Compliance & Security

XNAT Works provides validated and dependable solutions for data management that comply with international standards. Users can take advantage of robust data privacy and governance features to maintain audit readiness. By adhering to these data standards, we ensure our processes and systems uphold the highest levels of security, availability, processing integrity, confidentiality, and privacy.

ICH E6 Good Clinical Practice

XNAT Works is committed to offering platform solutions and operations that comply with the Good Clinical Practice (GCP) Standard for designing, conducting, recording, and reporting data in clinical trials involving human subjects. XNAT Works Inc. has implemented these practices to support its clients and partners, ensuring the protection of trial participants’ rights and safety. To uphold this high-quality standard, XNAT Works Inc. carries out the following functions:

  • Secure data collection, quality control (QC), processing, curation, and reporting
  • 21 CFR Part 11 compliance features
  • Data monitoring, review, and QC capabilities
  • Data backup management based on client requirements
  • Data retention in accordance with client and regulatory requirements
  • Comprehensive data reporting tools
  • Ability to remove data when necessary
  • Integration with randomization vendors and project-specific labeling options
  • Ongoing annual training for XNAT Works Inc. staff on policies and guidelines
  • Utilization of a Risk-Based Quality Management System and Standard Operating Procedures
  • Established Quality Assurance and Quality Control protocols
  • Annual audits
  • Support for multicenter trials

FDA 21 Code of Federal Regulations Part 11

XNAT Works is committed to offering platform options that comply with 21 CFR Part 11. This section of the Title 21 Code of Federal Regulations sets forth the FDA’s rules governing electronic records and electronic signatures. In regulated research environments, it is crucial for investigators and researchers to ensure that electronic data is captured within a system that meets these regulations to maintain data integrity. XNAT Works Inc. ensures compliance with 21 CFR Part 11 through the following measures:

  • Audit-ready validation
  • Comprehensive audit trails
  • System change logging
  • Electronic signatures
  • Client system change/upgrade approval workflows
  • User access controls
  • Field-level edit checks
  • Provision of user training materials
  • Query tracking features
  • Data locking
  • Staff training and adherence to regulatory policies

Health Insurance Portability and Accountability Act (HIPAA)

XNAT Works is committed to complying with the Health Insurance Portability and Accountability Act (HIPAA), including the subsequent expansion through the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under HIPAA, XNAT Works may be considered a Business Associate when contracted to store and transmit Protected Health Information (PHI) and Customers request a signed Business Associate Agreement (BAA). The XNAT Works target audience is primarily scientific researchers with the intended use of handling de-identified data. However, it is possible that PHI is stored in the XNAT Works Inc. system, intentionally or inadvertently. With that in mind, our goal is to work closely with the Covered Entity to ensure that we jointly meet our respective obligations under HIPAA and to safeguard PHI held and transmitted under contract by XNAT Works Inc. from misuse or unauthorized disclosure.

Under the current form of the legislation, no software or hardware can be inherently “HIPAA Compliant”. The Covered Entity achieves compliance through guidelines, policies and procedures, user training and proper security protocols. Some ways XNAT Works is ensuring adherence are outlined below:

  • De-identification features available prior to data archival to database
  • PHI/PII/IIHI review feature during data upload prior to data archival
  • Ability to review image snapshots and headers for PHI/PII/IIHI
  • Ability to remove PHI/PII/IIHI as needed following written policies
  • Full suite of HIPAA Standard Operating Procedures and policies
  • Annual XNAT Works Inc. staff training on procedures, policies and regulations

HIPAA Privacy

In the course of routine business operations, XNAT Works Inc. and its staff may have access to Protected Health Information (PHI) from contracted clients and/or their authorized users, who are classified as providers of health and medical services under HIPAA (referred to as “Covered Entities”). XNAT Works Inc. will work closely with the Covered Entity to uphold the confidentiality and privacy rights of research subjects. All research subject information will be treated as confidential and will only be shared with authorized users for approved purposes. The minimum necessary information will be used to fulfill assigned responsibilities. Access to and disclosure of PHI will occur solely as outlined in an executed Business Associate Agreement.

As a contracted Business Associate, XNAT Works is dedicated to safeguarding the privacy of research subjects whose confidential information is stored and transmitted using our services. In accordance with the executed Business Associate Agreement, PHI generated by the Covered Entity and stored within XNAT Works solution will only be accessible to XNAT Works employees and users authorized by the Covered Entity, for administrative purposes or approved disclosures.

XNAT Works has established and enforced policies and procedures that align with HIPAA regulations. A comprehensive HIPAA Compliance Policy has been communicated to all employees, and ongoing employee awareness initiatives and periodic training will be conducted to ensure compliance. XNAT Works has implemented the necessary physical, technical, and administrative safeguards to maintain confidentiality and privacy. XNAT Works Products and Services are also designed to allow clients to manage their data in adherence to HIPAA laws.

HIPAA Security

XNAT Works’ solutions are fully compliant with HIPAA Security guidelines. To ensure compliance and protect Protected Health Information (PHI), XNAT Works implements a range of security measures, including:

  • Role-based Hierarchical Access Controls (RBAC)
  • Authentication integrated with Covered Entity’s Identity systems
  • No storage or access to user passwords by XNAT Works Inc.
  • Encryption for both Data-in-Motion and Data-at-Rest
  • Event reporting for failed login attempts and potential security breaches
  • Controlled access to equipment containing PHI
  • Restricted access for visitors
  • Comprehensive access logging (user, accessed objects, access type, date/time)
  • Adherence to secure coding practices

EU General Data Protection Regulation (GDPR) and UK GDPR

XNAT Works is committed to complying with the EU and UK General Data Protection Regulation. Under GDPR, XNAT Works may be considered a data processor when contracted to store and transmit Protected Health Information (PHI). The XNAT Works target audience is primarily scientific researchers with the intended use of handling de-identified data. However, it is possible that PHI is stored in the XNAT Works Inc. system, intentionally or inadvertently. With that in mind, our goal is to work closely with the Covered Entity to ensure that we jointly meet our respective obligations under GDPR and to safeguard PHI held and transmitted under contract by XNAT Works Inc. from misuse or unauthorized disclosure.

Under the current form of the legislation, no software or hardware can be inherently “GDPR Compliant”. The Covered Entity achieves compliance through guidelines, policies and procedures, user training and proper security protocols. Some ways XNAT Works is ensuring adherence are outlined below:

  • De-identification features available prior to data archival to database
  • PHI/PII/IIHI review feature during data upload prior to data archival
  • Ability to review image snapshots and headers for PHI/PII/IIHI
  • Ability to remove PHI/PII/IIHI as needed following written policies
  • Full suite of HIPAA Standard Operating Procedures and policies
  • Annual XNAT Works Inc. staff training on procedures, policies and regulations

We are committed to ensuring the privacy and security of personal data. As part of our dedication to transparency, we adhere to the principles set forth in the General Data Protection Regulation (GDPR) and the UK GDPR. Our practices are designed to create products and services allowing our clients to safeguard the rights and freedoms of individuals and to ensure that personal data is processed fairly, lawfully, and transparently.

Some Key Principles:

  1. Lawful, Fair, and Transparent Processing: Our products and services allow for processing personal data in a manner that is lawful, fair, and transparent.
  2. Purpose Limitation: We collect and process personal data only for specific, legitimate purposes and do not use it in ways that are incompatible with those purposes.
  3. Data Minimization: Our features allow for the collection of only the personal data that is necessary to fulfill client objectives and do so in a way that limits any unnecessary exposure or risks to patient privacy.
  4. Accuracy: Our product features ensure that the personal data being collected is accurate, up-to-date, and complete.
  5. Storage Limitation: Clients can hold data only for as long as necessary to meet the purposes for which it was collected, in compliance with the GDPR’s retention guidelines.
  6. Integrity and Confidentiality: We implement appropriate technical and organizational measures to ensure that data is secure and protected from unauthorized access, alteration, or loss.
  7. Accountability: When applicable, we are committed to being accountable for the personal data we handle and will cooperate with supervisory authorities when required. We continuously review and improve our practices to maintain compliance with the GDPR and UK GDPR.

Security

At XNAT Works, we prioritize the security of our systems and data. Our commitment is to uphold the confidentiality, integrity, and availability of sensitive information while safeguarding our systems against unauthorized access, use, disclosure, modification, or destruction.

To achieve this, we have established a robust framework of information security policies, procedures, controls, and technologies designed to prevent, detect, and respond to security incidents. We continuously evaluate and monitor our security efforts to ensure they remain effective and adaptable to emerging threats and evolving business needs. Regular risk assessments guide our security strategy, allowing us to implement appropriate controls to address identified risks. These controls are carefully selected to comply with current regulatory requirements and industry best practices.

Key components of our information security and privacy program include:

  • Risk Assessments
  • Policies and Procedures
  • Access Controls
  • Technical Safeguards
  • Security and Compliance Awareness Training
  • Incident Response
  • Compliance
  • Continuous Monitoring and Improvement