Netherlands compliance update

On 13 January I presented the yearly compliance update for the Netherlands to the MedTech Europe Compliance Network in Brussels. Since the presentation is no secret know-how, I thought I’d share it on the blog, with an overview of the developments discussed in it.

Can’t ask what can’t be offered

2014 was the year in which most of the healthcare professionals (HCPs) in the Netherlands had to come to grips with the fact that their professional associations had adhered to the GMH Code, thus solving the much lamented problem that HCPs were asking for benefits that the industry was not allowed to offer. Since 1 January 2014 HCPs can no longer ask for what industry cannot offer. This closes an important gap that tends to undermine industry’s support of self-regulation.

The new version of the GMH code is here, and a track changes version of the code showing the changes for 2015 compared to 2014 is here.

2014 and 2015 are the years in which the Sunshine transparency requirements in the medical devices sector evolve and are implemented. If you read Dutch, you can read about it in detail in the Minister of Health’s update and the GMH’s plan for implementation, and if you don’t in slightly less detail in my below presentation:

Duty to report

A pilot project started as of 1 January that requires reporting of financial contributions by industry to costs of participation of HCPs in meetings. Any arrangements made have to be laid down in writing and must be reported to the HCP’s employer or board of healthcare institution.

Requirement of prior approval

As of 1 January all interactions that require payment of more than 500 Euro to an HCP for services rendered have to be set out and approved in writing by the HCP’s employer or board of the HCP’s healthcare institution.

External transparency

As of 1 January 2015 the GMH code started a pilot project of Sunshine transparency limited to certain implantables and certain HCPs, which requires that:

  1. manufacturers of ICDs, stents, pacemakers and hip-/knee replacements;
  2. have to track and report consultancy and sponsoring (of other activities than meetings, like education) interactions;
  3. with a total value per HCP of more than 500 Euro per year;
  4. with HCPs admitted in the Netherlands for the specialities of orthopedics and cardiology; and
  5. publish the interactions in the healthcare transparency register (Transparantieregister Zorg) as of 1 January 2016, before 31 January 2016.

Also, there is a prohibition to incorporate clauses in agreements that prevent publication of the relevant details in the transparency register. The GMH code offers model clauses to be incorporated in agreements that address the publication of personal data of the HCPs concerned.

Maximum HCP consultancy fees and costs

Then there is another requirement that you do not see back in the Minister of Health’s report about developments in transparency nor in the GMH plan of implementation: maximum fees and costs for consultancy by HCPs. This caused industry significant concern because this requirement for 2015 was added at the very last moment before adoption of the changes to enter into force on 1 January 2015, without much notice or possibility to respond. The concerns mainly relate to the fact that the mandatory maximum rates are supposed to be normal market value, which, so the common objection goes, they mostly are not. However, these were the rates that the code body for the pharmaceutical industry had already agreed with the Healthcare Inspectorate for the pharmaceutical field, so according to the explanatory notes to the new rates these were assumed to be transposable.

The maximum hourly rates are as follows:

  • professor – 200 Euro
  • medical specialist – 140 Euro
  • general practitioner – 100 Euro
  • pharmacist – 100 Euro
  • dentist – 85 Euro
  • nurse – 70 Euro

In case your marketing department thinks it’s clever and says that if the P goes down the Q can go up to achieve the same result, that may not work because the explanatory notes to the GMH code say that also the Q of hours paid should be reasonable given the “nature, qualifications and expertise of the HCP”. However, this qualification sounds more to me like a factor that would impact on the hourly rate than on the quantity of hours (at least in my own business of lawyering: the more experienced and specialised, the higher the hourly rate).

The maximum travel costs that can be reimbursed are

  • Car – 0,37 Euro per kilometer
  • Plane – no 1st class, only business class on intercontinental flights
  • Train – 1st class
  • Taxi – all, but ‘in addition to public transport’ (so no taxiing the whole distance between A and B if public transport is available?)

These costs come from the rules for Dutch civil servants. As a taxpayer to the Dutch state it is highly reassuring that apparently all Dutch civil servants can always fly business class on intercontinental flights. It’s allowed to compensate additionally for loss of income due to travel (unclear whether the maximum hourly rates apply, because the loss of income is often higher) but it’s not allowed to facilitate double dipping (paying for travel time and for preparation time if the travel time can be used for preparation).


Things are happening in compliance requirements in the Netherlands. Medical devices companies with implants concerned that have sponsoring and/or consultancy arrangements with Dutch HCPs in the fields of orthopedics and cardiology have to keep track of payments in 2015, and report during the first month of 2016. The Netherlands has thus joined a growing group of countries requiring sunshine transparency of HCP payments, albeit with a limited pilot.

Want more information? Just let me know.

More on 3D printing of medical devices – seminar in Amsterdam with DSM and Materialise

Because we see a huge increase in interest in regulation of 3D printing and biofabrication (which I have blogged and taught about), my firm decided to organise a seminar about it.

As you are used to from us, it’s free, we don’t want anything in return, we love it if you show up and if you don’t that’s fine too – ask us for the slides if you would like to receive them (you can have mine in any event; you can have the others too if the other speakers agree to provide them). However, if you want the full story, it’s always best to attend because there will be drinks afterwards too at which you can network with other companies in the field.

We are very grateful for the cooperation of two companies at the forefront of developments in this field, Materialise and DSM Biomaterials, who will discuss case studies about their own products and services and provide insights into technical challenges.

To subscribe to the seminar, just send an email to the email address in the invitation below. You can bring as many colleagues, friends or contacts as you like; please just let us know in advance so we can have a name badge for everyone to improve your networking experience and ensure that there are enough chairs, drinks and snacks!

I hope to see you there.

More on EU medical devices cybersecurity regulation

In a previous post I promised more on cybersecurity, so here it is.

Spoiler alert: the conclusion of this post is that cybersecurity requirements for medical devices in Europe are currently an overlapping patchwork of different statutes with little attention to system and network security. So the conclusion is: there is nothing specific, except the security requirements in the EN 62304 harmonised standard for Medical device software — Software life-cycle processes. Compared to what the FDA is currently working on, the EU is seriously lagging behind, which is strange considering the ambitions that the EU has in eHealth, which will necessitate a lot of medical devices being networked into the Internet of Everything.

Personal data rules

That doesn’t mean that there are no general rules that manufacturers of medical devices must observe in the EU that touch upon cybersecurity. Currently there is quite an acquis being built up in terms of privacy by design obligations for networked devices that process personal data. This is the main approach to cybersecurity for medical devices in the EU at the moment.

Why the personal data nexus? Obviously, medical devices that form part of the internet of things (IoT) will process sensitive personal data in the form of personal health data. In addition to privacy by design requirements that I blogged about earlier, the Article 29 WP has now also issued guidelines for IoT devices that do focus on system security.

But, we are still not there because we are still waiting for the GDPR to drop, which will provide a framework for processing of personal health data that will apply throughout the EU. The Article 29 WP guidelines, as helpful as they are, remain non-binding guidelines.

NIS directive

The NIS directive is a new piece of legislation that will have particular relevance for companies that provide medical devices as a service or provide information society services that consist of monitoring, readout of devices at a distance, etc.

The Parliament has proposed to exclude software developers and hardware manufacturers from the scope of the directive. However, as I have observed many times now, medical devices manufacturers are less and less mere widget pushers these days. As a consequence any medical device manufacturer that operates a service in relation to medical devices would be caught under the NIS directive. And the directive is not final yet, so things may still change.

Presentation to summarise

The whole above story is a summary of my below presentation at the MD Project Active Devices event on 9 December that raised some eyebrows in the audience and provoked comments that it’s impossible to meet all these requirements without considerable additional resources.

The extra long disco version of the material in the presentation can be found in my article in eHealth Law and Policy, which you can view for free if you take a free trial subscription.

The time to act is yesterday

Excuse me? Humbug you say? Medical devices is an industry in which hackers do not operate? All the successful hacks that have happened so far took place only under controlled circumstances in unlikely usability scenarios?

I’ll speak with you again when your company does a Sony, for example, by being hacked painfully publicly several times in a single year and losing massive amounts of sensitive data (because that’s what hackers are after these days), or has the dubious honour of being the first company faced with ransomware holding active implantable devices of patients hostage.

Thinking that this will not happen to you is one of the oldest security fallacies in the book. Having been caught out ignoring this will not look good on a company, especially if you trust the company’s devices literally with your life.

And don’t forget, all the above does not only apply to the new devices yet to be placed on the market, but also to the vast amount that is already out there, with hardcoded admin passwords and less than stellar security measures built in. This means that – literally – the time to act is yesterday.

So Happy New Year – something should and hopefully will happen when we roll the dice in EU cybersecurity policy next year. Otherwise it may well become painfully obvious why we need specific and clear rules for this.

An X-traordinary New Year to you


The devices have landed – and some promotion

So, it took a while but the devices have finally landed. During the EPSCO council of 1 December it was confirmed that the medical devices policy has indeed moved to DG ENTR. I have also heard Commission officials tasked with medical devices at DG SANCO say they are in transition now.

It also became clear that the ambitious Italian pre-pack first reading plan had failed because no common position was reached. The progress report for the meeting was approved and the Italian presidency expressed the hope that the Latvian presidency can build on its work.

The Dutch in 2016

Since it has already become clear that the Latvian and Luxembourg presidencies do not have great ambitions in this matter, the scenario that I have sketched, in which the Dutch presidency in the first half of 2016 will try to make a difference, becomes more and more likely.

As you can see in the progress report, there is still a lot of work to be done. Even though all chapters of the proposed regulations have been tossed repeatedly like a regulatory salade niçoise (every chapter and every annex of both proposals (20 chapters, 187 articles and 29 annexes) have been discussed two times each at the end of the Presidency), no agreement was reached and a number of political bones of contention remain, which include:

– Aesthetic devices;

– Ingested products;

– Reprocessing of single-use devices;

– the Unique Device Identification System (“UDI”);

– Mechanisms for surveillance and appointment of the Notified Bodies responsible for conformity assessment of Medical devices and In vitro diagnostic medical devices;

– the Scrutiny mechanism for certain high risk devices;

– Clinical investigations;

– Post-Market Surveillance;

– Tasks of the proposed Medical Device Coordination Group; and

– Role of expert panels and reference laboratories.

The progress report will show you exactly where the differences are for each of these categories. The politically most difficult ones are MDCG, UDI, notified bodies’ role and post market surveillance.

Impact assessment

One of the interesting statements during the EPSCO council was the statement of the Dutch delegation that they thought that with all the amendments on the table it would be a very good idea to revise the impact assessment underlying the original proposals. I cannot applaud that enough, because as I have argued time and again, the so far fact-free amendments of the Parliament should have a basis in reality and it should be made clear what these amendments mean for industry, costs of healthcare and the patient/payor. It would be very interesting to see what the Parliament’s amendments amount to when they are assessed for impact. It will probably show, for example, that the hazardous substances amendment will add nothing in terms of safety but will only cost a lot in terms of compliance for compliance sake exercises.

Prediction for 2015

My prediction for next year (2015) is a year of quiet diplomacy in the background to pre-cook a final agreement during the Dutch presidency. It may happen that the trilogue finally kicks off during the last half of 2015, now that the Parliament voted to be ready for it on 5 November 2014. 2015 will also be the year of eHealth and mHealth, with the Commission starting to translate the feedback to the Green Paper on mHealth into policy actions, part of which may be fed back into the discussions regarding the medical devices regulations, e.g. on the definition of ‘medical device’. The Council and the Commission may also realise how ill-equipped the current proposals for the medical devices and IVD regulations are to deal with modern devices as a service, standalone software and the nexus with

Also, the unannounced audits will become established practice and the notified bodies will continue to increase their clinical evidence requirements as a result of the joint audits under the Joint Action Plan.

Finally, new production techniques like 3D printing will need to find a place in the regulations one way or the other, or we will need to accept that from a regulatory perspective there is no difference.

So how to keep track of all that?

Here are some suggestions for the end and beginning of the year, to stay on top of all these developments:

I hope to see you at one or more of these very worthwhile events!

EU Council also thinks genetic testing amendment in IVD regulation proposal is outside competence EU

In a previous blog I have addressed the genetic testing amendment to the IVD regulation proposal and have provided argumentation why this proposal is outside the scope of the legislative competence of the EU. To make it interesting I have also explicitly challenged the author of the amendment, rapporteur for the IVD regulation proposal Peter Liese, to prove me and my colleague Julian Hitchcock wrong in our conclusions (executive summary here).

We were actually right

Nothing happened and nobody challenged our conclusions. That may be because we were actually right. We were not challenged by the University of Passau, nor did it admit that its report’s conclusion, which provided the foundation for the Parliament’s amendment, was wrong (which it is, and the report was commissioned because the rapporteur himself also doubted that the EU had this competence in the first place). Nor did Mr Liese admit that he had misjudged EU competence.

Rather, the EU’s sovereign member states comprising the Council backed us up. The Dutch government recently stated in answers to the Dutch Parliament (in Dutch, sorry – we’re working on a translation) that a majority of member states in the EU Council consider this proposal outside the scope of EU legislative competence, on the exact same grounds that Julian and I concluded in our report: subsidiarity and proportionality prevent imposing medical-ethical requirements on the national practice of medicine with genetic testing.


The Dutch government states that it looks like the Council can accept a compromise to the effect that member states may deal with this matter themselves at national level, much like where things look to be going with respect to reprocessing of medical devices.

Insufficient attention for IVDs

Also, the Dutch confirm a point that I have lamented often on this blog: the lack of attention for the IVD regulation in the legislative process. The Dutch say that the negotiation process regarding the IVD regulation is tough going (“moeizaam“), and that there has been little attention for IVDs in the whole revision process so far because priority is given to the medical devices regulation. This is also painfully obvious in the progress report of the Council for preparation of the Employment, Social Policy, Health and Consumers Council meeting on 1 December 2014 (more about this progress report in a future blog).

Cause for concern

The Netherlands thinks that this is a cause for concern and will make efforts to ensure that sufficient time is dedicated to this important subject during this presidency and the following ones. I agree. It would be useful if there were more attention for the IVD regulation. Not only will there be very big changes for the IVD industry as a result of the IVD regulation proposal, but the importance of IVDs in modern personalised medicine is enormous. IVDs are just too important for society to be overlooked and underprioritised this way.

What happens next?

Well, the Parliament may realize that you cannot conjure competence to legislate out of thin air under rule of law and revoke its proposal because it has no legal basis to be adopted.

Except that this is not how politics work, because this amendment will of course not be revoked but will go into the big horse-trading mix between the Commission, the Council and the Parliament. Let’s hope that the Commission and the Council keep in mind that negotiation can only take place with bargaining chips that actually exist and that there really is nothing to negotiate on this point: the compromise on the table is actually just explicit codification of the current situation at member state level.

In, on and near body networks EU regulation

I had the pleasure of being invited to speak at the Health IT forum at the MEDICA conference last week on regulation of in, on and near body networks. Most of my day at the MEDICA I spent in the health IT hall, catching up on developments, particularly in the interesting Wearable Technology Pavilion with all its cool gadgets, and talking to clients with booths in the hall or out and about there.

The Health IT forum session about “Healthcare in the age of IOTS. Exploring the added Value of IOTS in Healthcare research, policy and service delivery” put me on a panel with SAP, Microsoft, IBM, Bosch, the illustrious Fraunhofer Institute and my friends at the Continua Health Alliance. It was a lot of fun. The MEDICA will probably put the video recording on its site sooner or later.

Here is my presentation (it was pretty difficult to jam it into 15 minutes but I managed by excluding all the breathing pauses), focusing on what I think are currently the three hot regulatory issues in healthcare and the Internet of Things (IOTS): medical devices regulation, cybersecurity / draft NIS directive and personal (health) data:

So let’s look at each of these three categories in a bit more detail and context.

Medical devices regulation

In terms of medical devices regulation there is of course the by now completely worn out record of the medical devices regulations (at least on this blog it is), which are getting interesting again now that the Italian presidency is rumoured to be engaged in a major push behind the scenes to still clinch the pre-pack first reading that they were planning. Also, the Commission has in the meantime published what it thinks of the Parliament’s first reading on the medical devices and IVDs regulation proposals and has, among other things, no problems with the ill-considered (if you ask me) expanded definition of ‘medical device’ that will include everything with an indirect medical intended purpose. This will redefine the concept of regulatory burden for the industry and expand the scope of medical devices regulation to include many, many things that were never intended to be regulated as medical devices, something even the European Court of Justice warned against in the Brain Products case. So good luck: potentially every device that does anything related to a person that may in any way be beneficial for general health in the long run (like a step counter, for example) will be sucked into the scope of medical devices regulation. Will that make the world a safer place for patients? Probably not.

Cybersecurity / draft NIS directive

At first sight it seems that there is not much currently in EU medical devices regulation with respect to cybersecurity if you compare this to the new FDA guidance on the subject, but if you look closer there are some design requirements that can be drawn from the EN 62304 standard (see slide 11 of the presentation above). You could even argue that networking aspects are addressed by the mentioning of authentication, authorisation and communication integrity, which is the main security Achilles heel of many of the networked medical devices on the market currently. On the other hand, there does not seem to be a lot of interest at EU level for this subject. All policy documentation that touches upon medical devices and mHealth approaches security from the angle of protection of personal (health) data, a perfectly valid concern but not an adequate approach to security at all.

The draft NIS directive stands to impact substantially on networked medical devices (slide 13) because it will apply to basically all IoT enabled medical devices. It triggers design and organisational obligations in the field of security as well as breach notification obligations (yes, additional to and conveniently diverging from any breach notification obligation under EU data protection law).

More about cybersecurity for devices in my next post on this blog!

Personal (health) data

Personal (health) data remains a problem, with the current framework being in a state of hot mess and the new framework under the General Data Protection Regulation being in a state of legislative limbo, in the sense that the Commission says it’s all very urgent and a high priority and must be finished this presidency, but an end result is still not clearly visible on the horizon. Yet, the GDPR will remedy a lot of the deficiencies of the current directive – that is, if it turns out looking more or less like the first reading of the Parliament. There are a lot of crucial issues in the air, like regulatory one-stop-shopping, the exemption for extra-institution outsourced processing of health data and extra-EU international data transfers, just to mention a few that are critical to business models for service providers in the healthcare business that operate services that use IoT enabled devices to collect personal health data from patients in and outside the clinic and process it using cloud services (isn’t everybody doing (or wishing to be doing) that?). Just read the statement of the Healthcare Coalition on Data Protection, backed by not the slightest of organisations, and you will agree with me that it’s a bleak picture for business if there are no drastic changes made to the GDPR (which it currently looks like there will not be).


Should we be worried? Yes, I think so. As I have blogged before, Europe has a tendency to be the ‘department of no’ when it comes to regulating this type of technology. Companies understand very well of course that there has to be regulation of safety and performance, but how about making sure that such regulation is coherent, up to date, consistently applied across the EU and proportionate, so they can actually work with it and plan ahead? The EU is losing itself far too much in politics and its weird love/hate relationship with anything ‘innovative’, as has been more than clear in the medical devices and GDPR dossiers, which makes for sub-optimal regulation for everyone involved.

