IT Audit stays abreast of relevant regulatory requirements that may impact the higher education and healthcare sectors. Some of the regulatory requirements noted below are long-standing in nature whereas others have only recently been enacted. This page will be updated as new relevant regulations are issued.

HIPAA Security Rule: The HIPAA Security Rule was first proposed on August 12, 1998, with the final Rule enacted on February 20, 2003. Compliance with the HIPAA Security Rule became mandatory on April 21, 2006.

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The Rule has often been cited as being vague in terms of knowing whether implemented controls would be sufficient under regulatory scrutiny. The IT Audit team provides consultation to Penn Medicine on HIPAA Security Rule-related matters and has performed projects to evaluate compliance with selected Rule requirements. Additionally, the IT Audit team provides consultation, and occasionally performs HIPAA Security Rule-related work, for covered entities on the University side.

Gramm-Leach-Bliley Act (GLBA) Safeguards Rule: The Safeguards Rule requires institutions to have measures in place to ensure the security and confidentiality of nonpublic personal information related to their customers. It also requires that institutions protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to information that could result in substantial harm or inconvenience to any customer. Penn is therefore responsible for developing its own safeguards and taking steps to ensure that external service providers and other affiliates safeguard customer information in their care as well.

IT Audit has performed work on the University side in evaluating compliance with each of the elements outlined within §314.4 of the Safeguards Rule. These elements are as follows:

A. Designate an employee or employees to coordinate the information security program (ISP).

B. Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risk in each relevant area of an organization’s operations, including:

      1. Employee training and management;
      2. Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
      3. Detecting, preventing, and responding to attacks, intrusions, or other systems failures.

C. Design and implement information safeguards to control the risks identified through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

D. Oversee service providers, by:

      1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
      2. Requiring service providers by contract to implement and maintain such safeguards.

E. Evaluate and adjust the information security program in light of the results of the testing and monitoring required by paragraph (C) above; any material changes to the organization’s operations or business arrangements; or any other circumstances that the organization knows or has reason to know may have a material impact on the information security program.

National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171): The Defense Federal Acquisition Regulation Supplement (DFARS) specifies requirements regarding the protection of Controlled Unclassified Information (CUI) in non-federal information systems and organizations. This requirement establishes the NIST Special Publication 800-171 (SP 800-171) as the minimum security standard for protecting both CUI and Covered Defense Information. Contractors’ deadline for compliance with the DFARS clause was December 31, 2017.

The NIST publication provides federal agencies with recommended security requirements for protecting the confidentiality of CUI residing in non-federal systems and organizations. The security requirements apply only to components of non-federal systems that process, store or transmit CUI or that provide security protection for such components. The security requirements are intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and non-federal organizations.

National Security Presidential Memorandum-33: NSPM-33, issued on January 14, 2021, is a directive from the President requiring all federal research funding agencies to strengthen and standardize disclosure requirements for federally funded awards. It also mandates the establishment of research security programs at major institutions receiving federal funds. NSPM-33 requires a certification from research organizations awarded in excess of $50 million per year in total Federal research funding that they have implemented a research security program that includes the four elements highlighted in NSPM-33:

            • Cybersecurity
            • Foreign travel security
            • Research security training
            • Export control training

In conjunction with the implementation of NSPM-33, the Subcommittee on Research Security of the Joint Committee on the Research Environment, or JCORE, released “Recommended Practices for Strengthening the Security and Integrity of America’s Science and Technology Research Enterprise,” known as the JCORE report. With respect to research security programs, this document contains recommended practices that provide guidance on how research institutions can meet the requirements of NSPM-33. https://www.whitehouse.gov/wp-content/uploads/2022/01/010422-NSPM-33-Implementation-Guidance.pdf (see pages 18-20 within the document)

The IT Audit team will provide NSPM-33 advisory support to the Office of the Vice Provost for Research and other relevant University functions, where appropriate, during FY2023.

21 CFR Part 11: Electronic Records; Electronic Signatures: Often referred to as Part 11, the Electronic Records; Electronic Signatures regulation went into effect in 1997. Part 11 defines the criteria under which the FDA considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in predicate regulations, such as the cGMPs (Current Good Manufacturing Practices), GLPs (Good Laboratory Practices), and GCPs (Good Clinical Practices).

The Part 11 regulations were intended to permit the widest possible use of electronic technology.  FDA has recommended a narrow and practical interpretation of Part 11 requirements, as explained in guidance documents published in 2003 and 2017.  Generally, FDA regards the validation of electronic systems, the ability to generate complete and accurate copies of records, the ability to archive records, and the use of audit trails as powerful tools for ensuring the quality, authenticity, and reliability of electronic records from their point of creation to their modification, maintenance, archival, retrieval, or transmission. 

The following are some useful links to the Part 11 regulations and related guidance documents.  The IT Audit team is also able to provide consultation on questions related to system validation and the application of specific Part 11 requirements.

21 CFR Part 11 regulations:  https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11

Part 11 Electronic Records; Electronic Signatures – Scope and Application Guidance for Industry (September 2003):  https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application

Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers, Draft Guidance (June 2017):  https://www.fda.gov/files/drugs/published/Use-of-Electronic-Records-and-Electronic-Signatures-in-Clinical-Investigations-Under-21-CFR-Part-11-%E2%80%93.pdf

General Principles of Software Validation; Final Guidance for Industry and FDA Staff (January 2002):  https://www.fda.gov/regulatory-information/search-fda-guidance-documents/general-principles-software-validation