the data and information you already have.
Applying analytics to “clean” information and data can not only be assist scientific research and development, but also has value in a pharmaceutical company’s marketing department as it can help determine what kinds of advertisements are working and where and when are they the most effective.
#3 - Reliability & Collaboration
RIM aims to reduce the time it takes for people to locate relevant content and allow them to make confident business decisions based on reliable information. Getting data and information (in all formats and media) to the correct people is essential to improving operational efficiencies and maintaining compliance on the pharmaceutical industry.
RIM works to assure the integrity of information and data shared and exchanged across an enterprise throughout its life cycle. The information lifecycle parallels drug development as records and information are created from laboratory discovery to marketed products. Digital preservation is necessary so that electronic records will be accessible and unaltered for years to come, especially important for product information that must be retained for years after a drug is discontinued.
Vast amounts of devices create a gigantic volume of data and information which needs the ability to integrate with company systems. This requires planning and visioning especially when dealing with the cloud and personal devices. RIM needs to partner with IT to ensure visibility, secure sharing, and collaboration of information across divisions. In the Life Sciences companies are growing and becoming more global but at the same time technologies are making the world smaller. Employees must communicate and work together even though they may not be in the same building or even the same time zone. The correct information needs to be available to the right people at the right time. The more time spent searching for information means less work time and therefore less productive and efficient workers.
Ease of use and simplicity are important to help streamline operational processes. RIM must balance the need for access and collaboration with information security and privacy needs to protect Intellectual Property and PII against external and internal threats.
One example of the need for collaboration and reliability of information and records in the Life Sciences is Electronic Lab Notebooks (ELN). ELN are used in Regulatory Submissions which have many parts and while more are straight forward in paper form can become more difficult to manage in the digital world. This is due to the separation of roles, metadata mapping, storage in different repositories, and need for long term or permanent retention.
#4 - Mergers, Acquisitions, and Divestitures
When preparing for or dealing with mergers and acquisitions, or M&A, keep in mind information overload and compliance. Know what you are taking in or transferring then when and how to receive or divest records. Mitigate risks by having RIM get involved as soon as possible starting with due diligence. The earlier you have a seat at the table the better you will be prepared for integration and training of employees coming into the company. Develop and use a M&A playbook and checklists that are repeatable and prepared before a merger, acquisition, divestiture, asset swap/transfer, or site closure. If an acquired company has a formal RIM program you will need an RIM integration strategy.
M&A comes with hidden risks and value in data. Being a data hoarder makes integration more difficult. Cleansing data and getting rid of ROT regularly makes you prepared for M&A challenges down the road as records assessment will cost less and be less time consuming with less trash to go through making it easier to locate information. The need for an abandoned records policy is especially important here to fight corporate amnesia as employees often leave during the course of M&A. Forgotten information and records need to be known by the business but often don’t have much metadata. These records could have PII in them and if being divested may require redaction.
#5 - Compliance
ISO Standard 15489 defines the concepts and principles from which approaches to the creation, capture and management of records are developed. Following these RIM standards is a necessary start to comply with laws and regulations.
Regional and global legal and regulatory compliance relevant to pharmaceuticals include GxP from FDA, European Medicines Agencies (EMA) HIPPA, Sunshine Act, Affordable Care Act, and requirements pertaining to ICH, EPA, OSHA, DEA, and ERISA. Life Sciences organizations must value and govern not only their clinical and R&D information but also records and information across all functional areas such as HR, operations, financial, legal, and marketing. There are different types of regulations and business requirements in these areas such as SOX, SEC rule 17a-14, Gramm-Leach-Bliley, FTC, FINRA, IRS, FRCP amendments, and the developing EU-US Privacy Shield following the end of Safe Harbor.
In order to comply with regulations you must be able to capture and preserve records and information from various forms and technologies such as texting, instant messaging, social media, and mobile devices. Ensure you can support e-signatures and that digital audit trails are tracked and logged. And remember that third parties and contractors create and manage company records and therefore need to be covered in your RIM policy.
#6 - Defensible Disposition
Compliance does not mean you should keep everything forever. Retention depends on country, domain, and regulations. Organizations are often scared to delete anything and will keep the same records in paper and electronic versions. This fear of non-compliance cripples companies from realizing the benefits of defensible disposition when the situation calls for it.
Beyond getting rid of records and information that do not require retention, defensible disposition can also be preventative maintenance for data breaches as you can’t leak information that is no longer needed and has been destroyed. To achieve defensible disposal, stakeholders from an organization’s RIM department must collaborate closely and transparently with IT, Legal, and business entities to construct an information retention and disposition strategy that is ideal for today’s digital enterprise.
- A recent example of defensible disposition in the Pharmaceutical industry is the 2013 lawsuit, MDL No. 2385 (Multidistrict Litigation formally known as In Re: Pradaxa (Dabigatran Etexilate) Products Liability Litigation).
- The litigation concerned a group of plaintiffs who took action against Boehringer Ingelheim related to the marketing of its blood thinning drug Pradaxa. A motion was filed to force the company to produce documents and e-mails associated with an ex-employee who was a vice president of marketing.
- However, Boehringer Ingelheim had deleted those documents and e-mails before the case was filed because it was following its enterprise records retention policy.
- The court’s final ruling was that the organization was right to delete those documents and e-mails which were past their retention period and that this was not spoliation.
- No violation of the law had occurred since there was no current, imminent, or foreseeable litigation, audit, or investigation concerning Pradaxa at the time of their disposition and no evidence the records were destroyed on bad faith.
- Therefore the organization’s RIM policy and program enforced defensible disposition to delete information that had no business, legal, or regulatory requirement for retention.
Are you involved in RIM in the Life Sciences? If so, your organization may want to join PRIMO (Pharmaceutical Records & Information Management Organization). PRIMO is a consortium of pharmaceutical companies dedicated to establishing effective, legally compliant, quality-driven information management programs through collaborative industry exchanges of best practices. For more information visit the PRIMO website http://pharma-rim.org.