An Admin by Any Other Name: Making Lab Data Attributable

By: Steve Ferrell, Chief Compliance Officer
data integrity

“My name is Connor, here’s my letters: C-O-N-N-O-R!”

To my four-year-old, attribution is fundamental to his daily interactions. He is often surprised and bemused when he meets other Connors and even more so when they spell their name with only one ‘n’. The importance of being unique and identifiable is something we all learn early in life, and while it may get a little less exciting as we get older, it doesn’t get any less important.

So what’s in a name, anyway? Depending on your cultural background, you might have a last name that denotes a long forgotten family trade, or suggests you might be the heir to a European royal dynasty. If your family is decidedly modern, you may have some innovative uniquely-spelled moniker with no historical baggage at all.

Given how important our names are in defining who we are, it’s very curious that in the 24/7 hustle of the lab, so many people are willing to forgo their name and to be identified simply as “Admin”.

Admin is the most ubiquitous of all lab users, a nebulous force of unlimited power, able to alter the validated state of a system at a whim, imbued with the authority to ‘fix’ results and – like a benevolent dictator – grant the many powers of the Admin to others.

The problem, of course, is that whether ‘Admin’ is being used in a QC Lab or a Test Lab the breadth of their capability is matched only by the anonymity of their actions. An army of Admins is an army of chaos. It doesn’t matter how effective a test method is or how well-calibrated an instrument is, it doesn’t even matter if you’ve invested wisely in a RURO lab solution – because if all users are admins, your data is completely lacking in integrity.

Properly attributing action to person is absolutely critical to ensuring that the qualitative aspects of your data are matched with true integrity, and this is not a matter that labs can afford to take lightly. More serious even than the legal consequences are the risks to patient safety and the efficacy of data.

In the Pharmaceutical context, losing the ability to determine who tested/released a batch or sample is not only dangerous – it’s illegal. In the US, 21 CFR Part 11 is not a suggestion, it is a legal statute, the violation of which can lead to civil and criminal penalties and even debarment from the industry. In the EU, one would fall immediately afoul of GDPR if the data processor could not be attributed back to the individual’s data they had transacted.

Further failure to properly attribute actions can cause major patient safety and liability issues during the forensic part of a field action or a recall.

In your local test lab it’s really no different. Having no way to attribute information or actions to the lab tech responsible for them immediately impacts the chain of custody of the specimen. Both the validity of the sample and the patient’s rights under HIPAA (in the US) and GDPR (in EU) are immediately impinged upon.

To combat this, lab managers need to ensure that the all-powerful title of ‘Admin’ is limited exclusively to true administrators, and that the number of folks with that assignation are as limited as possible. The software labs use must support this requirement by adding user validation checks into their workflows to ensure that attributable fields are transparent from an audit perspective, and as practically prohibitive as possible.

Each of us already knows that identity isn’t just a string of letters in a certain order. Identity is knowing who we are and accounting for what we do, and it’s imperative that we learn to carry that concept over into the lab, rather than abandoning it at the door to become a sea of admins.