A dud with some drama – a report of the 26 February ENVI workshop

20130206ATT60626ENWell, the 26 February workshop is behind us. The expectations were high, but I think in the end the workshop turned out to be the dud I expected; some people I spoke with rather called it a theatrical sizzle or a dud with some drama. A nice factual and chronological overview can be found in the twitter feed of SFL regulatory consultants (@SFLServices) for 26 February that reports on the entire event. Or you could try the ever buggy and rarely working EU Parliament video feed of the event, good luck with that.  The presentations that people provided are here. The agenda for the event is here.

I didn’t attend myself in the expectation of precisely this result, so everything I’m writing down here is hearsay. I think it will reflect the sentiment well however. The overall sentiment of those I spoke with (mainly industry) was that of an orchestrated session with the sole purpose of making Mrs Roth-Behrendt, the Parliamentary rapporteur for the MDR proposal, look good, wise and on the ball. This sometimes led to embarrassing and tense situations like the rapporteur waving her watch at people to cut them off on time, and the people responding “Yes, you have a very nice watch” and continuing their submission because they felt that they were making important points that were falling on deaf ears. I did not speak in any detail with people about the IVD part of the workshop, but I may follow up about that on another occasion. You can find an account on the @SFLServices twitter feed too, as well as on the EU Parliament video feed of the event,

In the first session the Commission – represented by Mrs Testori Coggi (Director General of DG SANCO) – reiterated its initial proposal, saying that this will do the trick. The Commission also reiterated that full PMA would not work under the current circumstances.

There is no way the EU can muster the resources to set up a new agency like the EMA or EFSA for medical devices  approval.

EMA surprisingly said it had no interest at all in taking this devices business on board and saw its role limited to helping out in companion diagnostics and combination products, perhaps deciding on borderline questions.

The session on notified bodies was ugly and had ‘scapegoat’ written all over it. People were using the word ’embarrassing’ and said they felt sorry for the notified body representatives present. Why? Rather than doing the job herself the rapporteur had set up a reporter from the BMJ, a journal with a well-known bias against the CE system, to make the notified bodies look as bad as possible and chastise the member states and Commission in the process for doing a bad job. The message was that the Commission and the member states were lucky to have the European Parliament to save them from the embarrassment of such a bad legislative proposal making it to the finish line to become law. With Mrs Testori Coggi, the Director General of DG SANCO, being not a pushover herself I guess you can imagine the constructive atmosphere in the room.

An interesting discussion ensued about time to market, one of the big advantages of the EU system and a continuing bone of contention. Mrs Roth-Behrendt had obviously been taking inspiration from FDA arguments on the time to market under the EU system. She argued that time to market under regulatory market access procedures should include the time it takes for a device to be reimbursed, because only then the device is available to patients. She said she had ‘researched’ this. In fact, you don’t need much research to find out that this is an old discussion that mixes up different things. Market access is a harmonized EU affair, while member states firmly defend their national competence in reimbursement of medical devices. An instrument like the Transparency Directive for medicinal products – intended to speed up inclusion of products with regulatory approval into reimbursement systems – never made it in the medical devices. Ergo, including reimbursement in the discussion is relevant for effective time to patient but has nothing (I repeat: nothing) to do with regulatory approval. The last time a company tried to blur this distinction for its own purposes and argued that the date of regulatory approval was actually the date of admission of a medicinal product to the reimbursement system (with a view to obtaining longer supplementary patent protection for its medicinal product) it was severely slapped on the wrist by the European Commission and European Court for making such an evident mistake as part of a ‘self-serving’ plan. Really, the company was told in the strongest supervisory wording that these things cannot be mixed up. If Parliament wants to shorten time to patient after reimbursement it should whip the member states into shape on reimbursement and support the Commission on a proposal to speed up reimbursement for medical devices, which I think the Commission would be more than happy to cooperate on.

In the mean time the member states are flying under the radar. There is still no common position of the Council on the proposal, neither external nor (as far as I know) internally. As I have mentioned before, there was no news on the scheduled discussion of the Dalli Action Plan measures during the Irish Presidency, so my guess is that there is a degree of fundamental disagreement about how to handle the future because there is some fundamental difference on whether they want PMA or not (France, as far as we know, was the only one in favour last year). The Parliament and the Council (i.e. the member states) must agree on the regulation proposal for it to be adopted, so the position of the Council is the big known unknown in the equation now.

The session on reprocessing was a bit lost in the mix. Nothing spectacular than the usual happened: the manufacturers of single use devices defended that single use means single use and the others voicing the usual suspicion that this may not always be true. Anyway, the new MDR proposal will harmonise rules on reprocessing and regulate the activity just as strictly as manufacturing – which is the only sensible way to deal with this if you want to allow reprocessing of single use devices.

So, there you have it – a dud with drama, with the real issues misrepresented or not addressed, for example because there is no attention whatsoever to post market issues, except by industry and then even outside of the devices industry – for example Mr. Bergstrom from EFPIA made some very relevant remarks on this subject during the workshop.

This was met with a comment from Mrs Roth-Behrendt that this could only work for devices if there would be similar PMA for devices – which I believe is a complete misconception. Moreover, if there is anything that is significantly improved in the Commission’s proposal it’s post market obligations for manufacturers. Also, as I keep saying, if there is anything not addressed in this flawed PMA discussion, it’s post market surveillance.

With this in mind I would like to ask readers of this blog to get involved – do something or be stuck with flawed legislation. Let’s not destroy the good parts in a misdirected effort to repair the bad parts and end up worse off: patients, industry, everybody. Let’s not loose the 3. The bad parts do need fixing, everyone agrees with that – but then let’s really fix them instead of change the wrong things with the wrong arguments. The rest of the ENVI committee and the Parliament should really take a better look at this than has happened so far.

Recast

, , , , ,

11/03/2013

3 Comments

“P” is for Post Market Surveillance – start your engines now

European ParliamentI attended the Informa PMS surveillance conference in Berlin on 27 and 28 February, and thought I’d share some of the interesting things I picked up there because to me it was a very good conference with some of the best EU experts sharing their knowledge. There were also some easter eggs of information. The presentations I summarise below contained far more detail than I can put in a summary and the ones I have not mentioned were also interesting. The best way to get the full picture is to attend, I’m sure Informa will repeat the conference next year.

“Parliament is not interested in PMS”

The first easter egg for me was the rumor that a Commission official had said that Parliament is not terribly concerned with PMS because it’s too technical so the current wording in the draft MDR and IVDR will most likely survive – companies can start planning for the current draft to be the final word on these matters. If it’s in the regulation proposal now, it’s expected to make it to the finish. This confirms to me what I and many others have been saying all along: Parliament does not understand the underlying issues and takes a fundamentally flawed approach: you can’t remedy a problem of supervision by increasing rules on safety. That is window-dressing to the detriment of innovation. It’s falling victim to the well-known fallacy of confusing issues regarding safety of technology with issues regarding its security. This fallacy is described very well in Regenesis, a recent book about synthetic biology that I recommend as an inspiring read, and which among many things discusses this regulatory misconception in the biotechnology field.

If the ENVI committee is serious about preventing future security issues relating to the EU medical devices regulatory system (fraudulent manufacturers, naughty notified bodies proposing workarounds for certification or not paying attention to what their manufacturers are doing) they should be all over PMS and the market surveillance provisions. But they aren’t. Instead, all the emphasis is on pre-market controls, head firmly buried in the sand.

PMS under the new regulation proposal

Jacques Thielen of Medtronic gave an impressive and comprehensive presentation on PMS under the new regulation and showed how the post-market environment will increase significantly in scope, including  a PMS plan and surveillance, trend reporting of advertising and markting, etc.

He presented an interesting analysis of the Dalli Action plan: unannounced audits have started, a notified body checklist for unannounced audits is circulating.

He explained how serious incidents will be reportable (not for custom made devices contrary to current MEDDEV), no later than 15 days after awareness. There is an obligation to report if there is a possible causal relationship between the device and the incident.

He further discusses the electronic vigilance system EUDAMED (article 62 proposal). Countries will however want to keep their own database, so ‘synchronization’ problems may well ensure.

Competent authorities must carry out risk assessment with respect to serious incidents and FSCA’s. However there is no harmonised method for risk assessment yet. That could be implemented via the coordinating authority concept, Jacques argued.

Trend reporting was addressed: under the proposal it’s step forward compared to the current MEDDEV : duty to report impacts on the risk-benefit analysis and unexpected undesirable side effects. Incident: includes “any unexpected undesirable side effects” in the new definition. Serious incident includes now “temporary” deterioration of patient health. FSCA definition differs slightly from GHTF definition.

Documentation of vigilance data in practice tends to lead to double assessment of vigilance data, and the notified body and competent authority they may take different views.

The proposed regulation will use implementing acts for the ‘paperwork’ (article 66), so watch that space for more detail to emerge.

Post Market Plan – in practice companies do this already, but it will now formalized and the plan must reported. The plan will cover the entire post-market life of the device (article 8), includes PMCF – if no plan is applied, that must be justified.

Advertisment and promotional material review – this must be subject to a robust internal process because it may lead to recalls if companies get it wrong.

The EUDAMED 3 “cathedral” currently under construction was discussed: the market surveillance and UDI pillars are new, as was shown with nice graphics from Eucomed’s EUDAMED working group. Jacques was skeptical about Commission being able to construct a working database able to cope with the requirements. We have heard this skepticism more often. I had to suppress jokes by analogy to Gaudi’s Sagrada Familia cathedral in Barcelona, which has been under construction for more than a century by now and with a total construction timeline of just shy of 1,5 century (started in 1882, current planned finalization date 2026).

Companies should plan ahead and anticipate impact on company resources (qualified person, increased reporting burden), timely perform a gap analysis, were Jacques’ closing words of advice.

UDI

Jenny Gough from Mölnlycke updated us on the status of EU UDI and gave a good practical study on how to implement UDI in a medical devices company. There is no detail on UDI in current EU regulation proposal – everything will be dealt with in a delegated act. There is still no international governance model, while everybody is waiting to see where the US is going with UDI. IMDRF could make the difference, but will it? Still important nuts to crack re UDI databases, UDI requirements, exception handling and existing stock treatment.

Industry issues concern standardisation: will there be UDI database harmonised requirements? This will be especially important for machine readable carriers, with respect to placement etc.

The ETF group in Eucomed is dealing with this, and is developing a UDI policy for the EU for its members. The GS1 standard seems preferable solution. Mrs Gough mentioned that the lack of preparedness the on the part of industry is “scary”, because these things takes long time to implement to be able to start in time. Even if there is no EU guidance yet, industry should start to ready its internal processes for UDI. Some countries are taking their own UDI/traceability initiatives already. The system must also work for healthcare providers and they must be on board in this.

Eudamed

Laura Locati from Abbott addressed Eudamed, the EU database that is supposed to pull everything devices related together. Eudamed 4.4 (to support the Eudamed 3 cathedral) will go into production in march 2013, fixing issues of alignment with national systems and new development requests such as interface improvements, with its legal basis in Article 27 MDR and 25 IVDR.

There is some news from the EU Commission working group on Eudamed on access levels.

Publicly accessible will be:

  • registation
  • certificates
  • clinical investigations subject to confidentiality restrictions
  • UDI

Vigilance data in Eudamed: access possible only for national competent authorities, Commission & notified bodies

Market surveillance: access possible only for national competent authorities & Commission

Competent Authority perspective

George Aislaitner from the Greek competent authority had the second easter egg, or rather easter bomb, by confirming rumours about a separate governance regulation / directive being in the works. This is apparently intended to supplement the cooperative parts of the MDR and IVDR, for example to provide a legal basis for the joint inspection teams that are envisaged. These teams will consist of a mix of inspectors from different member states and the Commission, much like we already know in competition law in the EU.

Notified body perspective

Steve McRoberts from UL  gave a very down to earth view under the hood of a notified body. His message was that there are no secret recipes under the hood of notified bodies: a manufacturer must consistently meet its own specs, so the notified bodies can confirm in an audit that he does. Of course the specs have to meet the basic requirements, but there is nothing more to it. BSi also had two comprehensive presentations setting out what is required for implementing PMS that a notified body can sign off on.

Trend reporting

Trend reporting will be another major issue under the new regulation. Jacques Thielen from Medtronic also presented on this subject. He explained how the MEDDEV on vigilance version 8‘s trend reports in meaning of 4.18 MEDDEV require pre-defined levels that trigger reporting obligations. Many companies won’t have this, and only start to think about trigger levels when something unexpected or problematic happens.

Under the new regulation a trend report must include significant increases in rate of already reportable incidents but also usually non-reportable events. How to measure what you would normally not measure? The only way here is to set up additional processes for that

Difficulties Jacques addressed under the current MEDDEV:

  • Evolution of trend, associated patient / user risk and HHA are to be considered together.
  • Correction for trend influence by bulk reporting, sample size, etc.
  • What should be tracked? There is a lot of information to trend (complaints, service reports, failure mode, adverse event types, vigilance reports, confirmed root causes).
  • How to correct for abuse by customers of complaints processes to get the manufacturer to give them freebies?
  • What is the trigger level? No standard available, so each authority may look at it differently or has no idea themselves. Levels in risk analysis are engineering values, not reporting triggers. A company’s trigger level will evolve over time but how? There are no standards for that either so a company must make choices and develop audit able policies for that.

PMS in the supply chain

I presented about implementing PMS in the supply chain for a medical device. The new regulations implement the Decision 768/2008 model for supply chain market surveillance, and as was consensus in the room, there are a lot of overlapping autonomous responsibilities between the respective actors in the supply chain (the MAID) and there is no guidance in the regulation on how to implement PMS in this constellation. Consequently, the traditional top-down way of requiring “compliance with applicable law” that most companies put in their distribution agreements will not work anymore. As I explained, this may be giving a distributor a free pass to do precautionary panic recalls without anyone else knowing. Also, the MAID profiles tend to be defined broader than you would think – ‘distributor’ for example includes even the last reseller before the device reaches the end user. Companies have to start thinking about how to implement the division of these responsibilities in their import, distribution and supply agreements to avoid being faced with liability being unexpectedly being put on one’s plate and the other party raising its somebody else’s problem field with respect to the issue. My presentation is here:

I will be speaking about contracting issues in view of the new regulations more specifically on a workshop by MD Project in the Netherlands on 25 March (although the invite on their site is in Dutch, the presentations will be in English).

Post market surveillance

, , , ,

04/03/2013

11 Comments

Fireworks! Or a disappointing dud? The 26 February ENVI workshop on the EU medical devices and IVD proposals

European ParliamentWith the ENVI committee “workshop” on the medical devices regulation and IVD regulation proposals in sight next week, medical devices media have been drumming up momentum by using exciting adjectives like “fireworks” that make this workshop sound like it will be an ‘epic battle‘, or how about a ‘clash of the titans’? I wouldn’t want to go that far. Being familiar with Brussels processes, I predict this will be a disappointing dud rather than fireworks. Sure, there is a tremendous amount at stake for the stakeholders but the agenda leaves no room for doubt that there will not be fireworks: ENVI is going to only hear what it wants to hear and has given no or almost no time to any voices that may provide input that is politically unwelcome. Sure, we will hear from some vocal organizations that have structurally misinterpreted basics of medical devices regulation in the past like ESC, and there is a panel on reprocessing that will take up a disproportionate amount of time compared to the importance of the other items. By now it is known that ENVI will propose pre-market controls for medical devices that are much stricter than the currently proposed scrutiny procedure, which itself will not solve anyone’s problem and is outdated by the pharma regulation standards it purports to mirror too, as I have argued on occasions.

Let’s take a step back to ENVI’s shot across the bow to the Commission saying: “Learn the lessons of this fraud!” Did ENVI itself learn that lessons? Not in the least. As the industry has explained again and again, fraud is something that member states must deal with. If a notified body misses fraud by a company in breast implants or proposes something close to fraud for implants, member states must police their notified bodies and take action to make them do better. This is the first thing the Commission proposed when the PIP breast implants scandal spun out of control and which the Commission has firmly ingrained in its proposal. Are the member states stepping up to their responsibility? I don’t get the impression they are. They are understaffing their medical devices supervisory departments and are happy with the cosmetic solution of making market access more difficult in order to remedy fraud in the post market phase. To put it quite bluntly: it’s the same logic as trying to solve a problem of cars getting flats on bad roads by mandating that all wheels must be square so nobody will get anywhere rather than fixing the potholes.

That blunt analogy is closer to the truth than you might think. Think about the characteristics of the medical devices industry: many SMEs, that’s where most of the innovation happens – also in the higher risk class devices. In this respect the devices industry is very similar to the biotech industry. The biotech industry has had the good fortune to already be stuck with a overcomplicated and badly implemented market access mechanism in the form of the ATMP regulation. That has been in force for five years now, and it has produced exactly ONE (1) licensed product. We notice with our biotech clients that the process is just too burdensome for SMEs so they don’t bother and try to work around the process by relying on hospital exemption models or just licensing their technology to bigger companies. Even the European Medicines Agency realizes that the process fails to deliver and is bending over backwards just to get companies to please take the gamble with the regulatory process. Is that what we want for the thriving EU devices industry that delivers innovation earlier than elsewhere? That is the price you pay for solving a problem that is not a problem. You don’t protect patients by making market access for safe devices more difficult. You protect patients by effective and immediate action against fraud and mistakes in the system. But precisely that does not seem to be on the agenda (except with the Commission) because it’s not a politically opportune message to deliver and it costs the member states money and resources that they don’t want to dedicate. The Commission has immediately proposed an action plan for better post market surveillance and vigilance and quality control of notified bodies by the notifying member states. I have heard that the enthusiasm of member states to solve these issues was, let’s say, not very big. The results were supposed to have been presented end of January at the CAMD meeting at the Irish presidency, but the total silence on this point leads me to assume there is nothing very positive to report because otherwise we would have heard about it. The Commission also proposed a mechanism in the new regulations to dramatically improve the quality of notified bodies, and some of the notified bodies have stepped up to the challenge themselves with the notified bodies code, currently at version 3.0.

ENVI, you have clearly not learnt the lesson of this fraud yourself. Patients, innovation and industry will pay the price for it. But then again – we have not seen the Parliament’s amendments yet. Those will become clear by end of April. ENVI may surprise us yet – but I’m not counting on it.

Recast

, ,

21/02/2013

5 Comments

Devices at the DIA Euromeeting – drinks are on us!

The DIA Euromeeting is quickly becoming a more an more interesting event for the medical devices community, as the DIA has been working on getting a full devices theme in place for the duration of the conference. The program that they have this year is comprehensive and features high profile and quality speakers (and me too) – see theme 7. The conference is in Amsterdam this year, from 4 to 6 March.

If you happen to visit the conference, you and anyone you want to bring are more than welcome at our reception on Tuesday 5 March in the evening, right next to the conference center at the Amsterdam city beach Strand Zuid. You’re also welcome if you’re not visiting the conference, conference registration is not necessary to attend our reception. Spread the word!

 

Uncategorized

,

20/02/2013

1 Comment

“Swedish Document” reloaded – a new boost for medical devices standalone software regulation

LakemedelsverketSweden is a lovely and industrious country that takes engineering very seriously; the small Scandinavian country that we know from its boxy but good cars also builds its own fighter jets (pretty good ones actually) and is determined to put its mark on the regulation of standalone software under EU medical devices law. The Swedish competent authority Läkemedelsverket has now issued a new version of the famous Swedish Document with the obvious agenda to influence guidance on standalone software under EU medical devices law in the way it has done before with MEDDEV 2.1/6.

Let’s take a look at the document, keeping in mind that the Swedish authorities tend to want to interpret the scope of ‘medical device’ with regard to standalone software wider than most EU countries. An indication of this is that on p. 17 it is stated that

“It is important to bear in mind that it is both the functionality of a product as well as the intended purpose stated by the manufacturer that determines whether software is qualified as a medical device.”

This is in contradiction with the case law of the European Court of Justice, which recently ruled in the Brain Products case that the intended purpose assigned to a device by the manufacturer determines its status as medical device, and not its functionality. Although the court was not as clear as it could have been – as I have argued – it held  that using functionality as a deciding criterion would lead to regulation as medical devices of many devices that could be used as a medical device but are intended for other purposes, so this is the wrong way to interpret the concept of ‘medical device’.

This agenda of  Swedish Authorities is pretty transparent when the report goes on to say that

“However, there are information systems for the health care sector where the manufacturer has not defined their device as a medical device, but still it could affect the safety for patients under certain conditions. Health care providers should in these instances still consider if those systems should be handled with the same awareness of safety as if it had been a medical device.”

and

“On the Swedish market most RIS are for instance CE marked as medical devices.”

In other words, we would actually like to regulate software of which the use in clinical settings could carry risk for patients, even though the report itself says that risk as such can never be a deciding criterion (p. 13). The report also doesn’t mention that the Swedish market is pretty unique in this respect and that this perspective is not shared by most other national authorities in the EU. I have it on good authority that there was also controversy about this between the member states when they were discussing the text for MEDDEV 2.1/6. Just so you know that this is clearly one view at one end of the regulatory spectrum.

As with the initial version the report provides a lot of useful detail and examples. Compared to the existing EU MEDDEV the report contains useful guidance on

  • software as service (para 4.1.5), clarifying that this can of course also be a medical device;
  • smartphone apps (para 4.1.6), clarifying that an app that qualifies as medical devices does not necessarily makes the phone as such or the combination of the two a medical device; and
  • ‘home brew’ standalone software (para. 4.3), clarifying that one should approach this along the lines of the thinking surrounding home brew IVDs.

The appendix to the document is well worth reading and contains several separate annexes on interesting subjects with a lot of practical information and guidelines:

Annex 1. Risk management

Annex 2. Standards and recent development of standards

Annex 3. Clinical evaluation of medical information systems

Annex 4. Networks

Annex 5. Procurement and issues referring to CE marking (most interesting for me personally, as it discusses tendering strategy for software systems)

Annex 6. Product examples (the largest part of the document, with 19 case studies of software examples. Exercise with caution however, as the Swedish authorities tend to draw the scope of the concept ‘medical device’ wider than others).

All in all a very worthwhile read indeed and guaranteed to provoke discussion in the process surrounding the revision of the standalone software MEDDEV 2.1/6. Also, the annexes provide useful practical examples for the growing apps and other software industry about how conformity assessment for a software medical device works.

However, I think the report could have done better at discussion of the concept of accessory. The report stops at the statement that “[s]tandalone software can, without having a medical purpose of its own, be essential to maintain an intended function of another medical device. It can then be an accessory to a medical device.” This is not a very precise statement at all. I, personally, think that the definition of accessory is extremely important, as the discussion of several examples of modular systems in the report shows when it discusses how non-medical modules can still be regulated as accessories to the medical device module. I think it is even more crucial to develop a position on the concept of accessory in view of the considerable extension in scope in the current proposal for the new regulation on medical devices and the proposal for a new regulation for IVDs to include devices that not only “enable” but also “assist” a medical device in achieving its intended purpose. The definition of this humble little concept will have a severe impact on regulation of standalone software in networks and systems, and, consequently, all eHealth, telemedicine and mHealth services that rely on networks and systems.

eHealth, Software

, , , , ,

13/02/2013

18 Comments

“E” is for economic operator – you know: the MAID

In the series of articles on this blog discussing parts of the proposed EU medical devices and IVD regulations I am taking a look now at economic operators, or as Maurizio Suppo calls them in an interesting analysis of the IVD regulation proposal: the MAID (manufacturer, authorized representative, importer, and distributor). Both the IVD and medical devices regulation lumps all of these together in a single section of the proposal, along the methodology of Decision 786/2008 on a common framework for the marketing of products, which forms the template for regulating the supply chain in EU regulation for CE marked products. Since the economic operators are regulated identically under both the MDR and the IVDR proposals, everything below applies to both. The party line in this respect is the Commission’s attempt to make the supply chain a closed system, much like the Commission has also tried with the Falsified Medicines Directive, by requiring that each link in the chain checks compliance of the previous one and by imposing autonomous regulatory obligations on the respective actors in the supply chain. Both of these elements are new compared to current medical devices and IVD rules and are a departure of the principle that the manufacturer is the focal point of all regulatory responsibility.

For an overview you can download the presentation I gave on this, among other subjects, at a recent medical devices regulation seminar organised by my law firm. This post is also not the exhaustive word on the MAID under the proposals – there is more to follow, for example on authorised representatives, which I already discussed in detail recently, and will discuss in detail again in another post.

Manufacturer

I’m not going to go through the entire manufacturer concept, but will rather focus on some things that jumped out at me. As a point on which there is a significant departure of the current system I’d like to take you to article 14 in the MDR and IVDR, called “Cases in which obligations of manufacturers apply to importers, distributors or other persons”. A distributor, importer or other natural or legal person shall assume the obligations incumbent on manufacturers if he does any of the following:

(a) makes available on the market a device under his name, registered trade name or registered trade mark;

(b) changes the intended purpose of a device already placed on the market or put into service;

(c) modifies a device already placed on the market or put into service in such a way that compliance with the applicable requirements may be affected.

So far no really big departures to the current rules. But then there is the translation and pack changes provision in section 2, which imposes some very new things:

  1. Translations and pack changes by others than the original manufacturer  must be subject to quality system that is notified body certified; and
  2. Prior to making the relabelled or repackaged device available, the manufacturer and authorities must be informed and (upon request) be provided with a sample or a mock-up of the relabelled or repackaged device, including any translated label and instructions for use.

To me these changes make a lot of sense, but they do not do a good job of accounting for European Court of Justice case law regarding repackaging of medicinal  products. Point 2 was the subject of bitter  and protracted litigation in that field, and the EU Court delivered a number of judgements setting out how the manufacturer and repacker should behave towards each other, of which you can find a helpful overview right here and the latest judgment in the series over here. Since recital 25 IVDR and 30 MDR explicitly refer to the last judgment mentioned for guidance, we will have to assume that the Commission intends this case law to apply to the medical devices and IVD field. That automatically means that there is a lot more nuance to repacking and translating than is presently set out in the proposals themselves. Important case law on the effect on the manufacturer intellectual property rights relating to the packaging, such as the distinctive character of the manufacturer trademarks, is not addressed in the operative part of the proposals (and, according to EU Court case law, cannot serve as rules directly prescribed by the regulation). Since these trademarks will appear on the changed pack, this would normally be trademark infringement – or in other words: something that the manufacturer should have a say about. The pharmaceutical industry has fought for years and years about this and it might just be that the Commission is trying to quietly fly this one in under the radar for the medical devices industry, because in the MDR and IVDR proposal the only right that the manufacturer has is to be “informed”, whereas the trademark owner with respect to a medicinal products is much better protected. Of course we don’t know if “informed” is a term that denotes that this is the only remedy the manufacturer has, but on the other hand it does not give any detail to the contrary either. Although the proposals have tried to incorporate the original five so-called BMS conditions developed in the case law discussed, the further refinement and regard for the trademark owner’s reputation set out in that case law (e.g. the division of the burden of proof about damage to the reputation of the trademark of the manufacturer) has not been put in the proposals. As an IP litigator I am intrigued by the opportunities for me but not happy for industry.

Importers

Importers must ensure that:

  1. the appropriate conformity assessment procedure has been carried out by the manufacturer;
  2. an authorized representative in accordance with Article 9 has been designated by the manufacturer;
  3. the EU declaration of conformity and the technical documentation have been drawn up by the manufacturer;
  4. the device bears the required CE marking of conformity;
  5. the device is correctly labeled and accompanied by the required instructions for use and EU declaration of conformity; and
  6. a Unique Device Identification has been assigned.

They must  furthermore:

  1.  Be able to identify any economic operator to whom they have supplied a device, any economic operator who has supplied them with a device and any health institution or healthcare professional to whom they have supplied a device for a period of five years;
  2. Label the device with their contact details;
  3. Take corrective action (a.o. recalls and report to authorities) autonomously;
  4. Engage in post-market surveillance (among other things report complaints); and
  5. Refuse to import devices of which he has reason to believe are not in conformity with the requirements.

Just some remarks here. How is an importer going to “ensure” that the ” appropriate” conformity assessment procedure has been carried out by the manufacturer and that the device bears the “required” CE marking of conformity and is “correctly” labeled? It seems that the Commission is intending the importer to be a notified body of sorts. Of course the importer can check if certain paperwork is in place, but making the importer autonomously responsible for second guessing the notified body’s work, that’s serious stuff I think. You might say this is justified for class I devices (where a notified body has not been involved) but for class III devices? Perhaps I’m reading too much in these qualifiers and we only need to look at what they trigger (article 11 (2) MDR and IVDR):

“Where an importer considers or has reason to believe that a device is not in conformity with the requirements of this Regulation, he shall not place the device on the market until it has been brought into conformity. Where the device presents a risk, the importer shall inform the manufacturer and his authorised representative to that effect, as well as the competent authority of the Member State in which he is established.”

So if there is only a need to inform in case of suspected non-compliance, why does the statute stipulate a duty to “ensure” compliance? This can only mean that the authorities can enforce against an importer of which they believe he has not done enough to “ensure” compliance and this will have a lot of consequences for the agreements in the supply chain, because importers are faced with a new and substantial risk that must be accounted for in the agreement. But if “not enough” was intended, why not phrase it as such? Now it’s phrased as a binary obligation rather than a duty of care, so essentially a no-fault liability – and one without legal recourse on the manufacturer, at least not on the basis of the MDR and IVDR. If there is anything I’d be lobbying on as industry to get out of the proposal, it would be something like this. However, it looks like the industry will be stuck with it, as the proposals implement the exact template of economic operator supervision set up in Decision 768/2008. That doesn’t mean that these things are not picked up by the market. Orgalime for example mentioned problems with applying the “ensure” criterion in the supply chain in 2010 already. Eucomed is flagging the issue again now in its brand new position paper on the MDR.

Distributor

Distributors must verify that:

  1.  the product bears the required CE marking of conformity;
  2. the product is accompanied by the information to be supplied by the manufacturer; and
  3. the manufacturer and, where applicable, the importer have complied with the rules.

They must furthermore:

  1. Label the device with their contact details;
  2. Take corrective action (among other things undertake recalls and report to authorities) autonomously; and
  3. Engage in post-market surveillance (i.e., report complaints)

The same applies as for importers with regard to the terms”required” and “complied with the rules”.

Confidential information

You will see some common themes here: each link has to check compliance of the previous links. Sounds very nice in theory. As discussed the no-fault liability for another party’s behaviour is nothing to look forward to. But there is more to meeting these obligations.

In practice this will involve exchange of a lot of confidential information that nobody likes to just give to someone else. As Mr Suppo puts it: “Rules are rather unclear on how access should be granted to technical documentation for economic operators other than the manufacturer.” I would take a further step back, because this statement assumes that economic operators would be granting each other access to tech files for the purpose of allowing the other to check compliance. Being quite familiar with supply chain contracts (imports and distribution) in the medical devices industry I have not come across agreements that allow the distributor or importer full access to the technical file of the manufacturer. Both under the current directives and the proposals a tech file as such would be confidential information. Moreover, why grant only access to the technical file then? The quality system documentation is also an important pillar for compliance. I have double-checked the proposals but could not find a proposed requirement for companies to give each other access to tech files. Also, this would not solve the no-fault liability that I discussed – the importer and distributor may disagree with the manufacturer, and even with the manufacturer’s notified body. Should the system be set up in a way that economic operators have to second-guess notified bodies to manage their own potential liability? I think that undermines the core of the CE marking system: you have to be able to always rely on certificates of conformity. My contention is that distributors and importers duty’s on the no-fault liability part should not extend beyond verification of the certificate of conformity and corresponding declaration of conformity (except in the case of class I devices, in which case only verification of a declaration of conformity should suffice).

Well…

Here it is: a tip of the iceberg with regard to economic operators. As discussed, companies in the medtech sector should really watch where this is going. Importers and distributors have to start thinking about upping their game in regulatory compliance. Companies should account for this in long term contracts that may run beyond the transitional period set out in the proposals. Etc. More to follow!

Distributors, Importers, Intellectual property

, , , , , ,

04/02/2013

5 Comments

EU Data protection developments: privacy by design – literally, may impact your design

European ParliamentIf you’re active in the medical devices industry in Europe you will no doubt have come across EU data protection regulation. It applies to all personal data (including data concerning health) relating to EU citizens that your company processes. As you may know, the EU is presently revising the current directive and has a proposal in the legislative works for a General Data Protection Regulation, the GDPR. Since I have been quite active with respect to the GDPR proposal behind the scenes, I thought it would be a good idea to step forward with some thoughts on the occasion of developments that occurred just before last Christmas.

Draft Report

The GDPR is a lot more prescriptive, top down and detailed than the current data protection directive. One of the reasons is that since the directive entered into force in 1995 the EU has promoted the protection of personal data from a predominantly internal market subject to a constitutional right as one of the novelties of the Treaty of Lisbon. In the mean time, the sense of urgency in protecting personal data at member state level varied wildly with the Germans taking it extremely serious to the Brits not taking it that serious, just to paraphrase both ends of the spectrum (and overgeneralizing more than I probably should). So the EU decided it needed stronger medicine to control processing of personal data – which, mind you – is now planned to affect every company that processes personal data of more than 500 EU data subjects with organizational requirements, according to the last step in the legislative process: the Draft Report of Parliament rapporteur Mr. Albrecht issued on 17 December 2012. This report sets out the changes that the rapporteur proposes for the first reading by the parliament to the initial text as proposed by the European Commission. And it’s only 215 pages of dense technical reading containing just 350 amendments, so you can imagine that I spent some happy hours with it over the holidays. Mind you, the EU considers health data among the most sensitive categories of personal data and it’s upping its game in considerably tightening controls over it. Really, it’s no laughing matter:  the authorities can impose really severe penalties for non-compliance (how about up to 2% of your company’s worldwide turnover?).

The GDPR requires a lot more from companies than is currently required, no less from those in the medical devices sector. I am not going to provide a complete overview of how the GDPR works and how the initial version might impact the medical devices industry. There are very good other sources that explain the general workings of the GDPR. COCIR and Continua Health Alliance did a nice job on explaining how the initial text might impact medical devices and eHealth companies with activities in the EU. Suffice to say here that the mandatory ‘privacy by design’ requirements for how you structure data flows and operations in your company will require a lot of work and time to get right. The Commission has described succinctly how current data protection law works in relation to eHealth in its recent telemedicine paper in the eHealth Action Plan package and there was of course the Article 29 Working Party opinion on the epSOS project for cross-border eHealth services, which give you a good idea of where the pressure points currently are if you process health data in the EU. With respect to clinical research there is the elaborate FEAM position paper. And there is a lot more.

New changes

What I would like to do is take a number of proposals from the recent Report to show that the devices industry has a lot more complexity to look forward to if these amendments to the initial proposal are adopted, and which it will be strongly impacted by:

  1. Proposed instrument to impose technical design requirements for services and devices with a view to compliance with data processing rules. Medical devices companies are used to the design requirements in the medical devices directives, their harmonised standards and a bunch of other statutes, like WEEE, EUP, RoHs, REACH, Batteries and the rest. The GDPR proposes to add an additional one by creating competence to prescribe how a company must design its devices and services to ensure compliance with the GDPR: “The principle of data protection by design require data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. The principle of data protection by default requires privacy settings on services and products which should by default comply with the general principles of data protection, such as data minimisation and purpose limitation.” and “Processing of personal data shall be organised and carried out  in a way that ensures compliance with the GDPR principles ; producers, data controllers and data processors shall take technical and operational measures to ensure such compliance in the design, set-up, and operation of automatic data processing or filing systems.” (my italics) The Report then goes on to give the Commission and the European Data Protection Board competence to issue further specific criteria for implementation. In other words, your device may be prohibited if it is not designed from the start to meet EU privacy requirements by default.
  2. Increased regulation of profiling (monitoring). Under the GDPR all monitoring of persons (so also of patients) is considered profiling. Profiling has a really bad ring to it.  We all hate it if external parties are sneakily profiling us for their own commercial purposes to figure out what we really want to buy based on how we behave, perhaps even without us knowing or based on consent buried in fine print so dense that you need a whole law firm to understand what you consented to. So far so good. What’s not so good is that the definition of profiling (“any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behavior”) also includes monitoring as we know it in healthcare, both remote monitoring and non-remote monitoring. And because we hate profiling in general because we don’t trust those companies on the internet, the GDPR is going to make profiling extra difficult to do and give the data subject the right to object to profiling across the board. Exceptions for health data – surely they would have thought about that? No, there is only an exception insofar as the processing takes place under a doctor’s medical privilege and then the patient can still object retroactively. Does this put a stake right through the heart of the (remote) monitoring industry? No, because you can still monitor with consent. However, consent has become the company’s problem: the burden is on you to prove that consent was informed, specific, freely given, unbiased, not given in a situation of imbalance and that your policies that were consented to were actually understandable. And then the patient can always withdraw his consent later and demand erasure of all data relating to him. How about that for a foundation to build a business model on?
  3. Even stricter regulation of processing of health data for scientific research. The medical devices industry is dependent on research for innovation. Consequently it’s not good news that the Parliament is planning to make the already very strict exemptions for processing health data for research basically impossible to work with from a regulatory compliance perspective. The Report proposes to require that processing of pseudonomised (reversibly coded) health data can only take place with consent of the data subject except in cases of “research that serves an exceptionally high public interest and if that research cannot possibly be carried out otherwise”. Time will tell what that means but I predict it is not going to make things easier when a company wants to use health data for long term purposes research because all data obtained with valid (for what it’s worth with all the complexity surrounding consent) consent is subject to the obligation that “all necessary measures shall be taken to prevent re-identification of the data subjects“. Good luck doing corrective actions for the lucky people in that group.

Not helpful in the real world

Anyway, I could go on but these three points really jumped out at me and indicate to me that the EU is not really thinking constructively about health data in the real world in which commercial companies rely on data for meeting their regulatory obligations and developing innovative technology. I am following these and other points up in Eucomed and in several associations specifically active in eHealth and mHealth. I will also be speaking about this subject next week in the Netherlands at the Lexxion conference on the new medical devices regulation. To me it is still hard to understand why the Commission on the one hand launches ambitious eHealth actions plans (that rely on workable data protection rules by the way) and wants a competitive European healthcare industry as a matter of policy but on the other hand makes the output of research really difficult to leverage for innovation and improvement of healthcare. Of course there has to be a balance and fundamental rights need to be respected. I don’t have the feeling however that the healthcare industry are the bad guys in the eyes of patients and trial subjects. Innovative companies in healthcare are no sneaky profiling marketeers or social media on which you post your drunken face to your detriment for the rest of your career. Therefore, they should not  be regulated with the same undifferentiated instruments. As is clear from the position papers I have linked to above, the industry is not in the least trying dodge its responsibility, but it does raise red flags about how this will not work for anyone nor help achieve the policy goals the EU has for healthcare.

So, what happens next?

The European Parliament will now ruminate on the Draft Report and see whether they really want this as amendments, or maybe want to add some more to 350 amendments proposed (end of February). The Rapporteur is however not crazy and will only propose things of which he knows have support in the Parliament. The Parliamentary Committee charged with this dossier, the Civil Liberties Committee, will then vote (end of April) and the dance between the Commission, Council (the Member States) and the Commission (the initial author of the proposal) will start to see if they can agree (from May onwards) in the so-called Trilogue. And in the mean time every stakeholder and stakeholder group will be lobbying like crazy to try to make a difference.

And: companies will have to start to make sense of how to implement all of this. Because even if the GDPR may change on some points in the process – it’s not going away, I assure you that much.

Data Protection, Telemedicine

, , , , , , ,

23/01/2013

9 Comments

Happy New Year – with all those developments

Schermafbeelding 2012-12-29 om 13.25.01The end of the year is upon us, and I’d like to take the opportunity to wish the readers of this blog all the best for the new year, a new year with lots of exciting developments ahead. This post will not be the usual regulatory and legal analysis of rules, but something more forward looking and analyzing how the law will deal with developments that I think are particularly interesting:

    1. Apps will become more prevalent in clinical use and will be used more and more for higher for higher risk operations, as the overview of most innovative medical apps of 2012 on iMedicalapps.com shows. The European Commission is currently in the process of overhauling the MEDDEV on standalone software, announced guidance on apps and proposed mobile computing platform specific essential requirements in the newly proposed EU Medical Devices Regulation (MDR). The new accessories rule proposed will also bring a lot of peripheral apps within the scope of the MDR).
    2. As medical devices take their place in the internet of things or even of everythinginterconnectedness will become more important. Customers and patients will require it because with the increasing role of consumer technology in the eHealth ecosystem, proprietary end-to-end solutions will become more and more difficult to defend. Companies can expect to see an increase in interoperability requirements in tender requirements in the EU as clinical institutions will for example expect this for telemedicine solutions. Medical devices manufacturers should work on interoperability standards as the European Commission proposes to give itself ample tool to set standards if it is not happy with what industry develops.
    3. Clinical Decision Support software will and should become more accepted as cost and life and costs saving tool. It is amazing to me that the potential for cost and life saving by leveraging software in medical diagnosis is so widely overlooked. My opinion is that this is because of the incremental nature of deaths and potential cost savings and the disregard of hospitals for deploying quality systems that also monitor diagnostic decisions and identify opportunities and threats. Family of mine that works with quality systems for maintenance and diagnostics for big flying military hardware laugh at the thought of having maintenance mechanics decide by themselves what maintenance is needed and refusing to use software and data to assist wherever possible. This would result in foregoing enormous cost savings and and more consistent precise diagnosis of what maintenance is required. This type of evidence based diagnostics are acceptable in aviation because we don’t like airplanes full of people or loaded with bombs to crash on cities. It is apparently not acceptable in medicine because we don’t mind one person dying at a time in order to keep up the appearance that humans are better in applying diagnostic protocols than machines. And everybody agrees that the medical profession can still learn a lot from aviation in rigorous application of quality systems, see for example here and here. Of course you cannot shoehorn healthcare in aviation procedures one-on-one, but I think nobody proposes that. The EU rules for clinical decision support software are  on the move, with the Commission working on the new version of the standalone software MEDDEV.
    4. The enhancement of humans for non-medical purposes will continue and will take varying degrees of invasiveness. The borderline between devices for remedying a handicap and pure enhancement as well as treatment of a disease will become more and more blurred, as for example intelligence enhancing implantscommunication with comatose patients and prosthetic limbs that make handicapped athletes faster than non-handicapped persons develop. The new MDR proposal responded to this by means of the proposed Annex XV regime, to regulate non-medical devices that are similar to medical devices in terms of characteristics and risk profile under the MDR.
    5. The borderline between medical devices and living materials (e.g. organs) will continue to be blurred further with bioprinting being deployed to print replacement parts of the human body. This will be problematic given the MDR’s new demarcation rules that exclude tissues or cells of human or animal origin or their derivatives. Where the printing consists of a combination of medical device and cells the fun really begins, because the result may be an advanced therapy medicinal product under regulation 1394/2007.
    6. The European Commission is starting to zig-zag under the pressure applied to it because of the proposal for the General Data Protection Regulation that will hit the healthcare (and devices) industry like a ton of bricks (see for example COCIR’s position paper on the subject) and will make processing of health data, genetic data and biometric data a lot more complex. Companies are not happy at all and the Commission is now talking about implementing a risk based approach to regulation, just like the Council is too, which is not necessarily good news for the devices industry because health data, genetic data and biometric data are among the categories of data that are regulated the strictest because of the risks associated. Moreover, I’m not enthusiastic about member states’ plans to make processing of data by public institution, which can lead to unfair competition between companies and clinical institutions when it comes to clinical data. 2013 will also mark the first reading of the regulation, and we will know what the Council, the Parliament and  the Commission are proposing to change in the current draft.

Next year will be another good year for preparing for all the legal and regulatory changes that will hit the medical devices market in the EU. If you are curious as to how the new EU rules proposed for medical devices will play out and have made that a New Year’s resolution, you could check the box on that one by going to this conference in the Netherlands on 29 January. The conference is interesting because of the different model: organized by a publisher and a university it will incorporate more academic debate by having commentators respond to presenters, which is a welcome departure of the usual broadcasting model of presentations – I think. And the quality of the speakers is good, at a fair price. If you use this link to subscribe you get a 5% rebate on the conference fee. Of course I am referring to this conference here also because I am speaking there myself and because my firm contributes, but don’t let that hold you back!

Accessories, CE marking, Data Protection, Personal data, Recast, Software, Telemedicine

, , , , , , ,

31/12/2012

Leave a comment

The new Commission eHealth Action Plan, and some thoughts on what it will mean for devices

EU flagLast week the Commission launched its new eHealth Plan (EHAP). It was announced under the header “Putting patients in the driving seat: A digital future for healthcare”. A nice rundown of the relevant documents is here and a good summary by MedTech Europe (Eucomed and EDMA) is here. Then there is the convenient overview and roadmap over here giving an overview of actions to be implemented in 2012 – 2020. You might want to take a look at this Commission presentation on eHealth of last month giving you the short and comprehensive version of what they then expected to be in EHAP.

These developments are important for the medical devices industry, for several reasons. First, more and more medical devices are standalone software and provides as service. Those are now explicitly regulated under the proposed Medical Devices Regulation and proposed In Vitro Diagnostic Devices Regulation. Secondly, more and more medical devices will connect to the internet as part of healthcare services in the internet of things. Thirdly, these devices, both software/service devices and physical ones, need degrees of interoperability to function together.

However, the EU has no direct competence to regulate healthcare or it financing. However, it has competence to regulate the internal market for medicines, medical technology and related services. Therefore, it must resort to regulating the conditions for eHealth services by removing barriers and creating conditions for the uptake, for example by means of the eHealth infrastructure established under article 14 of the Cross Border Patient Rights Directive. Indeed, access to and the conditions under which citizens can receive eHealth services differ wildly between member states. Denmark, for example, is the eHealth champion of Europe while other countries lag far behind.

The goal of the EHAP is

“to improve healthcare for the benefit of patients, give patients more control of their care and bring down costs. While patients and health professionals are enthusiastically using telehealth solutions and millions of Europeans have downloaded smartphone apps to keep track of their health and wellbeing, digital healthcare has yet to reap its great potential to improve healthcare and generate efficiency savings.”

To put this into perspective Commission Vice President for the Digital Agenda Neelie Kroes said at the EHAP launch: “Europe’s healthcare systems aren’t yet broken, but the cracks are beginning to show. It’s time to give this 20th Century model a health check. The new European eHealth Action Plan sets out how we can bring digital benefits to healthcare, and lift the barriers to smarter, safer, patient-centred health services.”

At the same time, the newly appointed Commissioner for Health and Consumer Policy, Tonio Borg, added: “eHealth solutions can deliver high quality, patient-centric, healthcare to our citizens. eHealth brings healthcare closer to people and improves health systems’ efficiency. Today’s Action Plan will help turn the eHealth potential into better care for our citizens. The eHealth Network under the Cross-Border Healthcare Directive channels our joint commitment to find interoperable solutions at EU level.”

With this in mind we would not be exaggerating if we paraphrase as follows: the EU’s healthcare systems are skirting the abyss but eHealth can save the day, if only the Member States can cooperate under the EU’s banner. This, of course is where all the trouble starts for lack of competence of the EU to regulate healthcare directly. Responsibility to define the way to organise and deliver health services and medical care lies within the Member States. In several other areas supporting action from the Commission would be possible, notably under Articles 168, 173, 179 or 114 TFUE (Treaty on Functioning of the EU). As a result you get an EU that harbors absolute eHealth champs like Denmark and absolute laggards. And nobody can agree on joint standards because there aren’t any mandatory ones. Denmark has now put its money on the Continua standards for interoperability of devices, which I think is a very good sign. They have actually issued the first tender for Continua compliant telemedicine services.

The Commission Staff Working Document on Telemedicine that is part of the EHAP package does a great job of summarising the legal and regulatory questions for a typical cross border eHealth service:

Licensing: Does the telemedicine provider also need to be licensed/registered in the Member State of the patient? –  this is harmonised to an extent by the Cross Border Patient Rights Directive that imposes home country control for the service (just like the e-commerce directive does). As eHealth services are sold online more and more, I expect that there will be more friction between the e-Commerce directive and national law, as you can read in my post about the Ker-Optika case. The Ker-Optika judgement has also found its way into the Commission’s recent thinking about telemedince set out in the Staff Working Paper on Telemedicine. The Commission, in order to maximise potential reliance on the Ker-Optika theory of free movement of information society services, states that

“It is important to underline that telemedicine is not a new medical act and does not intend to replace traditional methods of care delivery, such as face-to-face consultations. It rather represents an innovative way of providing health and care services, which, can complement and potentially increase the quality and efficiency of traditional healthcare delivery.”

I am not sure if this theory can be maintained in all scenarios, as it would seem to be based on a concept of telemedicine as monitoring of an already diagnosed disease. However, in practice telemedicine is capable of much more as it becomes more and more autonomous, like new diagnosis and subsequent automatic follow-up. This would mean that the last medical act by a human operator might actually be the prescription or recommendation of a particular expert or clinical decision support system, as already happens with apps that tell people what dose of a medicinal product to take and that are recommended by a physician.

Data Protection: What are the conditions for the legitimate processing of personal data related to health? Processing of data concerning health is harmonised under the Data Protection Directive which provides for regulatory one-stop-shopping but does not provide for full harmonization. However, as the Article 29 Working Party’s opinion on epSOS shows, things get really complex very quickly and it is very difficult to set up a eHealth services structure that stands up to scrutiny. And then the Data Protection Directive is currently being replaced by something a lot more stricter in the field of health data, the General Data Protection Regulation.

Reimbursement: Will the cross-border telemedicine service be reimbursed? This is where things get really complex as Regulation (EC) No 883/2004 on the coordination of social security systems is not applicable to telemedicine services because it expressly requires the physical presence of the patient in the Member State of treatment (the one of the healthcare provider). This means you have to fall back the Directive on the application of patients’ rights in cross-border healthcare that sets as a general rule that the Member State of affiliation shall ensure that the costs incurred by any insured person receiving cross-border healthcare are reimbursed, if the healthcare in question is among the benefits to which the insured person is entitled in the Member State of affiliation. Of course the question is if cross-border healthcare is among the things reimbursed in the patient’s member state. And – although there are some conditions – Member States may still require prior permission.

Liability: What is the liability regime applicable in case damage arises? Again, difficult as EU harmonises product liability, it does not harmonise professional liability for medical treatment and member states even diverge in how they treat professional liability for malfunctioning devices used for provision of medical services. Furthermore, as I have recently researched, Member States tend to think quite differently about whether software is a ‘product’ in the meaning of the product liability directive.

Relevant jurisdiction and applicable law in case of damage: What are the relevant jurisdiction and the law applicable in case damage arises? Well, as the case study on this point in the Staff Working Document on Telemedicine shows, things can get very complex even though EU law harmonises jurisdiction to an extent.

What will this mean for the devices sector? Promotion of interoperability all around as party line. Actually the new Medical Devices Regulation proposal already has that modestly vectored in the new essential requirements (no 11.5, which provides that devices that are intended to be operated together with other devices or products shall be designed and manufactured in such as way that the interoperability is reliable and safe). Now that the Commission proposes to be able to change the essential requirements by delegated act (convenient) or issue Common Technical Specification by implementing act, the Commission has the tools to force interoperability from a safety policy perspective. You can expect tenders for devices enabling eHealth to include interoperability requirements, because these systems are useless if they can’t scale and interoperate. The Commission is further planning to issue (see the roadmap):

And the Commission will continue the international harmonisation efforts under the Memorandum of Understanding with the US on eHealth on interoperable eHealth systems and ICT skills. Remember that international harmonisation is one of the explicit goals under the proposals for the Medical Devices Regulation and the In Vitro Diagnostic Devices Regulation, and that the EU and US are in the IMDRF (former GHTF) together.

So, we aren’t there yet. As the SWP on Telemedicine concludes:

This Staff Working Paper underlines the importance of legal clarity in cultivating trust and acceptability of telemedicine. Furthermore, it is intended to serve as guidance to Member States, raising awareness on what telemedicine is and what they are committing to when they adopt it as a type of medical act, or reimbursable health service.

Finally, this paper shall serve as a starting point for discussion with Member States on the opportunity to tackle at EU level remaining legal uncertainties created by divergent national regimes such as the issue of medical liability.

That’s exactly what this is: the start of the discussion about an opportunity. Rome wasn’t built in a day either but if the EU – and most importantly the Member States – really want to leverage Moore’s law into eHealth, all involved will need to up their game (except Denmark) and start acting more like Denmark to the 27th power. At least we have such a good blueprint available, now we just have roll it out to other member states and be ready to not re-invent the wheel.

There is also a lot more to say about the subject, so this post is by no means comprehensive. It’s just a start!

e-commerce, eHealth, Recast, Telemedicine

, , , ,

19/12/2012

6 Comments

A medical device is medical – but what does that mean?

Last week the EU Court decided Brain Products / BioSemi, one of the pending borderline cases involving demarcation between medical devices and ‘general stuff’. This case is interesting and important because it concerns a direct interpretation of the definition of medical device in the EU Medical Devices Directive (MDD), which is why I have already blogged about the Advocate General’s opinion in this case. It is also interesting because the case will not make the borderline between medical devices and general health / wellness products simpler. Apologies in advance for the less than concise and slightly rambling post, but I thought I would give you some insight in my thought process about the judgment.

Was was the case about again?  Biosemi markets electrotechnical systems and equipment, in particular, a system called ‘ActiveTwo’. The system enables human brain activity to be recorded. Brain Products thought that this was a medical device. Since BioSemi did not have CE certification for such devices, the marketing of that product should be prohibited, argued Brain Products in German court. Why did Brain Products think that it was a medical device? Because the intended purpose of the device exactly fit the definition of ‘medical device’ in the MDD as a ‘device for the investigation of a physiological process’.  BioSemi argued that the  ActiveTwo device is not intended for medical use and can therefore not be classified as a ‘medical device’. Moreover, BioSemi argued, the fact that that system can be transformed into a diagnostic device does not lead to it being classified as a medical device. Finally BioSemi argued that a restriction on the marketing of ActiveTwo would be contrary to the principle of the free movement of goods since the competent Netherlands health authority takes the view that there is no need to certify that system.

The EU court’s conclusion is the same as the AG’s:  the concept of ‘medical device’ covers an object conceived by its manufacturer to be used for human beings for the purpose of investigation of a physiological process only if it is intended for a medical purpose. The Court’s reasoning however is interesting and of course, it’s the final word on the matter; moreover the EU Court approaches the problem differently than the AG and only from two directions: teleological interpretation of the directive and the requirements of free movement of goods in the EU internal market.

Teleological interpretation: medical intended purpose

On this point the EU Court does one of its best interpretative tricks when it seeks to reconcile its intended conclusion with the lack of an explicit requirement of medical intent in the actual text of the law by holding  that “ [i]t may be considered that the silence by the European Union legislature on that point is explained by the fact that medical use is inherent in the devices concerned.” (point 23) Fortunately, “that analysis is supported by Commission guidelines (Meddev 2.1/1) published in April 1994, which seek a uniform application of the provisions of Directive 93/42 within the European Union. That document contains Section I, entitled ‘Field of Applications – Definitions’ containing Chapter I, entitled ‘Directive 93/42/EEC on medical devices. Point I.1.1(b) in that chapter expressly states that medical devices are intended to be used for a medical purpose.” (point 24)

OK, but we knew this latter point already since 1994, nothing new except that the EU Court now says that the Commission was right on this point.

Free movement

The free movement argument basically says that it would not help the internal market of goods if you regulate products that are not medical devices as medical devices. I follow that logic:

29      It follows that Directive 93/42 may have the effect of limiting the free movement of medical devices, by providing for an obligation for certification and CE marking in respect of those products only where such a limitation is necessary for the protection of public health.

But then the water gets muddier:

30      Therefore, in situations in which a product is not conceived by its manufacturer to be used for medical purposes, its certification as a medical device cannot be required.

“Conceived” is a tricky term here. Does that mean that the manufacturer’s conception is limited to ‘conceived initially’? That is what this word seems to mean; this is confirmed if you look at other language versions of the judgment. But what if the manufacturer decides to change the intended use later on because he sees possibilities in the medical market? In that case the device was not conceived as medical device, but may be intended to be used as such later. Would that still be covered by the MDD? I think yes, because that would be the only conclusion to avoid everyone phasing their devices in by changing the intended use to ‘medical’ at a later stage without consequences.

Where are we now?

The result is that we now seem to be stuck with an almost philosophical debate about the question what ‘medical’ means. In its  reasoning the European Court refers to ‘protection of public health’, and everyone knows that ‘health’ is not the same as ‘medical’, because medical assumes something clinical, while health as a concept is much, much broader. This means that any device that promotes or sustains good health may be a medical device. That means that a large category of devices might be sucked into the scope of the MDD, like treadmills and body fat composition monitor apps on your smartphone. But wait, these things are actually not supposed to fall in the scope of ‘medical device’, as the EU Court excludes

in particular, […] many sports goods which enable the functioning of certain organs in the human body to be measured without any medical use. If such articles were to be classified as medical devices, they would be subject to a certification procedure without any justification for that requirement.

OK, so what, then, is “medical”?  The scope of ‘medical’ seems to require a ‘medical context’, as may be gleaned from the EU Court’s example of software in points 16 and 17 of the judgment:

16      Next, it must be stated that the wording of Article 1(2)(a) of Directive 93/42 was amended by Article 2 of Directive 2007/47, recital 6 of which states that a software in its own right is a medical device when specifically intended by the manufacturer to be used for one or more of the medical purposes set out in the definition of a medical device. That recital adds that software for general purposes when used in a healthcare setting is not a medical device.

17      As regards software, the legislature thus made unequivocally clear that in order for it to fall within the scope of Directive 93/42 it is not sufficient that it be used in a medical context, but that it is also necessary that the intended purpose, defined by the manufacturer, is specifically medical. [Underling and bolding are mine]

So we need two cumulative things for a device to be ‘medical’: a medical context and a medical purpose defined by the manufacturer.

But what is a “medical context”? That may well be a situation where a doctor uses a body fat composition monitor to measure my functioning and makes me run on a treadmill in a check-up visit. Conclusion: ‘medical context’ is not a helpful concept here, and only makes things more complex.

What about the medical purpose? The medical purpose must be “defined” by the manufacturer. Does this  suggest that there is no room to objectify the purpose? It looks like it because that is what the case is about in the first place: a device has a ‘medical’ dual use, but the EU Court concludes that is not a medical device because the manufacturer says it isn’t. This primacy of the subjective intended purpose opens up a can of worms that may well lead to a lawyers’ paradise of attempts to de-medicalise things with obvious medical purpose, or at least, dual medical purpose. As a lawyer I like lawyers’ paradises of course, but I do not wish for them for the market. I also believe that this way of interpreting is inconsistent with scoping of the definitions other EU legislation regulating ‘medical stuff’, like medicinal products that use a definition that also looks both at the function of the product and the intended purpose. This has the obvious advantage that you can have a scientific discussion about the mode of action, while that is difficult when subjective medical intent is the only essential and deciding criterion to go by if we read the judgment literally. Finally, you put the door wide open for abuse of dual possibilities . Why buy an expensive ‘medical’ device if you can buy the same ‘non-medical’ device for half the price (because no investment in CE marking is required)? This again goes to the heart of the case at hand and is probably the very reason that Brain Products started the proceedings. And don’t forget, a level playing field is also what free movement provisions intend to achieve.

Another way to arrive at a better result

I wonder why the EU court took this difficult route of interpretation. Rather than pulling a rabbit out of its interpretation hat regarding the 3rd limb of the definition  it  could also have concentrated on the word “investigation” in the 3rd limb of the definition, because that was the actual question of the national court (“‘Does a product which is intended by the manufacturer to be applied for human beings for the purpose of investigation of a physiological process constitute a medical device, within the terms of the third indent of Article 1(2)(a) of Directive 93/42/EEC, only in the case where it is intended for a medical purpose?’”). It could have simply stated that the word “investigation” (which is not necessarily a medical term), should be interpreted as “investigation for medical purposes”. The interpretation chosen by the EU Court  instead leads to some difficulties. Why? By pouring a ‘medical’ sauce over the whole definition you question the inherent medical content of other concepts as well, such as ‘therapeutic’. Are there non-medical therapeutic devices? In the mind of the EU Court there apparently are. Indeed, although the EU Court only ruled on the interpretation of the 3rd limb of the definition, its reasoning on ‘medical intended purpose’ and  free movement is just as applicable to the rest of the definition.

Fortunately the amended definition in the Medical Devices Regulation proposal (MDR) avoids this problem, by making all limbs of the definition subject to the qualification ‘specific medical purpose’ but as a exhaustive list of medical purposes:

“‘medical device’ means any instrument, apparatus, appliance, software, implant, reagent, material or other article, intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific medical purposes of:

– diagnosis, prevention, monitoring, treatment or alleviation of disease,

– diagnosis, monitoring, treatment, alleviation of or compensation for an injury or disability,

– investigation, replacement or modification of the anatomy or of a physiological process or state,

[…]” [my underlining]

So the EU Court could also have referred to this new definition to determine what the Commission wants for medical devices in the EU market and arrive at this solution, and that would also have fit the MEDDEV it referred to. But it didn’t. That would have solved a lot of problems and now we have to wait for the MDR to enter into force, which may take at least a year or two.

Conclusion

Conclusion: the EU Court has not done the devices market a favour with this judgment, and certainly did not clarify the law if you ask me. It did create somewhat of a a lawyers’ paradise by potentially enlarging the scope of the MDD but at least muddying the borderline with general health and well-being device – I think – but please don’t shoot the messenger.

Borderline

, , , ,

26/11/2012

12 Comments

« Older posts
Newer posts «