Literary Warrant for Functional Requirement #12a
This requirement derives from the law, customs, standards and
professional best practices accepted by society and codified in the literature of different professions concerned with records and
recordkeeping. The warrant is as follows:
Citation Department of Health and Human Services, Food and Drug
Administration, 21 CFR Part 11 [Docket No. 92N-0251], Electronic Signatures;
Electronic Records
Pages 11.10
Extract Controls for closed systems. Closed systems used to create, modify, maintain, or transmit
electronic records shall employ procedures and controls designed to ensure the authenticity, integrity,
and confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the
signed record as not genuine. Such procedures and controls shall include the following: (c)
Protection of records to enable their accurate and ready retrieval throughout the records retention
period.
Citation Ian B. Gilhooley, Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors, 1991)
Pages 94
Extract Not only must the information systems security measures control the availability of data, they must
also ensure that the data is available in the first place. Unavailability of data may be as a result of a
loss of data for reasons previously defined. It may also be the case that the data exists but has not been
set up to be accessed by those who have a legitimate need for access. Unavailability in this situation
may simply be the result of having set the wrong access levels for particular individuals.
Citation Ian B. Gilhooley, Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors, 1991)
Pages 338
Extract LACK OF ACCESSIBILITY The final objective of data management is to make information
available to those who have a right to this information. A great deal of time is spent discussing the
prevention of access. However, just as much thought should go into the granting of access and making
sure that barriers to access are not built inadvertently. Barriers to access can result from a variety of
reasons, including:
* The data is not available within the data base.
* The user has not been granted access to the data elements that produce the required information.
* The data base has been structured incorrectly. For example, allowing users access to information to
which they are entitled would mean having to grant access to data to which they are not entitled.
Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security;
Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards
Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of
Standards and Technology, 9 November 1994)
Pages 9
Extract The following goals should be considered to implement effective LAN security.... Maintain the
availability of data stored on a LAN, as well as the ability to process and transmit the data in a timely
fashion;
Citation Condition of Participation: Medical Records Services, Health Care Financing Administration, 42
CFR, Chapter 4, 482.24
Extract (2) The hospital must have a system of coding and indexing medical records. The system must
allow for timely retrieval by diagnosis and procedure, in order to support medical care evaluation
studies.
Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology
Systems: "Part II: Performance Guideline for the Acceptance by Government Agencies of Records
Produced by Information Technology Systems;" Technical Report ANSI/AIIM TR31-1993; Association
for Information and Image Management.
Pages 11
Extract 3.5.1 Availability of records Records must be available for inspection for the full period required
by law. The life expectancy of the media, per se, has no bearing on the legal status or legal acceptance
of the records. The information maintained on the media and the system used to produce the records
must achieve the required retention period. This means that for some technologies it may be necessary
to periodically convert, regenerate, copy or transfer the information from one medium or technology to
another to preserve the information for the required period.