Andrew Ho wrote:
1) My reading of the regulations (21 CFR Part 11) indicates that (under the heading=Applicability) the regulation does not apply to clinical information sytems - but are limited to systems that are used to manufacture, produce, develop medical devices/drugs regulated by the FDA.
Yes, Andrew has it correctly, I believe. Debate on FDA regulation is often intense, re: the herbal supplements marketplace. At least with herbs one can claim they 'spring natually' from the environment, unlike software which is always a human creation. The scope of the regulation is the thing to pay attention to. Another branch of the HHS organization does the HIPAA regulations. These are clearly in the scope of clinical information systems, but are so complex and frought with unintended consequences as implementations begin, that I wonder really if any definitive statement can be made right now.
There is a further situation that bears watching: Both FDA and HIPAA regulations, combined with the activities of the standards complex could actually start cross pollinating one another in such a way that many folks will decide that from a security standpoint, the only possbile approach is to take the most restrictive subset of all of them and apply them unilaterally across entire domains and organizations. Remember, this is well known behavor pattern of large organizations.