Text

NEI 05-10 (Revision 3)

September 2011 DRAFT (for review/comment) - 2022-7-25 1

SFAQ 2022-01 HHS Lab Audits Security Frequently Asked Questions (SFAQ)

Request Form SFAQ Number: 22-01 (Industry Panel Chair to complete)

(Requestor to Complete)

Licensee:

NEI Date Submitted:

01/24/2022 Licensee

Contact:

Johnny Rogers Phone: 202-739-8032 e-mail: jdr@nei.com NRC

Contact:

Brian Zaleski Phone: 301-287-0638 e-mail: Brian.Zaleski@nrc.gov Potentially relevant existing SFAQ numbers:

This question involves:

(check all that apply)

Design Basis

, Force-on-Force

, Training Access

, Security Plan

, Cyber

, Other FFD Description of Question: 10 CFR 26.41(g) states that licensees and other entities may jointly conduct audits or may accept audits of [contractors/vendors] C/Vs and [U.S. Department of Health and Human Services] HHS-certified laboratories that were conducted by other licensees and entities who are subject to 10 CFR 26 if the audit addresses the services obtained from the C/V or HHS-certified laboratory by each of the sharing licensees and other entities. 10 CFR 26.41(g)(4) states: Each sharing licensee and other entity shall maintain a copy of the shared audit and HHS certification inspection records and reports, including findings, recommendations, and corrective actions. Finally, 10 CFR 26.41(d)(2) states, in part, that an HHS-certified laboratory may reasonably limit the use and dissemination of any documents copied or taken away by the licensee's or other entity's auditors. It has come to our attention that some HHS-certified drug screening laboratories will not provide auditors with facsimiles (i.e., exact copies) of HHS inspection reports. Instead, auditors are permitted to examine inspection reports and take handwritten notes on relevant portions of the reports (including hand-copying excerpts from relevant portions of the reports). In such situations, may a sharing licensee or other entity rely upon the handwritten notes of an auditor, as opposed to a facsimile of an HHS inspection report or record, to comply with the requirement to maintain copies of HHS certification records and reports in 10 CFR 26.41(g)(4)?

Justification: The word copy is not defined in 10 CFR Part 26. Licensees are uncertain if handwritten notes meet the intent of 10 CFR 26.41(g)(4) which states that licensees shall maintain a copy of shared audit and HHS certification inspection records and reports.

Additionally, licensees are unclear if the shared audit containing the auditors notes requires each licensee to individually verify the content of the original notes. Clarity on these two elements would provide licensees the desired guidance and confidence that program components are met.

Proposed Solution: In situations where HHS-certified drug screening laboratories will not provide auditors with a facsimile of HHS inspection reports, relying upon hand-written notes of auditors describing the findings, recommendations, and corrective actions resulting from such inspections should be considered an acceptable method of complying with the requirement in 10 CFR 26.41(g)(4).

NEI 05-10 (Revision 3)

September 2011 DRAFT (for review/comment) - 2022-7-25 2

SFAQ Evaluation and Resolution Section Security Frequently Asked Questions (SFAQ)

Request Form SFAQ Number: 22-01 (Industry Panel Chair to complete)

Resolution of SFAQ Under 10 CFR 26.41(c), a licensee or other entity must audit its HHS-certified laboratory on a nominal 12-month frequency. The auditing requirement is limited to the services that the licensee or other entity uses that were not covered by the most recent HHS inspection of the laboratory.

The HHS National Laboratory Certification Program inspects each HHS-certified laboratory every 6 months.

Because many licensees and other entities contract with the same HHS-certified laboratory to perform required testing under 10 CFR Part 26, 10 CFR 26.41(g) allows a licensee or other entity to meet the annual auditing requirement by accepting the audit of that same HHS-certified laboratory that was completed by another licensee or other entity, if the audit addresses the services obtained from the HHS-certified laboratory by each of the sharing licensees and other entities. To accept another licensees or other entitys audit (a shared audit), 10 CFR 26.41(c)(2) requires the recipient licensee or other entity to review the audit records and reports to identify if any laboratory services were not covered by the shared audit. Any laboratory services not covered by the shared audit then must be audited by the recipient licensee or other entity on a nominal 12-month frequency.

Under 10 CFR 26.41(g)(4), the recipient licensee or other entity of a shared audit must maintain a copy of the shared audit and HHS-certification inspection records, reports, including findings, recommendations, and corrective actions. In the 2008 10 CFR Part 26 final rule (73 FR 16966, 17030; March 31, 2008), the NRC contemplated that a facsimile (i.e., an exact copy of a document) of all records reviewed during a licensees or other entitys 10 CFR 26.41(c) audit of an HHS-certified laboratory might not be possible. Therefore, 10 CFR 26.41(d)(2) recognizes that an HHS-certified laboratory might reasonably limit the use and dissemination of any documents copied or taken away by a licensees or other entitys auditors to protect proprietary information and the privacy of donors. As a result, if a facsimile of a record is not permitted, the auditors of a licensee and other entity should take appropriate means to accurately reflect the pertinent information in the HHS-certified laboratory inspection report, including the findings, recommendations, and corrective actions to ensure that a recipient licensee or other entity can meet the 10 CFR 26.41(c)(2) requirement described above. The hand-written notes of an auditor describing the findings, recommendations, and corrective actions resulting from an HHS-certified laboratory inspection is an acceptable approach if the notes legibly and accurately reflect the information reviewed. The audit report should include a statement that the HHS-laboratory did not permit a facsimile of the HHS-certification inspection records and reports.

Issue presented at Joint NRC/NEI Security Question Panel: Date

NEI 05-10 (Revision 3)

September 2011 DRAFT (for review/comment) - 2022-7-25 3

As described above, because 10 CFR 26.41(c)(2) requires a recipient licensee or other entity of a shared audit to review the HHS laboratory inspection records and reports to identify if any laboratory services were not covered by the shared audit, the recipient licensee or other entity of the shared audit would need to review an auditors notes on the HHS laboratory findings, recommendations, and corrective actions.

(NRC Security Question Panel Chairman)

Approved by:

Date:

(Industry Security Question Panel Chairman)

Approved by:

Date:

SFAQ closed in tracking system and SFAQ database updated: Date: