If you are active in the medical software field in the Netherlands you may probably be aware already that the the Dutch healthcare Inspectorate IGZ has announced that it will rigorously enforce medical devices law against medical software that they consider a medical device as of 1 January 2014. They have said so pretty clearly on an invitational conference last 5 June, and have now started to collected information from the market to determine the general compliance level in what looks like a pretty large information gathering exercise. Several companies I know have received the same letter that has been drafted from the assumption that the company’s software is a medical device. The information that IGZ scoops up in this information gathering exercise will be used to define their enforcement policy for the period after 1 January 2014 and of course, to determine whom to enforce against first.
The question of course is if you are obliged to provide this information, and whether if you are perhaps incriminating yourself by providing information in the level of detail requested. At this stage we have no idea what the IGZ is going to requirement as satisfactory compliance benchmark for medical software under medical devices law. We know that some companies are providing the information without giving it a second thought, but I think this may not always be the best idea looking forward.
Practicalities of how-to
Every company that develops or sells software (apps, websites, electronic health records) for the healthcare industry in the Netherlands and/or has its authorised representative in the Netherlands will be affected by this sooner or later. Since the IGZ has determined that it is going to put the medical software market through this process, I though it would be a good idea to organise a seminar about this at my firm in Amsterdam on 16 October 2013, see below for invitation. We have been able to get some of best medical software experts in the Dutch market for presentations.
The seminar will not only discuss what to do in the various enforcement scenarios we expect, but also how to determine if your app, website or other software is a medical device in the first place, and if so, how to design it for compliance. We will also address the practicalities of CE marking of software and the often overlooked other important compliance element of protection of personal health data compliance.
See you there!
We hope to see you there on 16 October – please RSVP to the email address in the below invitation so we can plan resources for the seminar. If you have any questions beforehand, feel free to contact me or my colleague Sofie van der Meulen.
As a former inspector for IGZ I can explain a bit more about the facts and miths regarding questions asked by the IGZ in relation to self-incrimination. If the IGZ asks these questions as part of their role as a supervisor, they can ask a lot and you are obliged to supply a truthfull answer. If not, you are in fact breaking the law (Algemene Wet Bestuursrecht art. 5.16 and 5.20). In return, the information you supply may not be used against you in court. If the IGZ suspects serious infringements, a new investigation should be done. This time all involved should first be cautioned and it is not necessary to cooperate.
All this looks quite clear, but reality is a bit more complicated. First who is the ‘you’ that has to reply to IGZ? ‘You’ are all the inspection subjects of IGZ. For medical devices these subjects are Dutch based manufacturers, authorised representatives or distributors. So, if you are a manufacturer or authorised representative you can answer the questions from that perspective. Same for the role of distributor. If you are a consulting organisation that helps others to decide on what software they should buy, you are probably not a supervising subject for IGZ. You don’t have to reply, but I would recommend to give a good motiviation for not replying.
An other problem with these questions has to do with the ability for IGZ to issue fines. If you are not compliant, IGZ can write a ‘fine report’. In this report you will be informed that you are not compliant and that you have a short period of time to change this. If you don’t comply after that period, you will be fined. However, IGZ can’t support their claim for this fine based on the information that has been given as part of their supervision, they will use other sources for that. For example: they may look at the label of a device and conclude this is not in comformity, and issue a fine for the label.
The information gathered by IGZ will be used for building and feeding a risk model. Based on that model some companies will get more attention than others. A first – and quite strong! – risk indicator is the speed and quality of repying to a request for information.
Conclusion: if you are based in The Netherlands and indeed involved in manufacturing or distributing medical devices, you have to answer these questions and you have to do this truthfully. And make sure you are not amongst the respondents that need to be reminded to reply. But you don’t have to be affraid that you will get into problems as a direct result from this. That may happen later, when an inspection or samples taken from the market show serious non-compliances.
Hi Ronald, thanks for this detailed comment. I agree with you on the law – however, the problem is that IGZ is not always clear for what purpose they are asking the information, which is also the case here. If they were only clear about the status of this letter (which they are not) that would help a lot. Furthermore, there is no legal basis that I am aware of preventing the IGZ from using information collected in an information request for the purpose of a later investigation. Actually, legal commentary says that the IGZ is perfectly allowed to use information from an information gathering exercise against you later in enforcement. Information provided pursuant to an information request may indeed provide a reason for IGZ to suspect infringement and then switch to enforcement mode because you have just handed them a smoking gun without realising it (and only then they are obliged to tell you that everything you say from that point onwards can be used in the enforcement procedure) – but there is no obligation for IGZ to un-know what they have learned in the information gathering exercise when they start enforcement. Also, it is pretty difficult for the same inspector to un-know in enforcement what he knows from information gathering. This is a very difficult dilemma for companies, because they have to think about what information they provide pursuant to an information request since it may be used against them later.
Dear Mr. Vollebregt,
I know the blog entry is a little bit older, but in the last weeks questions arose regarding the actual actions taken by the Dutch authorities and their plans for the future.
What is to be expected? What already happened? What information are necessary on top of the “normal” essential requirements? Are there specific areas of concern?
As you can see in my e-mail address, I’m working for a big enterprise, which has some experience in the field of medical devices, but in our area of information and archiving systems, there are some uncertainties left.
I know you made a seminar on 16th of October, which I couldn’t join. Perhaps it is possible to give me a short summary or some links. It would also interesting, if there would be a second possibility to join a seminar.
Thanks in advance
Dear Mrs Geierhofer, apologies for the late reaction – there is a lot I can say about the plans of the Dutch authorities, both on an off the record. We have for example seen some very strange moves by them recently, such as second guessing valid approval to initiate a clinical investigation based on the notification duty and enforcing against an authorized representative arguing that they were actually a manufacturer. These are two definite areas of concern. Also, we have no idea how they will enforce in software area – so far they are doing their best not to enforce even if they say they will as of 1 January. Another interesting one is that the Dutch are lobbying the other member states in Brussels to incorporate business compliance rules for the relation between companies and doctors in the regulation that is currently in the process.I will put your contact details on our mailing list for seminars. If you want to discuss Dutch authority policy in more detail, just let me know. Happy holidays and best wishes for the new year!