Clinical Research Advisory Notices

Office of Compliance Services - Clinical Research Advisory Notice: 21 CFR Part 11 Compliance

September 1, 2016

Title 21 CFR Part 11 is the part of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures. Part 11 defines the criteria under which electronic records and electronic signatures would be considered reliable, consistent and equivalent to paper records (21 CFR 11.1 (a)).

Part 11 requires that controls, system validations, audit trails, electronic signatures, and documentation be implemented for software and systems involved in the processing of electronic information and data that FDA predicate rules require to be maintained. A predicate rule is any requirement delineated in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11.

As a result of a thorough review and analysis, the UCLA Health Sciences Enterprise Compliance Oversight Board believes that UCLA's EPIC system is compliant with 21 CFR Part 11 requirements.

If you are contacted by a study sponsor or another party seeking certification of compliance with 21 CFR Part 11 pertaining solely to the UCLA EPIC System, you may rely upon and provide the attached document to the requester, without completing additional sponsor/requester provided forms. This compliance statement document may also be printed out and maintained with other required research records.

In the event the sponsor or requester is seeking certification of compliance with 21 CFR Part 11 pertaining to the other electronic systems used by UCLA clinical investigators (e.g. REDCap, OnCore, etc.), please contact the Office of Compliance Services at: ComplianceEveryone@mednet.ucla.edu; or 310-794-6763 for assistance.

Thank you,

Derek H. Kang
Chief Compliance Officer for
UCLA Health System and
David Geffen School of Medicine
Office of Compliance Services

Privacy Advisory Notices

Office of Compliance Services - Patient Privacy Advisory Notice: How you can Protect Patient Privacy

Protecting Patient Privacy is Part of Patient Care

Protecting Patient Privacy means:

• You may access, use, and disclose a patient’s information only if it is necessary to perform your job duties; and
• You may access, use, and disclose only the minimum amount of patient information necessary.

You may access, use, and disclose PHI in order to carry out your work duties for the purpose of:

• Patient Treatment – (e.g. being part of a patient’s care team, registering a patient, or taking a patient’s vitals)
• Payment and Billing Services
• Health Care Operations – (e.g. teaching, quality assessment activities, internal auditing)

You must not access a patient’s medical record in CareConnect, or other sources where patient information is stored, without a work related reason.

You must not use, discuss, or disclose a patient’s medical information without a work related reason.

Thank you all for your continued commitment to protecting patient privacy.

Derek H. Kang
Chief Compliance Officer for
UCLA Health System and
David Geffen School of Medicine
Office of Compliance Services