What is GxP?

Kris Gösser

Chief Marketing Officer

February 8, 2018  |  GxP

GxP stands for “Good Practice”, where the x is a placeholder for the specific discipline (Manufacturing, Laboratory, Clinical, Distribution, and so on), and is a set of operational controls for Life Sciences organizations working within the confines of the FDA.

FDA regulations are codified in Title 21 of the Code of Federal Regulations, and the agency’s guidance on computer security leans on NIST publications, which is why GxP control sets largely follow NIST standards. There is no single authoritative source for GxP, the way the 2013 Omnibus Rule is for HIPAA or the Articles of the EU regulation are for GDPR. Instead, GxP is an industry-accepted set of best practices mapped to FDA regulations.

GxP Compliance

In many ways, GxP is where HIPAA was in the mid-2000s, before HITRUST came along. Back then, HIPAA compliance was mostly whatever someone wanted to claim it was: “HIPAA compliant” meant one lawyer’s word against another’s. It’s why business deals took six months just to get past the “But are you HIPAA compliant?” stage. Hundreds of consultants, auditors, and lawyers each defined HIPAA compliance as they saw it and used that definition to do their jobs. You can imagine why HIPAA was a mess for a long time. This is why HITRUST is such a boon: the industry is finally agreeing on a certified definition, which accelerates a mating dance that is now 20 years old.

GxP is still in that situation. There is no certifying body for GxP compliance, so it is whatever someone wants to claim it to be.

eCFR — (Electronic) Code of Federal Regulations

The basis of cloud-based GxP audits is 21 CFR Part 11. Title 21 of the CFR covers food and drugs, and Chapter I of that title belongs to the FDA; Part 11, “Electronic Records; Electronic Signatures”, scopes to electronic records and the signatures applied to them. When a cloud services provider like Datica claims to be GxP compliant, it is claiming to have been audited against an interpretation of 21 CFR Part 11.

The bulk of the controls in a GxP audit are administrative, not technical. Whereas HIPAA, and HITRUST in particular, get deep into the weeds of encryption, intrusion detection, and so on, GxP focuses mostly on processes and procedures that ensure quality. The exception is Part 11 itself, which does impose technical requirements on the systems that hold electronic records: system validation, secure computer-generated audit trails, access and authority checks, and controls on electronic signatures.