The Assessment: Our client is a biotech startup revolutionizing the treatment of solid cancer tumors with patented, proprietary technology. Before they could begin clinical trials and receive patient data, they needed a robust clinical data management environment to ensure that they had the appropriate compliance framework in place. Furthermore, they had to be both HIPAA and 21CFR11 compliant. Aware that the complexity of these requirements demanded a demanded a consultative approach from a team of data experts, our client reached out to DSS to help lead and to implement the new compliance framework.
The DSS Solution: We began the engagement by conducting workshops and interviews with business owners and stakeholders to document the current business requirements and policies for protected health information (PHI). We then performed a detailed PHI data flow discovery to document how PHI is used as well as its life cycle. This led us to create workflow diagrams that reflected our proposed state of PHI information through their ecosystem after implementation of our solution.
Leveraging the commonly accepted compliance framework from the National Institute of Standards and Technology (NIST), we developed a 48-page Written Information Security Program (WISP). Customized for our client’s specific environment and needs, this document outlined all of the areas required to structure PHI compliance and conform to HIPAA and 21CFR11 requirements.
The WISP was instrumental for our next step: performing a gap analysis between the current desired state of our client’s data ecosystem by comparing their existing PHI security framework against HIPAA regulations. Once we performed this analysis, we summarized our findings in a report.
Finally, we then began to work on closing the gaps with recommendations for remediation. Working closely with our client, we drafted additional standard operating procedures (SOPs) and proposed new corporate policies to ensure ongoing HIPAA compliance. DSS also reached out to our client’s business partners to collect statements of HIPAA compliance such as Business Associate Agreements (BAAs) to ensure compliance throughout the entire ecosystem.
We completed the entire engagement on time and within the original budget proposed to the customer.
The DSS Difference: Our in-house compliance expertise added significant value to this undertaking. Our ability to provide a comprehensive compliance framework including documentation for laboratory, data, and security left our client confident that they would be able to meet their regulatory compliance obligations. In addition, our efforts freed our client’s staff from labor and time-intensive tasks, allowing them to focus on other critical business objectives.