Watson Health Quality and Compliance Program
Dedication to delivering high quality solutions
We at IBM Watson Health strive to strengthen our client-centric culture and bring value to our customers. Our commitment to our customers is to provide outstanding industry-specific and innovative software products and services that are built to the highest software development standards around privacy, security and compliance.
We know that software quality is important and security by design is paramount to patient safety, product quality, and data integrity. Our products are tested extensively to identify flaws or defects prior to their release to a production environment in order to strengthen the trust our clients have in our products and services.
As we work to address the business challenges our clients face, here is how we define quality, quality standards and regulations:
Quality involves listening to our clients to design products and services that meet their needs.
Quality standards provide a shared vision for creating a high quality solution, plus procedures and vocabulary for meeting quality expectations.
Regulations are rules made by entities, governmental agencies and executive departments.
The following are the regulations and standards that our teams strive to follow as we deliver software solutions and services to our clients.
GxP refers to a collective set of globally accepted good practices with respect to quality. This includes good manufacturing practices (GMPs), good clinical practices (GCPs), good laboratory practices (GLPs), good pharmacovigilance practices (GPVPs), good engineering practices (GEPs) and other quality practices.
The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established data security and privacy requirements for the storing and processing of protected health information (PHI and e-PHI). Entities that are subject to HIPAA must implement a set of technical, administrative and physical controls that are designed to secure this protected health information.
The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework, which is a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent, streamlined manner.
As part of the European Union's General Data Protection Regulation (GDPR), IBM is enhancing its ongoing commitment to privacy by design. IBM is working to embed data protection principles even more deeply into its business processes. This work also strengthens existing controls to limit access to personal data, including mobile applications that rely on default settings to prevent sharing of personal data.
The LGPD (Lei Geral de Proteção de Dados Pessoais) comes into effect in August 2020 and is a statutory law on data protection and privacy in the Federative Republic of Brazil. The law's primary aim is to unify 40 different Brazilian laws that regulate the processing of personal data.
The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.
IBM works with local, state, national and international regulations based on the customer’s requirements. Please contact the Compliance Department for other regions that are covered.
The International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 164 national standards bodies. ISO develops international standards that are voluntary, consensus-based and market relevant. The goal is to ensure that products and services are safe, reliable and of good quality.
An international standard dedicated to Quality Management Systems (QMS). It outlines a framework for improving quality and providing products and services that consistently meet the requirements and expectations of customers. The QMS is the combination of all the processes, resources, assets and cultural values that support the goal of customer satisfaction and organizational efficiency.
This standard specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.
This standard defines the best practices for information security management processes. The ISO 27001:2013 standard specifies the requirements for establishing, implementing and documenting Information Security Management Systems (ISMS) controls.
This standard provides guidelines for information-security controls applicable to the provisioning and use of cloud services as well as implementation guidance for both cloud service providers and cloud service customers.
This standard establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in accordance with the privacy principles in ISO 29100 for the public cloud computing environment.
The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information stored in the cloud. Certified public accountants (CPAs) audit cloud service providers (CSPs), which results in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks associated with an outsourced service.
Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).
Title 21 CFR Part 820 outlines the current good manufacturing practice (CGMP) guidelines for developing medical devices. It governs the methods, facilities and controls used for medical device design, manufacture, packaging, labeling, storage, installation and service.
A standard for the design, conduct, performance, monitoring, auditing, recording, analysis and reporting of clinical trials. It provides assurance that the data and reported results are credible and accurate, and that the rights, integrity and confidentiality of trial subjects are protected.
IBM establishes and manages an organizational structure to ensure business continuity and the availability of those resources to respond in the case of an event.
Yes. IBM Watson Health has a full QMS with procedures that describe the key process steps that govern the solution lifecycle, including change management, data privacy and data security.
IBM Watson Health has disaster recovery plans in place to protect and restore business critical technologies after a disaster to enable a quick recovery of services.
Software-related issues are handled through IBM’s defect management processes. Controls are in place for the handling of defect identification through resolution. Customer complaints are investigated appropriately according to established procedures.
IBM Watson Health retains and controls all records and documents needed to provide evidence of conformity with requirements, for the applicable retention period. The retention period for records is the customer's records retention requirement or the period defined in the procedure, whichever is longer.
IBM Watson Health’s ISO 9001:2015 QMS adopts related healthcare validation standards, such as the FDA’s General Principles of Software Validation.
The IBM WH ISO 9001:2015 quality management system is regularly inspected by a body that is accredited by the ANSI National Accreditation Board.