The moment is NOW! And medicinal product trials requirements feedback in medical devices clinical requirements

Yet another post! Apologies, I am very productive these days. A lot is happening and I am just trying to keep track, because the moment is NOW if we don’t want to get stuck with medical devices regulation in the EU that will not achieve its objectives, will hurt innovation and, last but not least, will make it more difficult to bring innovative devices to the market for the benefit of the patient.

Really, if the proposal of Mrs Roth-Behrendt makes it through, you can expect manufacturers to gravitate to the bottom and concentrate their efforts on me-too devices that require little innovation and have a low regulatory risk profile. That will be a development to look forward to. Only the big ones with deep pockets will be able to make innovative products. But why should they, if we’re not willing to shell out all the extra costs for the regulatory process? Sounds much like the problems plaguing the pharma approval system that we would like to solve, right? If we know how to do better, then why don’t we?

Where does this rant come from, you ask? Yesterday I had the pleasure of speaking at the Informa conference on Clinical Evaluations and Investigations for Medical Devices, and I took the temperature of the mood about the revision of medical devices law among some of the most innovative devices companies in the world. The mood was glum. Companies are in shock. They don’t know what to do with all this zigzagging on the regulation. Companies are now starting to postpone investments because they have no clue what the EU will pull out of its hat next to move the goalposts in regulatory requirements. They’re frustrated, but they can deal with that. The worst is that they have no idea where this process is going and therefore cannot plan ahead. And that has consequences for innovations that are currently in the pipeline. I’m not making this up. At this moment almost any other market has a more reliable regulatory outlook than the EU. High five! And who is the biggest loser in this debate? You, me, everybody – because we all end up in the hospital sooner or later and would like the best medical technology to be available then. Companies can go do something else, but patients have no alternatives, as Eucomed underlined in their Don’t lose the 3 campaign. We’re in this together.

In the meantime the Irish Presidency was beavering away in the same city on getting the medical devices regulation in shape, which (so I picked up) they may not manage because the member states are dragging their feet. The member states are too busy with other things to seriously look at the devices regulations that create so much turmoil in industry and in the European Parliament. This would explain the stealthy behaviour of member states with respect to the outcome of the Dalli Action Plan, which they were supposed to present under the Irish presidency at the end of January 2013. I get the feeling member states lack a sense of urgency to improve things in market surveillance while the new regulations trickle through the system. If the member states only start to look at the draft regulations seriously in Spring 2014, there is a pretty realistic chance that the regulations are not finished before the European Parliament elections in early summer 2014. That will set the process back considerably, possibly by years. A very responsible way to deal with public health issues – if there are any in the first place, because the existing rules are capable of solving all the problems if the member states step up on market surveillance and control of notified bodies, as I have argued often on this blog.

At the conference I spoke about the ongoing changes to EU medical devices regulation and the thinking of the European Commission and Parliament to align the clinical requirements more with medicinal products clinical trial requirements, just another interesting gem in the proposed regulation. As you can see in my presentation (below), this conceptually interesting idea is not entirely consistent in its execution and not as well thought out as it could be. For example, why use different definitions of ‘sponsor’ between pharma and devices, with “liability” as the delta? “Pah, liability in trials – small detail” you might say. Yeah, just tell your management that and see what happens.

Oh, and it could result in your clinical trial data becoming public if the authorities take ‘alignment’ seriously and our friends in pharma don’t succeed in putting this genie back in the bottle after the European Parliament’s rapporteur proposed to amend the clinical trials regulation proposal to that effect.

There’s a lot of detail to this presentation that I don’t have time to write out here, but if you’re interested, I’m happy to explain.

The audience agreed with me that this regime is nothing to look forward to. Parliament people, please please please think things through and ask someone on the outside for a fresh perspective before writing down things that only complicate and confuse matters. Protection of patients is not the same thing as creating legal uncertainty and then crying victory for stricter requirements. And member states, how about some involvement here?!

Guest blog: no enhanced patient safety resulting from rapporteur Roth-Behrendt’s proposal


I am very pleased to publish a guest blog by Annet Muestege, director and co-founder of Applied Clinical Services BV, which dives into the clinical aspects of the DRB report proposal in significant detail. Since I am only a lawyer, I am very happy with the clinical picture with respect to this proposal from someone as knowledgeable as Annet. Annet is also a blogger like me, and I recommend her blog Medical Devices Clinical. It does a great job of providing the clinical perspective on medical devices regulation. Are you a writer and interested in writing a guest blog like Annet and James did? Just send me an email with a proposal.

So, take it away Annet:

ENHANCED PATIENT SAFETY?

Time and money, similar to pharma, that is what I think the changes to the proposed European Medical Device Directive will require when reading the Roth-Behrendt report. Looking at it from a clinical research perspective:

Randomized Controlled Trials

The report seems to be driving towards a more medicinal product oriented approval process including randomized clinical trials. The phrase

“Clinical investigations for medical devices, where made compulsory in accordance with this Regulation, shall include randomized clinical investigations in the appropriate target population and well-controlled investigations”

to me suggests that a randomized clinical trial is always required as part of your pre-market clinical evaluation for the higher classes of medical devices. An activity that may be unnecessary or even inappropriate in certain situations – for example when an alternative treatment does not exist – and will demand a substantially larger clinical investment as compared to a single arm clinical trial.

Efficacy

The term efficacy is added throughout the report and at some points even seems to replace the term performance. The statement that

“Performance should notably be understood broadly so as to encompass efficacy and benefit to the patient, which shall be checked in cases where clinical investigations apply”

tells me the report is moving from the requirement to show clinical safety and performance before marketing authorization to clinical safety and efficacy. Proof of efficacy will require more and different clinical data and thereby will require a significantly larger clinical investment in money and time.

Ethics Committee

The proposed amendment suggests adding a complete section regarding authorization of clinical investigations by independent Ethics Committees guarding the rights, safety and well-being of subjects participating in a clinical investigation. Nothing surprising there when you are used to following ISO 14155 for your clinical trials, but the explicit mention here does not leave room for any clinical investigations being conducted without Ethics Committee approval.

Postmarket surveillance

The report promotes a more pro-active attitude towards postmarket surveillance: requiring instead of suggesting the installation of registers for class IIb and III medical devices to collect experience related to the use of these devices. Together with the suggested independent scientific review of the PMCF evaluation report for class III medical devices, this will again add to the clinical administrative burden. When well handled though, this aspect of the report can also have a positive impact on patient safety for the higher class devices, and it creates opportunities for the medical device industry for publications on long term product safety and effectiveness to drive market adoption, as previously blogged.

Conclusion

Besides pushing towards a PMA-like structure, as Vollebregt and EUCOMED already mentioned, it seems the Roth-Behrendt report is moving towards a more medicinal product-like approval process. When implemented, the above elements will significantly add to the clinical evidence burden before market access and require a substantial investment in time and money, thereby delaying time-to-market. Also, I cannot help but wonder how these measures would contribute to enhancing patient safety, which is the ultimate goal of the proposed changes to the European regulatory system. The only positive element in that respect I find is the enhanced attention to postmarket surveillance. To be continued…

Team NB FAQ on EN62304 standard for software lifecycle processes


Many companies developing medical software, especially the smaller app developers, have difficulties applying the EN62304 standard. For that reason a number of experts under the auspices of Team NB started work on an FAQ document shedding more light on how this standard works, so as to enable companies to conduct more productive discussions with their notified body and to assess their own software better. The document has been reviewed by a voluntary team consisting of a few notified bodies as well as the ISO group that is responsible for the ISO 62304 standard. The document’s aim is to be used by all notified bodies as a reference document to ensure more consistent application of the standard. It answers 73 unique questions, divided into 7 categories. For more background on this, see Eisner Safety Co.’s summary and the FAQ document here. The document is a living document and its authors invite comments on the email address in the document.

The document produced is, I think, a great help in understanding the EN62304 standard, because it is based on actual realistic questions that the market sent in in response to the consultation for the FAQ document. If you want a nice rundown of what is in the document, Leo Eisner is your man with his post here. Because that rundown is very complete, I’d like to focus on some points that I found particularly interesting myself. And I’d like to compliment the authors on the playful inclusion of pictures in the document – e.g. a picture of soup in the section discussing SOUP – pretty unique for technical guidance documents.

SaaS

Software as a Service (SaaS) is something we’ll see more and more with apps being run partly on a handheld and partly on a remote server, or maybe completely from a remote server. In this respect the FAQ document provides that “[The] [medical devices directives, “MDD”] does not cover the overall service provided. MDD only covers design, manufacturing and regulatory post market activities of the medical devices. Nevertheless, it is the responsibility of the MD legal manufacturer of the software intended to be used as part of a wider service to manage the specific risks related to the use of the software itself under the service environment.” This is in line with the modularisation thinking set out in the standalone software MEDDEV 2.1/6: if you have a bigger suite of applications or elements, identify the medical functionality (which must be CE marked) and manage the dependencies with the rest of the software it works with.

Definition of software under MEDDEV 2.1/6

Even Excel macros can be ‘software’ in the meaning of MEDDEV 2.1/6:

“Excel macros sold with an intended medical use fall under the MDD and must be created according to EN 62304.”

That is only logical if they go beyond “an action on data, or performs an action limited to storage, archival, communication, ‘simple search’ or lossless compression” in the meaning of step 3 of the flowchart on p. 9 of that MEDDEV. It just underlines that ‘software’ in the meaning of the MEDDEV can also be what many people would refer to as a document.

Network devices

The FAQ document says:

“An internet based, server based or cloud based software that meets the definition of the MDD is a medical device. Any general purpose operating system or network software is a SOUP. Any general purpose commercially available hardware devices such as network or storage capability that does not meet the definition of an accessory according MDD are only non-medical components. Nevertheless, risk associated with such HW architecture has to be managed in the medical device risk management file.”

That is all fine and good for the moment, but don’t forget that the new Medical Devices Regulation and IVD Regulation proposals include a definition of accessory that is much wider than the one currently set out in the MDD, because it will also include devices that “assist” (and not only enable, as currently drafted), so it cannot be excluded that the scope of the definition of accessory will come to include more network devices.

Is compliance with EN62304 sufficient for placing on the market?

The FAQ document answers this common misunderstanding with a clear

“No. Compliance with EN 62304 does not provide a presumption of conformity with all applicable essential requirements of Annex I of the MEDICAL DEVICE Directive. EN 62304 for instance does not cover usability aspects, clinical evaluation, and the final validation of the software product or the need for accompanying documents such as user instructions. Therefore, other standards and procedures need to be considered to show complete fulfillment of all applicable essential requirements. (If harmonized standards are not applied, the manufacturer has to justify and explicitly state the selected equivalent alternative methods)”

SOUP selection, assessment & qualification

I really like flowcharts because they’re helpful to analyse problems and fit them into procedures, so I was happy with the nice flowchart for SOUP selection, assessment & qualification in Annex 2 of the document, because what company still writes all of its code itself these days? If you don’t, like basically everyone else, you have to have a process for dealing with the integration of external software in yours. Annex 2 provides a nice example of a process for the selection, assessment and qualification of SOUP suppliers. It shows the degree of control you have to implement over your software supplier. What it doesn’t say is how to implement that in your agreement with your supplier. Fortunately I have had plenty to say about that, for example here, here and here. With the software supplier often being critical, you even have to plan and contract for surprise audits of your software supplier by your notified body.

Direct diagnosis

The document raises the issue of direct diagnosis as a classification criterion and, for good measure, incorporates COCIR’s Position paper on direct diagnosis from 2011 in annex 4. That paper concludes that software provides for direct diagnosis when the diagnosis is made “without the necessity to acquire or take into account additional information” by the user, regardless of whether the diagnosis is made by the device or by the user him- or herself. That means that a lot of software would fall within the definition of direct diagnosis and be bumped up to risk class IIa (and as a result be subject to notified body scrutiny), were it not for the fact that direct diagnosing software also has to diagnose “vital physiological processes” in the meaning of rule 10 of Annex IX MDD to fall in class IIa, which, according to the MEDDEV on classification, “include, for example respiration, heart rate, cerebral functions, blood gases, blood pressure and body temperature”. “Vital physiological processes” is a term that itself is not always as clear as it could be. It does however show that direct diagnosis can also concern at least three other categories without falling in class IIa:

  1. non-vital physiological processes (I could imagine ovulation cycle, nail growth, etc.);
  2. physiological states (You fell on your head? You have a headache? You saw a flash of light? Congratulations: you have a concussion.); and
  3. other diagnoses that relate to the human organism (for example, everything non-physiological, so mental disorder diagnosis)

All in all

A must read if you already develop medical software (or have it developed for you), or are planning to. A very useful document and big kudos to the team behind it:

  • Jomuna Choudhuri, VDE Test and Certification Institute
  • Koen Cobbaert, Quality, Regulatory and Risk Management, Agfa Healthcare
  • Georg Heidenreich, Quality & Technology, Siemens AG – Healthcare Sector
  • Frans Jacobs, Regulatory Affairs manager X-ray products, Philips Healthcare
  • Gerd Neumann, Software Standardization Expert, Siemens AG – Healthcare Sector
  • Michael Bothe, Head of Medical devices/Processes/Systems, VDE Test & Certification Institute
  • Peter Linders, Chair Technical & Regulatory Affairs Committee, COCIR

Rapporteur Liese’s IVD regulation amendments are out: not so horizontal as expected

Now that rapporteur Roth-Behrendt’s proposed amendments for the medical devices regulation proposal are out, it could not take long for rapporteur Liese’s amendments for the IVD regulation proposal to also be published. And here they are.

Basically this proposal is not jerking the wheel in the other direction as the Roth-Behrendt proposal does, but is mainly carefully fine-tuning the Commission proposal from an ethical perspective. These amendments seem much better considered and less political than those of rapporteur Roth-Behrendt, which seemed to me largely copied from what was put in front of her by the reprocessing lobby. The first reactions to the Liese report that I heard are positive. I think the care that the rapporteur took to keep the proposal SME friendly is to be applauded. It also does away with some of the translation formalities, applause for that as well.

Horizontal?

Although the two proposals share a lot of procedure (the so-called ‘horizontal’ matters), rapporteur Liese turned out to follow the structure set up for general medical devices less than I expected. For example, PMA for the category of IVDs proposed to be subjected to scrutiny (class D) did not materialize. Additionally, he puts in an interesting and potentially far reaching proposal to change the definition of ‘medical device’ substantively, which affects both the IVD and general medical devices proposal (more about that below).

The rapporteur tabled a number of specific items that I’d like to discuss (also because the rapporteur himself considers these the important ones):

Companion diagnostics

Companion diagnostics are looked at more critically. They can’t be subject to the in-house exemption and must undergo design dossier review like class D devices.

Genetic testing and Informed consent

A significant amount of detail is added to the genetic testing part by adding a mandatory prior-to-use informed consent procedure for use of the device on the patient’s sample, based on

  • “appropriate information on the nature, the significance and the implications of the genetic test”
  • provision by the physician to “the test subject concerned with appropriate and comprehensible genetic counselling without prejudging the outcome. The genetic counselling shall include medical, ethical, social, psychological and legal aspects”
  • while the “consent shall be given explicitly in writing. The consent may be revoked at any time in writing or orally.”

Ethical as this may sound, I think that the preoccupation with any and all genetic testing makes e.g. applying cancer diagnostics based on genetic testing of tumor tissue overly burdensome. The consultation regime and resulting informed consent associated with any and all genetic testing should, I think, only apply to specific hereditary conditions which, admittedly, can have an enormous impact on patients’ lives, and people should be counselled on that. However, I don’t see why the EU should intervene in this, because it essentially is a matter of ethics that should be reserved to member states, just like the proposal clearly states in respect of other ethically sensitive matters, like a member state’s decision whether to restrict the use of any specific type of in-vitro diagnostic device in relation to aspects that are not covered by this Regulation. In my view the rapporteur is not consistent here.

In addition, what happens when the consent is revoked after the test? Does that invalidate the test results? Can’t they be used anymore? What if medical treatment has been initiated based on these results? This invokes all the problems that the General Data Protection Regulation proposal is now causing with the right to be forgotten in clinical trials.

Near patient testing

The conformity assessment route for near patient testing devices changes: design examination is required only for near patient testing devices in class C.

Scope

You can disagree with some of the solutions chosen, such as covering tests with indirect consequences for people’s health (nutrigenetic and lifestyle tests), which I think fall outside the scope of the concept of medical device (based on the EU Court’s recent Brain Products case: if there is no direct medical intended purpose, even if there may be a relation to health, there is no medical device) and consequently cannot be IVDs, because IVDs are a species of medical devices.

HOWEVER, the scope change to implement this seems to overreach and open some floodgates by amending the definition of medical device as such (apparently to get around the EU Court’s case law) by introducing the “indirect” medical purpose:

“‘medical device’ means any instrument, apparatus, appliance, software, implant, reagent, material or other article, intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific direct or indirect medical purposes of […]

– providing information concerning direct or indirect impacts on health”

That sounds like regulating things that are way remote from what is medical: a device with an indirect medical purpose providing information concerning an indirect impact on health. That could be my intelligent fridge that tracks my food intake (too many soda drinks in the fridge -> bad for health) or my Garmin Edge cycling computer that measures heart performance, calories burned and watts of power generated (generating few watts at a high heart rate -> must be a medical issue). Again, this is at odds with the EU Court’s Brain Products judgment, which says that the EU should only regulate devices with a directly intended medical purpose. I guess you can get around that by moving the goal posts. The question is whether you should, because a lot of companies in sporting and general health products will suddenly find themselves producing medical devices. Just imagine what the accessory cloud around these medical devices would look like with the proposed amended definition covering any device that “assists” a medical device in its intended purpose. Explosive proliferation of medical devices regulation – as a devices lawyer I say: go for it!

In addition, the amendment of the definition of manufacturer will also ripple through into the medical devices regulation. The rapporteur proposes an impressively amended concept of manufacturer, which also includes packaging, labeling and assembly, while the text is unclear about whether the packaging, labeling and assembly activities must be conducted with a view to the devices concerned being placed on the market under that person’s own name (it is not clear if “with a view to their being placed on the market under that person’s own name or trademark” applies to both sets of activities mentioned or only to the latter):

“the natural or legal person with responsibility for the design, manufacture, packaging and labelling of a device before it is placed on the market under that person’s own name, regardless of whether those operations are carried out by that person or on that person’s behalf by a third party. The obligations of this Regulation to be met by manufacturers also apply to natural or legal persons who assemble, package, process, fully refurbish or label one or more ready-made products and/or assign to them their intended purpose as devices with a view to their being placed on the market under that person’s own name or trademark.”

That definition clashes blatantly, however, with the ‘new’ New Approach system set up on the template of Decision 768/2008, which defines a general set of definitions and procedures to be used in CE mark regulation, including that of ‘manufacturer’. If you want to clarify the concept, I think a mechanism like the one in the medical devices proposal, where certain activities are also subject to control as if you were a manufacturer (translation and repackaging in that case), would be a much better option. Anyway, there is an opportunity to improve the drafting here, and the manufacturer concept should of course be as consistent with other CE statutes (last but not least the medical devices regulation!) as possible.

Inspections

The proposal provides for the possibility to conduct inspections at interventional clinical performance study sites. Normally national health supervision authorities already have these powers, but the regulation will fill in any gaps, because member states will then not only be able to monitor such studies but will be obliged to. The rapporteur clarifies that this way member states have no excuse to let this slide.

Beefing up of interventional clinical performance study requirements

These are supplemented with a specific regime for incapacitated and for minor test subjects – the most vulnerable study subjects.

Transitional Period

The rapporteur does not beat around the bush and wants a shorter transitional period, 2 years instead of 5 years.

All in all

The proposed amendments generally make sense, except for the medical devices definition amendment and the genetic testing counseling. Both of these look nice, but will result in a lot of practical problems because of their lack of precision.

Update 18 April 11:30 re transitional period

EDMA pointed out to me that the limitation of the transitional period to 2 years does not apply to all aspects of the proposed regulation, but only to

“the requirement for member states to cooperate with one another and a faster implementation of the new vigilance provisions (in line with the implementation of the new UDI provisions). Compliance to the new classification and conformity assessments linked to them remain at 5 years as well as many of the related provisions.”

That does make quite a difference, so many thanks to EDMA for that observation.

Hold on to your seat: ENVI’s Dagmar Roth-Behrendt report is here

Well, the long awaited DRB (Dagmar Roth-Behrendt) report is here. I read through it as quickly as I could, answered a bunch of press questions and can now give you my preliminary view. I have poked fun at the process before with the ostrich picture, but having read the proposal I am feeling more cynical than funny by now and did my share of facepalming today. You’ll understand by the time you’ve read this article. Here are my first thoughts on the rapporteur’s report.

PMA

Let’s start with PMA. It was announced. We feared it would be bad. And it is. Not even because of the procedure as such, but because of the underlying assumption that kills risk based regulation, the cornerstone of EU medical devices law. Why? The proposal divides the world into three groups: “innovative” devices, non-“innovative” but high risk devices, and the rest. The first group is subject to EMA centralised authorisation, the second one to decentralised member state authorisation and the third to the ‘normal’ regime. There is some detail on what this would cover:

Centralised procedure:

– innovative implantable devices,

– innovative devices referred to in Article 1(4) (combination products),

– innovative devices referred to in Article 1(5) and point 5.3. of Annex VII (Rule 11) (drug delivery devices), or

– innovative devices manufactured utilising tissues or cells of human or animal origin, or their derivatives, which are non-viable or are rendered nonviable.

Decentralised procedure:

– class III devices,

– non-innovative implantable devices,

– non-innovative devices referred to in Article 1(4) (combination products),

– non-innovative devices referred to in Article 1(5) and point 5.3. of Annex VII (Rule 11) (drug delivery devices), or

– non-innovative devices manufactured utilising tissues or cells of human or animal origin, or their derivatives, which are non-viable or are rendered nonviable.

By now you are probably wondering what this magic word “innovative” means. Well, the proposal actually does not tell us what “innovative” is. Yes, really. It is left to the European Commission to define the products that should be classified as such by delegated act. So, while we have evolved IVD regulation away from the cumbersome list based classification because that just did not work, we are inviting this right back in for the highest risk medical devices. And mind you, a delegated act procedure is not a light instrument; it’s political and requires both Council and Parliament input. The proposed text breathes what I have argued in relation to the scrutiny procedure: an irrational and non-evidence based fear of the innovative, just to appease public opinion rather than educate the public. The procedures proposed are not surprising for PMA: they mirror the EMA medicinal products procedure for ‘innovative’ devices and the mutual recognition procedure for non-innovative but high risk devices. You will love the token surprise inspection during the application process. You will especially like the not so well thought through transitional regime:

“Devices referred to in paragraphs 1 and 2, and which are already on the Union market at the date of entry into force of this Regulation, shall be required to have a marketing authorisation, in accordance with the procedures set out in this Section, as from the expiry date of the validity of their certificate.”

Consequently, if your certificate expires at a date after the regulation enters into force that leaves less than the minimum time needed to obtain a marketing authorisation after that mechanism has entered into force, you will have to take your product off the market. This will not work, of course.

Clinical

A lot happens in the clinical field, like the mandatory introduction of Ethical Boards at member state level for approval of studies. You love it or you hate it, but at least it’s harmonisation. What is not so nice is the addition on clinical investigation methodology:

“As randomized controlled investigations usually generate a higher level of evidence for clinical efficacy and safety, the use of any other design or study has to be justified. Also the choice of the control intervention shall be justified. Both justifications shall be provided by independent experts with the necessary qualifications and expertise.”

This means that you will always have to argue in your study design not only why a particular design is appropriate, but now also why you are not doing a study that may be completely inappropriate for the device concerned (actually randomized studies are inappropriate for the majority of devices) – so you would have to explain why you are not using placebo implants, for example.

Also, post market clinical follow up plans that you already agreed with the notified body will be second guessed by third parties for class III devices (“[technical file contains] the PMCF plan and PMCF evaluation report, including a review of the PMCF evaluation report by an independent scientific body for class III medical devices“) (underlining added).

Another interesting one is that incident reports will need to contain information on the healthcare professional and patient involved if available to the manufacturer – and they will become accessible to healthcare practitioners and the public (although in the latter case the access level is not specified).

Systematic registries will be required for class IIb and III devices, where the Commission proposal only encouraged them.

Notified Bodies

As was to be expected after the 26 February ‘workshop’ the notified bodies were not going to get it easier in the proposal. As I have flagged, what are the consequences of a notified body not adhering to an MDCG recommendation? Well, now we know: the member state responsible will have to justify this. At least this is a way to make member states responsible for what their notified bodies do, but I doubt if this is the right way because it assumes that the MDCG is always right while there is nothing in place to ensure that the MDCG always has more expertise than the notified body.

“As a consequence of the internal market, manufacturers are allowed to apply with a notified body established in another Member State than the one where the manufacturer is registered. However, in the view of improving transparency, if a manufacturer chooses to do so, it should inform the national authority of the Member State where it is registered of such an application.”, argues the rapporteur.

Making it more difficult for manufacturers to use notified bodies in other member states will likely raise eyebrows with the legal service of the Commission because it hinders the free movement of services, in my view unjustifiably. Indeed, I don’t see why member states could not receive this information from the Eudamed database. The idea of increasing transparency of fees charged and ensuring they’re comparable across member states sounds good on the surface, but the prospect of enacting national legislation reflects a desire to have government regulation of the prices of notified bodies. On the one hand the proposal increases their overhead considerably and on the other it provides for mechanisms to compete on price rather than quality. That’s not logical and won’t achieve the intended result. Companies can already compare costs because the mandatory services provided are the same. The proposal implements more control on notified bodies using subcontractors. I think that is a good thing (I have had some bad experiences with outsourced auditors in cases for clients), but this is something the notified bodies are already fixing themselves in their code. Putting it in the regulation will take care of free riders that do not want to subscribe to the code.

Reprocessing

This part of the proposal seems to have been completely written by the reprocessing lobby. Disclosure: I am normally on the OEM side, so you would expect me to say something like this. However, if I were that industry I would be worried about such a stunning success in getting very controversial points across and written down as proposal. The report proposes to introduce the assumption that EVERY device (yes – “every” as in “none excluded”) is capable of being re-used but that economic considerations prevent manufacturers from admitting this. Here is the rapporteur writing:

“Reuse of medical devices was very common until the 1980s, when manufacturers started more systematically to label their devices as single-use. The current situation is that there are too many devices labelled as single-use while they could be reprocessed, as manufacturers want to avoid bearing the responsibility in case the reprocessing of a device would pose a danger to a patient. Sometimes, improper labelling is the result of economic considerations.”

Let’s apply this reasoning to medical practice: opening up people to take a look inside has served us well for centuries for diagnostic purposes, now we are using MRI and CT scanners because these naughty manufacturers just want to make a profit. So, let’s get rid of these scanners because they just add to costs.

The rapporteur totally ignores that there might be a reason that has to do with, let’s say, usability and risk/performance ratio, that devices get built for single use. Catheters that have to be capable of being reprocessed will be built sturdier and be less friendly to the patient’s vascular system, just to mention an argument that even lawyers understand. This is so absurd that a Star Trek quote is in order (Dr McCoy observes a primitive treatment method in Star Trek IV): “My God, man! Drilling holes in his head isn’t the answer! Now put away your butcher knives and let me save this patient before it’s too late!”

The burden of proof is on the manufacturer to prove that a device cannot be reprocessed. The manufacturer has to prove this, and in case of class III devices, even commission a SCENIHR opinion to back this up. Essentially the reprocessing industry gets all clinical substantiation for free from the OEMs, who have to provide clinical support for activities that they do not intend for their products. Sounds very logical, right? The problems are compounded because the whole reprocessing regime will apply to everything in the proposed definition of reprocessing (which was not amended): “the process carried out on a used device in order to allow its safe reuse including cleaning, disinfection, sterilisation and related procedures, as well as testing and restoration of the technical and functional safety of the used device”. Consequently, the fairly balanced regime for reprocessing from the Commission’s proposal is blown up to include all current and normal activities to prepare intended re-usable devices for intended re-use. I know that I will be buying my own single use devices for my family and will be taking them to the hospital if this proposal clears.

Isn’t there anything good in there?

Actually, there is. The report proposes to involve healthcare practitioners more in the incident reporting process, one of the points on which I think the Commission proposal clearly fell short.

Now what?

This is just a preliminary view, but the big picture emerges: largely token measures that will not solve the problem they purport to solve. The rapporteur’s report will be the basis for the ENVI committee’s vote, which in turn is the basis for the vote by the parliament. There are however also other parliamentary committees involved, such as IMCO (internal market), which issued a report that includes no PMA at all. Further, the member states have to agree for the proposal to become law. So far (as far as I know), only France has been lobbying for PMA. Industry can still lobby and they certainly will. I think this report proposes a regulation that nobody should want because it is especially onerous for the SMEs in the higher risk medical devices. It is prone to create a sub-optimal regulation as we have with the ATMP regulation, which has very little to show for it in terms of authorised products and includes a lot more SME stimulation than the devices regulation proposal, which actually includes no SME incentives. EMA has for some time already been canvassing biotech SMEs to please, please take a chance with the process. Is that what we want for devices?

Update 16 April 9:49

You know that feeling when you write something, send it off in a hurry and then look at it the next day? I had that feeling this morning, so here are some updates (apart from the spelling mistakes I already corrected in the text above – apologies for those).

Here is the IMCO committee report link (it’s not up on OEIL yet, so you’ll have to get it from my Dropbox for the moment, I hope your security allows it). You’ll see that IMCO’s report stays closer to the Commission draft, but makes the MDCG scrutiny opinion binding on the notified body, beefs up the clinical expertise behind the MDCG (if you have to go MDCG, this is a sensible thing) and provides for a scientific advice procedure for manufacturers that have scrutiny-liable devices (hopefully good for SMEs, works like the pharma system in the EU).

The notified bodies are not very happy at all – they have a closed huddle today to see how they should deal with this.

As @robertmdproject pointed out to me: don’t forget that the proposal seeks to redefine some core technical and clinical concepts in medical devices regulation:

  • “performance”: “any technical characteristics, any effects and any benefit of the device when used for the intended purpose and in accordance with the instructions of use;”
  • “benefit”: “the positive health impact of a medical device based on clinical and non-clinical data”; and
  • “safety”: “the avoidance of risk or harm caused by the medical device or associated with its use”

You can imagine the impact this will have on, for example, the way we will have to interpret harmonised standards like EN 14155, the medical devices GCP standard that contains a definition of “clinical performance”, and risk management standards like EN 14971 (which contains a definition of safety different from the one proposed (“freedom from unacceptable risk”) and describes risk/benefit analysis in great detail). How are we going to work with definitions that conflict with harmonised standards? I honestly have no idea.

The IVD regulation proposal by rapporteur Peter Liese is not out yet. It is expected in the coming days and I’ll report on that when it comes out. But you can expect all the procedural stuff to be identical or similar, like PMA for class D IVDs. The IMCO report on the IVD regulation proposal proposed to clarify the in-house (home brew) exemption/regulation and to include predictive genetic tests. I expect this to find its way into Peter Liese’s report too, given the preoccupation with genetic testing we have seen.

What’s cooking at IMDRF? UDI and software, among other things


After the GHTF had been decommissioned – much to the disappointment of many – the IMDRF had big shoes to fill and everybody is watching if they manage.

The outcome statement of the last meeting in Nice, France of 19-21 March gives us a peek into what is happening.

Standalone software

The new work items were interesting to me. IMDRF will start work on international harmonization of the approach to standalone medical device software and on the definition of common data elements describing medical devices through the regulatory lifecycle. As you know, the EU is currently revising its standalone software guidance, the Swedes are in the game to hijack that process, the EU is also working on a Green Paper about health and wellness apps, the EN 62304 standard is by now starting to get really outdated and the FDA is still fighting with everybody else about what it will do in mobile medical apps. What better way to sort this all out than with some good international harmonization? The market for medical software as standalone software or as deployed in eHealth, telemedicine or mHealth is extremely international and will benefit greatly from harmonisation, so my applause for the initiative! I’m very curious how it will turn out.

Medical profession

There was also unanimous support on the importance of involving the medical profession in the IMDRF work, very nice. Hopefully the medical profession will get enthusiastic about being involved in devices vigilance, because this is one of the big gaps in EU medical devices regulation that also the new proposals won’t fix because they also only ‘encourage’ healthcare professionals to play a role.

UDI

The big problem with UDI in the EU is that we have placeholders for it in proposals that may enter into force years from now and implement UDI in stages, while we are waiting for the Americans. With that in mind, this is a situation that the IMDRF is supremely well positioned to advance. And it does: it reports that “[t]he work on the revised Unique Device Identification Draft Guidance 2.0 on labeling specifications is progressing. A public consultation is envisaged in the near future.” When that will be we don’t know, but we do know that the FDA is planning to, by 30 November 2013, as a member of the Unique Device Identification (UDI) Workgroup, present to the IMDRF Management Committee a draft IMDRF guidance document on UDI to update the September 2011 Global Harmonization Task Force (GHTF) document entitled “Unique Device Identification (UDI) System for Medical Devices”. In the meantime the European Commission is also jumping into the fray with its own UDI recommendation, which was published on 9 April 2013. This recommendation says it’s “aligned” with what is happening at IMDRF level, so there you are on this point – this is where the IMDRF seems to be going (according to the EU that is), and more or less where the FDA will need to end up with its IMDRF proposal in November (if it wants the EU on its side).

Hopefully the EU member states will also have the patience and sang-froid not to run in all directions and start to impose their own UDI systems that will turn out to be incompatible with the Eudamed cathedral that the Commission is only starting to build and that will contain the EU UDI system envisaged under the proposed medical devices and IVD regulations.

The IMDRF announces that a consultation will be forthcoming with respect to its UDI draft guidance 2.0 “in the near future”. Watch that space, because I don’t really know what ‘near future’ means to a slow-moving organism like the IMDRF.

Ongoing work items

The outcome statement finally summarises the state of the ongoing work items:

  • “The survey of the National Competent Authorities Report exchange program is completed. It was decided to review the GHTF N79 Guidance taking into consideration the outcome of the survey. A new proposed work program will be prepared with a view to the finalization of the revised guidance by the end of the year.”
  • “The work on the revised Unique Device Identification Draft Guidance 2.0 on labeling specifications is progressing. A public consultation is envisaged in the near future.”
  • “The documents on the Recognition for Organizations undertaking Audits of Medical Device Manufacturers and the Auditor Competency and Training Requirements will be submitted for public consultation with comments due by 15 June 2013.”
  • “Discussions on the work item on the list of recognized standards continue to progress. The project should be completed by end of summer 2013. A work package for the second phase will be outlined for consideration.”
  • “Regarding the Regulated Product Submission working item, the Management Committee endorsed the work achieved so far, including the completion of the draft non-IVD Table of Contents for marketing authorization as well as progress on the testing of the RPS standard for medical devices. The draft Table of Contents will be submitted for public consultation in the near future.”

So

There you have it: international harmonisation in action with interesting things in the pipeline. Good to see the IMDRF picking up momentum.

The IVD regulation proposal in a nutshell

With this post I would like to make good on a promise I made some time ago: that I would also do an analysis of the proposed IVD Regulation in more or less the same level of detail as I did for the proposed Medical Devices Regulation, so here we go.

As a starting point, you should keep in mind that the Medical Devices Regulation and IVD Regulation proposals overlap to the point that the Commission has seriously considered merging them into one regulation, but in the end refrained from doing so after considerable lobbying from the IVD industry arguing that IVDs are too different to be in the same regulation. Therefore, basically all of the procedural stuff I wrote about in previous posts on the Medical Devices Regulation proposal will apply to IVDs as well because it is mirrored in the IVD regulation proposal.

Another point to remember is that as a result of the implementation of a GHTF risk based classification mechanism the large majority of IVDs must be looked at by a notified body, which is a landslide difference with the current situation (see slide 5 in the presentation below).

I did this presentation as a webcast for RAPS on 3 April; if you want the whole story, your best option is to purchase the webcast from RAPS. A condensed version of the slides is here:

Compared to Sabine Oshe’s presentation that I wrote about before there is not that much difference. I have tried to provide more detail on some additional things that are really new in IVD regulation, so here’s a small gap analysis for the items that feature additional detail:

  • the GHTF based risk classification
  • the qualified person
  • parallel trade and repacking provisions
  • the scrutiny procedure (“It’s a trap!”)
  • interventional clinical performance test regime
  • market surveillance
  • more detail on the governance via the MDCG and reference laboratories; and
  • explanation of the transitional regime

Of course everything that I wrote about the PMA controls that the ENVI committee of the European Parliament may require applies as well with respect to the IVD regulation – assuming however that the ENVI committee will treat all medical devices the same. So far there has been very little to no discussion of PMA with respect to IVDs, while also the highest risk class of IVDs are subject to the scrutiny procedure that the ENVI committee considers insufficient pre-market control for high risk medical devices.

With IVDs the discussion has so far concentrated on ethical and privacy aspects of genetic testing, which are perfectly justified concerns. The level of discussion has been disappointing at times. My personal impression is that people are scared of things they don’t understand and that have been depicted in a scary way in science fiction movies, so I think it’s time to educate the public on the risks and benefits of technology rather than kill innovation by imposing rules that make no sense because people are scared of complex stuff they don’t understand. It all comes down to the technology safety versus security discussion that I have raised earlier. Hey, this scary stuff is only science fiction, fiction being stuff that is made up. Indeed, genetic testing is a necessary technology to reap the benefits of personal medicine and most people would like a cure for their cancer, wouldn’t they? I do, in any event. Just like Eric Topol, I’m more than a glass half full type of guy when it comes to these kinds of possibilities. IVDs are the parent of healthcare after all, and data is key to this industry.

These discussions also have a place in the discussion regarding the General Data Protection Regulation (GDPR) proposal, which has a special regime for ‘genetic data’ that is separate from the regime for ‘data concerning health’, with an overlapping definition. This is quite unfortunate, because under the GDPR proposal ‘genetic data’ and ‘data concerning health’ are subject to – yes indeed – separate control regimes. While there seems to be some movement in amending the definition of genetic data (which in its first draft even included non-personally identifiable genetic data, so in fact data outside the scope of the regulation), I have not seen any movement by the ENVI committee to untie the Gordian knot of the overlap of these concepts, so this will remain problematic: what genetic data constitutes health data and what does not?

If you want to know more, EDMA has scheduled a workshop on the IVD regulation proposal in Brussels, somewhere in June with timing understandably depending on political developments with the proposal so watch that space.

Unannounced notified body visits recommendation imminent – amend your contracts and procedures now!

While everybody is running around about the MDR and IVD regulation proposals another storm is brewing in the wings: unannounced audits, which I announced earlier. Currently notified bodies “may” do unannounced audits under the EU medical devices rules. Now they will be required to do a minimum number of unannounced audits. Required? Yes, EU member states may require this as a condition for accreditation of the notified bodies. Will they? Most certainly. Some have already started to require notified bodies to do unannounced audits now, as a straight consequence of member state action requested by the Commission pursuant to the Commission’s Dalli market surveillance action plan. With all the political turmoil about EU medical devices regulation underperforming in the safety department, it is not an option for a member state to refrain from increasing market surveillance. If they can actually afford to – but that’s another discussion, because what has two thumbs and will be picking up the bill for unannounced audits? Correct: the manufacturer. As you will see below, member states are already planning to use notified bodies to indirectly inspect manufacturers for them.

I have puzzled together some information that gives you a look under the hood of the impending Commission Recommendation that we already had on the horizon. I also benefited a great deal from the insights of Gert Bos of BSI, one of the people who really knows what is going on in devices regulation in Europe, which he presented at the MD Project event on 25 March in the Netherlands.

Timing and status

We know that the Commission Recommendation is almost finished, with an anticipated release date somewhere in May 2013. The release will coincide with the anticipated Commission decision on the designation of notified bodies. The document is in version 18 now and has reportedly been approved by the service juridique (legal service) of the European Commission, so it is more or less in final form. It will be immediately applicable when published, which will trigger applicability of the unannounced audits section in the notified bodies code version 3.0 (more about that below). The instrument of a “recommendation” is a first in the medical devices world, because none of the current guidance documents has this status. A recommendation is more ‘law’ than a MEDDEV and carries far more political weight, because a MEDDEV is a consensus statement of the European member states’ authorities, whereas a recommendation is issued by the Commission itself and aimed at harmonising member state practice.

Goals

The recommendation has two goals:

  • consistent application of conformity assessment
  • laying down general principles for unannounced audits and inspections

The document has three annexes. Annex I applies to audits where the manufacturer applied for design dossier examination or type examination. Annex II applies to audits where the manufacturer applied for quality system assessment. Annex III concerns unannounced audit methods and methodology.

Annex I: design dossier / product assessment

This annex contains 7 points, of which some are new:

  • Notably new: the notified body should review if there is an up to date and complete tech file for all variants and trade names of the device (compared to the current usual question: does the documentation produced by the manufacturer check out?). The notified body should verify products, e.g. by means of taking and testing products at the manufacturer’s cost. It will be big fun when a notified body schleps off an entire MRI unit and bills you for it, and this is not a hypothetical possibility, said Gert.

Annex II: Quality system

18 points, points 15-18 new:

This annex reflects a strong suspicion towards outsourced elements in the supply chain. More specifically, notified bodies are to refrain from working with manufacturers unless they receive access to all critical subcontractors and crucial suppliers (and, consequently, to all sites where the devices or their crucial components are produced), regardless of the length of the contractual chain between manufacturer and subcontractor or supplier. Manufacturers are to integrate their subcontractors’ QMS into their own as much as possible. You can imagine how nice this will be for subcontractors that produce for several manufacturers. The Commission wants Own Brand Labeling to end (piggybacking on other parties’ certificates). OBL is not acceptable in the eyes of the Commission if the OBL does not have full access to all documentation relating to the reference device. In my experience the supply chain contracts that regularly cross my desk are completely unprepared for this.

Annex III: principles of unannounced audits of manufacturers and subcontractors

5 points:

  • at least one unannounced audit every 3 years
  • critical subcontractors or suppliers can be visited (make sure you amend contracts – inability to visit a subcontractor or critical supplier is ground for immediate revocation of the certificate)
  • production sample checking (file review and witness test – or take a sample and outsource the test, at the manufacturer’s cost, if an on-site test is not possible)
  • high risk devices – sampling is the logical approach for spot tests
  • the activity ongoing at the time of the audit will be audited

The manufacturer must always be ready to accommodate a notified body unannounced audit, also at third parties such as subcontractors and critical suppliers. As a notified body already commented at the RAPS conference last year: as soon as you start your production you must be ready for an unannounced audit; if you are not, don’t start production. Supply chain parties must make this possible and account for it in their contracts. If they do not, there is no excuse and the notified body will issue a major nonconformity. In case of limited production runs, the notified body must know when the runs are in order to be able to show up unexpectedly. The manufacturer pays for any local security measures the notified body requires, for example bodyguards.

Member states are free to require application of the recommendation of their notified bodies – and they will in practice because of the pressure put on them in the Dalli action plan.

The recommendation requires that a notified body must establish a secret audit plan for manufacturers. Notified bodies are presently meeting regularly to compare notes among themselves on best practice and on what works and what does not in unannounced audits.

Notified body code v. 3.0; entry into force of recommendation and code

The announced part of the new notified body code v 3.0 enters into force immediately upon entry into force of the recommendation, which we already saw coming. The recommendation will enter into force upon publication, as far as I know – NO transitional period. The code has important language on risk management for audit frequency, and I have discussed that before here. It also contains a heading for devices that are often non-compliant – more visits. Gert informed us that authorities are now starting to use notified bodies as an extension of themselves more and more: they tell notified bodies where to do an unannounced visit if they see spikes in the trending of complaints.

So…

Better start preparing pronto by writing procedures and amending those agreements in your supply chain, because as Gwen Stefani sings: “this sh*t is bananas”. And it will hit the fan this May – less than two months! – with no transition period. That just goes to show the political pressure behind all of this. Questions? I’m here.

EU privacy requirements for (healthcare) apps – the Article 29 Working Party weighs in

The European Article 29 Working Party has just released its opinion 02-2013 on apps on smart devices. This detailed opinion provides very useful and detailed guidance for companies developing and distributing healthcare apps in the EU, as well as manufacturers of mobile operating systems and devices that run apps. Finally, there is also guidance for third parties.

Applies to basically all standalone software, not only apps

Many medical technology companies struggle with the application of EU privacy requirements to medical apps and other software, so I thought it would be a good idea to discuss this guidance document. Even though the document says it applies to apps, I think it provides very useful guidance for standalone software in general.

EU-US harmonisation

Where the EU and US authorities do not seem to get along very well at all on regulation of medical devices (which healthcare apps may well qualify as if they are a medical device in the form of standalone software, see here, here and here) and with the US regulation of healthcare apps still not boiling down to something definite, this guidance document refers a lot to US initiatives in this field and explicitly concurs with them. The guidance explicitly and approvingly refers to the recent FTC staff reports Mobile Privacy Disclosures and Mobile Apps for Kids (here and here) and the report of the Attorney General of the California Department of Justice. This is good news and will facilitate trans-Atlantic app development.

Risks regulated

The guidance document provides a lot of detail on the risks the EU authorities want to regulate, the EU data protection regulatory logic that they apply and finally gives a nice and convenient summary of obligations and best practices at the end. The document further ties together the acquis in data protection law in different fields, such as cloud computing, children and consent, together with a focus on mobile apps.

What are the main risks identified in the guidance?

  1. lack of transparency – many apps are not transparent about what they actually do with the data they collect, and a large part do not even provide users with information in a privacy policy.
  2. lack of free and informed consent – consent does not meet user requirements (users want a more granular choice) and – closely connected to transparency – must understand what an app does before they can give valid consent.
  3. poor security measures – obviously this is a risk: if there is a data breach, this may lead to unauthorized processing of data, which, in case of healthcare apps, will mostly concern sensitive personal data.
  4. disregard for the principle of purpose limitation – purpose limitation is one of the cornerstones of EU data protection law: a controller should not process more personal data than necessary for the purpose defined and the period necessary. Apps are generally very bad at precise purpose limitation, suffer from scope creep or ‘elastic purpose’ in this respect and are not transparent about the duration of processing.

Actors regulated

The document goes on to explain the rules that apply for the four categories of regulated actors: app developers, app stores, OS / device manufacturers and third parties. There is a good discussion of ‘privacy by design’ and ‘privacy by default’ requirements that look to become a lot stricter under the GDPR currently in the legislative pipeline. Both of these requirements already apply to a degree under directive 95/46 (Data Protection Directive) and the often overlooked directive 2002/58 (ePrivacy directive). The ePrivacy directive – which most companies will know from its cookie rules – is especially important for those who plan to store and access personal data in the user’s own hardware – consent and information requirements apply also in that case. The document also warns that the ePrivacy directive data breach requirements currently only apply to network services providers, but will most likely be extended to all data controllers under the proposed GDPR.

Where the apps concerned are also medical devices, the actors regulated under data protection law will overlap with the MAID actors regulated under the medical devices rules to an extent. Generally speaking, the developer is manufacturer, the app store is importer / distributor, the OS / device manufacturer may be accessory or medical device manufacturer and the third parties can basically have any role. From my work in the sector the distinct impression emerges that although companies may sometimes realise they are manufacturer of an app that is a medical device, there is little understanding of the other roles and how a company may have responsibilities there. For example, all of the app stores (Apple, Google, etc.) should start to prepare for their role as importer / distributor of medical devices.

The obligations/best practices by actor table

I have tried to put the summary of obligations and best practices at the end of the document in a format that can be easily used in practice. Below, the obligations (“must”) and best practices (“should”) are listed for each of the four actors concerned: app developers, app stores, OS / device manufacturers and third parties.

Must

App developers:
  1. Be aware of, and comply with, their obligations as data controllers when they process data from and about users;
  2. Be aware of, and comply with, their obligations as data controllers when they contract with data processors such as if they outsource the collection and processing of personal data to developers, programmers and for example cloud storage providers;
  3. Ask for consent before the app starts to retrieve or place information on the device, i.e., before installation of the app. Such consent has to be freely given, specific and informed;
  4. Ask for granular consent for each type of data the app will access; at least for the categories Location, Contacts, Unique Device Identifier, Identity of the data subject, Identity of the phone, Credit card and payment data, Telephony and SMS, Browsing history, Email, Social networks credentials and Biometrics;
  5. Be aware that consent does not legitimise excessive or disproportionate data processing;
  6. Provide well-defined and comprehensible purposes of the data processing in advance of installation of the app, and not change these purposes without renewed consent; provide comprehensive information if the data will be used for third party purposes, such as advertising or analytics;
  7. Allow users to revoke their consent and uninstall the app, and delete data where appropriate;
  8. Respect the principle of data minimisation and only collect those data that are strictly necessary to perform the desired functionality;
  9. Take the necessary organisational and technical measures to ensure the protection of the personal data they process, at all stages of the design and implementation of the app (privacy by design), as defined in section 3.6 of the Opinion;
  10. Enable app users to exercise their rights of access, rectification, erasure and their right to object to data processing and inform them about the existence of these mechanisms;
  11. Define a reasonable retention period for data collected with the app and predefine a period of inactivity after which the account will be treated as expired;
  12. With regard to apps aimed at children: pay attention to the age limit defining children or minors in national legislation, choose the most restrictive data processing approach in full respect of the principles of data minimization and purpose limitation, refrain from processing children’s data for behavioural advertising purposes, either directly or indirectly and refrain from collecting data through the children about their relatives and/or friends;
  13. Provide a single point of contact for the users of the app;
  14. Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:
  • who they are (identity and contact details),
  • what precise categories of personal data the app wants to collect and process,
  • why the data processing is necessary (for what precise purposes),
  • whether data will be disclosed to third parties (not just a generic but a specific description to whom the data will be disclosed), and
  • what rights users have, in terms of withdrawal of consent and deletion of data.

App stores:
  1. Be aware of, and comply with, their obligations as data controllers when they process data from and about users;
  2. Enforce the information obligation of the app developer, including the types of data the app is able to access and for what purposes, as well as whether the data is shared with third parties;
  3. Give special attention to apps directed at children to protect against the unlawful processing of their data, and especially enforce the obligation to present the relevant information in a simple manner, in age specific language;
  4. Provide detailed information on the app submission checks they actually perform, including those aimed to assess privacy and data protection issues.

OS / device manufacturers:
  1. Update their APIs, store rules and user interfaces to offer users sufficient control to exercise valid consent over the data processed by apps;
  2. Implement consent collection mechanisms in their OS at the first launch of the app or the first time the app attempts to access one of the categories of data that have significant impact on privacy;
  3. Employ privacy by design principles to prevent secret monitoring of the user;
  4. Ensure security of processing;
  5. Ensure (the default settings of) pre-installed apps are compliant with European data protection law;
  6. Offer granular access to data, sensors and services, in order to ensure that the app developer can only access those data that are necessary for his app;
  7. Provide user-friendly and effective means to avoid being tracked by advertisers and any other third party. The default settings must be such as to avoid any tracking;
  8. Ensure the availability of appropriate mechanisms to inform and educate the end user about what the apps can do and what data they are able to access;
  9. Ensure that each access to a category of data is reflected in the information of the user before the app’s installation: the categories presented must be clear and comprehensible;
  10. Implement a security-friendly environment, with tools to prevent malicious apps from spreading and allow each functionality to be installed/uninstalled easily.

Third parties:
  1. Be aware of, and comply with, their obligations as data controllers when they process personal data about users;
  2. Comply with the consent requirement determined in Article 5(3) of the ePrivacy Directive when they read or write data on mobile devices, in cooperation with the app developers and/or app stores, which essentially provide users with the information on the purposes of data processing;
  3. Not circumvent any mechanism designed to avoid tracking, as currently often happens with the “Do Not Track” mechanisms implemented in browsers;
  4. Communications service providers, when they issue branded devices, must ensure the valid consent of users for pre-installed apps and take on board relevant responsibilities when contributing to determining certain features of the device and of the OS, e.g. when limiting the user’s access to certain configuration parameters or filtering fix releases (security and functional ones) provided by the device and OS manufacturers;
  5. Advertising parties must specifically avoid delivering ads outside the context of the app. Examples are delivering ads by modifying browser settings or placing icons on the mobile desktop. Refrain from the use of unique device or subscriber identifiers for the purpose of tracking;
  6. Refrain from processing children’s data for behavioural advertising purposes, either directly or indirectly. Apply appropriate security measures. This includes secure transmission and encrypted storage of unique device and app user identifiers and other personal data.

Should

App developers:
  1. Study the relevant guidelines with regard to specific security risks and measures;
  2. Proactively inform users about personal data breaches along the lines of the requirements of the ePrivacy Directive;
  3. Inform users about their proportionality considerations for the types of data collected or accessed on the device, the retention periods of the data and the applied security measures;
  4. Develop tools to enable users to customise retention periods for their personal data based on their specific preferences and contexts, rather than offering pre-defined retention terms;
  5. Include information in their privacy policy dedicated to European users;
  6. Develop and implement simple but secure online access tools for users, without collecting additional excessive personal data;
  7. Together with the OS and device manufacturers and app stores use their creative talent to develop innovative solutions to adequately inform users on mobile devices, for example through a system of layered information notices combined with meaningful icons.

App stores:
  1. In collaboration with the OS manufacturer, develop control tools for users, such as symbols representing access to data on and generated by the mobile device;
  2. Subject all apps to a public reputation mechanism;
  3. Implement a privacy friendly remote uninstall mechanism;
  4. Provide feedback channels to users to report privacy and/or security problems;
  5. Collaborate with app developers to pro-actively inform users about personal data breaches;
  6. Warn app developers about the specificities of European law before submitting the application in Europe, for example about the consent requirement and in case of transfers of personal data to non-EU countries.

OS / device manufacturers:
  1. Enable users to uninstall apps, and provide a signal (for example through the API) to the app developer to enable deletion of the relevant user data;
  2. Systematically offer and facilitate regular security updates;
  3. Ensure that methods and functions allowing access to personal data include features aiming to implement granular consent requests;
  4. Actively help develop and facilitate icons alerting users to different data usage by apps;
  5. Develop clear audit trails into the devices such that end users can clearly see which apps have been accessing data on their devices and the amounts of outgoing traffic per app, in relation to user-initiated traffic.

Third parties:
  1. Develop and implement simple but secure online access tools for users, without collecting additional excessive personal data;
  2. Only collect and process data that are consistent with the context where the user provides the data.
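Several of the app developer “must” items above describe behaviour the app’s own back end has to implement rather than something a policy document can deliver: granular consent per data category, consent bound to a stated purpose, revocation followed by deletion, a retention period with an inactivity cut-off, and a record of every access. The following Python example is added here to show one way of wiring those rules together; it is not code from the Opinion or from any product, and the class names, category set, user ids and dates are constructed for illustration.

```python
"""Consent ledger for a mobile app back end (constructed example).

Demonstrates: granular, purpose-bound consent per data category; revocation
that deletes the covered data; a retention period plus an inactivity expiry;
and an audit trail of accesses. Names and sample values are hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# A subset of the categories the Opinion lists as needing granular consent.
CATEGORIES = {"location", "contacts", "device_id", "biometrics"}


class ConsentError(Exception):
    """Access attempted without an unrevoked consent for that category and purpose."""


@dataclass
class Consent:
    category: str
    purpose: str                    # purpose limitation: consent is tied to one purpose
    granted_at: datetime
    revoked_at: datetime | None = None

    def covers(self, category: str, purpose: str) -> bool:
        return (self.category == category and self.purpose == purpose
                and self.revoked_at is None)


@dataclass
class UserRecord:
    consents: list[Consent] = field(default_factory=list)
    data: dict[str, tuple[object, datetime]] = field(default_factory=dict)  # category -> (value, stored_at)
    last_active: datetime = datetime.min          # last user-initiated action
    audit: list[tuple[datetime, str, str]] = field(default_factory=list)    # (when, category, purpose)


class ConsentLedger:
    def __init__(self, retention: timedelta, inactivity: timedelta):
        self.retention = retention        # longest any stored datum is kept
        self.inactivity = inactivity      # idle time after which the account is treated as expired
        self.users: dict[str, UserRecord] = {}

    def _user(self, uid: str) -> UserRecord:
        return self.users.setdefault(uid, UserRecord())

    def _require(self, user: UserRecord, category: str, purpose: str) -> None:
        if not any(c.covers(category, purpose) for c in user.consents):
            raise ConsentError(f"no valid consent for {category!r} / {purpose!r}")

    def grant(self, uid: str, category: str, purpose: str, now: datetime) -> None:
        """Record a granular consent; the user asked for it, so it counts as activity."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown data category {category!r}")
        user = self._user(uid)
        user.consents.append(Consent(category, purpose, now))
        user.last_active = now

    def revoke(self, uid: str, category: str, now: datetime) -> None:
        """Revoke every consent for a category and delete the data it covered."""
        user = self._user(uid)
        for c in user.consents:
            if c.category == category and c.revoked_at is None:
                c.revoked_at = now
        user.data.pop(category, None)
        user.last_active = now

    def store(self, uid: str, category: str, purpose: str, value: object, now: datetime) -> None:
        user = self._user(uid)
        self._require(user, category, purpose)
        user.data[category] = (value, now)    # timestamp drives the retention check
        user.last_active = now

    def access(self, uid: str, category: str, purpose: str, now: datetime) -> object | None:
        """Read a category for a purpose; refused unless consent covers exactly that pair."""
        user = self._user(uid)
        self._require(user, category, purpose)
        user.audit.append((now, category, purpose))   # app-initiated: not counted as user activity
        entry = user.data.get(category)
        return None if entry is None else entry[0]

    def expire(self, now: datetime) -> None:
        """Enforce retention: drop stale data and remove inactive accounts."""
        for uid in list(self.users):
            user = self.users[uid]
            if now - user.last_active > self.inactivity:
                del self.users[uid]
                continue
            for category, (_, stored_at) in list(user.data.items()):
                if now - stored_at > self.retention:
                    del user.data[category]

    def uninstall(self, uid: str) -> None:
        """Uninstall signal from the OS / store: remove everything held for the user."""
        self.users.pop(uid, None)

    def audit_trail(self, uid: str) -> list[tuple[datetime, str, str]]:
        return list(self._user(uid).audit)


def permitted(ledger: ConsentLedger, uid: str, category: str, purpose: str, now: datetime) -> bool:
    """True if an access for this category/purpose pair would be allowed right now."""
    try:
        ledger.access(uid, category, purpose, now)
        return True
    except ConsentError:
        return False
```

The point of binding each consent to a purpose is that a consent for location data collected for navigation does not let the same data be read for advertising; that is the purpose limitation principle from the Opinion expressed as a lookup, and the audit list is what an access-rights request or a breach investigation would be answered from.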

Overlapping responsibilities

If there is one picture that emerges from this document, it is the overlap of responsibilities of the actors concerned. As I have shown, there is further overlap with regulatory obligations under medical devices regulation. An example is the guidance referring to complaint mechanisms to implement data subjects’ rights, which can double as instruments for post market surveillance in the supply chain. Another example is the new design requirements in the proposed medical devices regulation for standalone software for ‘mobile computing platforms’. Companies will need to manage these overlaps contractually, coherently and intelligently, to avoid nasty surprises and to achieve compliance in the ecosystem of medical apps / standalone software.

eHealth and mHealth at the DIA Euromeeting

I had the privilege to preside over a session about eHealth and mHealth at the DIA Euromeeting in Amsterdam last week, joined by Mr Tapani Piha, Head of Unit for eHealth, Health Technology Assessment and Science of DG SANCO of the European Commission and Mrs Marianne Fournier of Voisin Consulting.

In a lively session we took the audience through a tour d’horizon of EU future and present mHealth regulation.

European Commission

Mr. Piha discussed the EU policy angle for eHealth, focusing on the draft EU proposals for a Regulation on eIdentification, a Regulation on data protection (GDPR), and the Green paper on mHealth (the latter being in the pipeline, slated for 2013). He confirmed that the recently proposed NIS Directive will also impact on eHealth and mHealth. Mr. Piha further provided insight into the use of the Directive on patients’ rights in cross-border care. He spoke about the upcoming implementing act on prescriptions that harmonizes minimum data to be shared across borders, thus paving the way to ePrescription. He further addressed the eHealth Network under article 14, which provides for

  • Common identification (eID) for electronic transferring of health data
  • Guidelines on semantic and technical interoperability
  • Guidelines on a non-exhaustive list of data to be included in the patient summary

Finally he addressed the eHealth Action Plan and its relation to the EU strategic eHealth network, as well as the Regulation on European Standardisation, an important instrument for achieving interoperability in eHealth.

Voisin Consulting

Mrs. Fournier spoke about software and e/mHealth services as regulated medical devices in the EU and provided a large number of examples and case studies to show the possible permutations of regulation of hardware and software.

Axon Lawyers

I myself discussed mainly the possible consequences of the proposed General Data Protection Regulation (GDPR) for the EU eHealth and mHealth industry, which may have an enormous impact on eHealth and mHealth. Since this regulation proposal is a horizontal instrument, it treats all categories of services for which personal data are processed the same. I showed how this leads, for example, to the unintended consequence that the things you want in eHealth and mHealth, like monitoring, are made very difficult because they are subject to the same restrictions as profiling by online advertising companies.

The exemptions in the regulation for processing of health data have been watered down in the last proposed changes by the rapporteur of the ENVI committee to the point that – in my view – they will severely impede viable eHealth and mHealth business models. This impediment is worsened by the fact that the criterion for consent to processing of personal data has also been made so complex that I would be hesitant to provide a legal opinion on whether consent has been validly given in a specific situation. In other words, the GDPR creates a large amount of collateral damage in sectors we would normally want to enable. DG SANCO and DG Connect have set up elaborate policies for eHealth and mHealth, but these may not achieve their objectives if processing of health data is made prohibitively difficult. In addition, medical devices companies are faced with additional difficulties in collecting the additional clinical data required for meeting regulatory obligations under the proposed new medical devices regulation and IVD regulation. In this way DG Justice will also negatively impact on DG SANCO’s policy in medical devices and IVDs.

Even though this session was one of the graveyard sessions of the DIA program we almost had a full house, evidence of the importance of this subject for the marketplace.