« April 2012 | Main | September 2012 »

25 June 2012

Medical Apps, FDA and Patient Data Integrity

Two recent articles - one in the Washington Post entitled Health-care Apps of Smartphones Pit FDA Against Tech Industry and one in the Wall Street Journal entitled There's a Medical App for That-Or Not - have raised the spectre of how smartphone medical apps imply an imminent trainwreck between today's rapid-pace innovation and last century's slower-going FDA regulation.

 

Shanghai_Bullettrain  vs?  Zooming_Along_in_Railroad_Handcar

What's the real question?

As I note in Get to Market Now!, new innovations and technologies emerge on average every 6 months while new or revised regulations take 12-14 years. Today, there are over 13,000 medical apps available for you and me; another 5,000 are available just for physicians and healthcare providers. By the time you finish reading this post, another medical app will have been published.

From a business perspective, the thought of FDA dragging down innovation to the rate of regulation is frightening. And while there is also the need to protect the public - and physicians - from medical apps that are unreliable, faulty, and just plain poor, is new regulation the answer? Is treating a $1.99 app like an MRI the answer? Innovation wouldn't stop. The price would just go up. Instead of paying $1.99, you'd just pay $1,990 for the app.

So, assuming that's not our goal, then what's the answer? Well, maybe we should step back from racing to find an answer, and reframe the question. Afterall, there's no point in arguing over the answer if we're not all answering the same question.

I suggest the real question has little to do with speeding innovation, keeping the public safe, enabling informed healthcare consumers, or making healthcare professionals more efficient. Those are all wonderful points, but they are not the core question behind how to, or even whether, we should regulate a medical app.

The real question is simpler:  How do we - as a society - ensure that patients and healtcare providers can rely upon the health data used/maintained in a medical app?

Think about it. Would you want one of the regular updates to an app on your smartphone to corrupt all the previous data you had in it?

In today's video game market, data corruption is a painful reality becoming more and more common - patches and updates to games increasingly have to be withdrawn and redone because they accidentally corrupted and destroyed people's previous game data. It's too late for those consumers whose data files were destroyed.

"Well, sure," you say, "but those are game files. I mean, come on." And then think about it:  is that what you want for your smartphone health app?  You'd be hard-pressed to find a patient or a physician okay with running that risk for all their health data. Are you okay with all your health data and trends over the past year being wiped out while an update to your app is downloaded as you sit at Starbucks sipping that latte?

So this is the core question:  how do we ensure that data entered into a medical app stays trustworthy?

And if we reframe it in this way, then we can cast about for already existing regulations, controls and tools. And yes, we already have them.

 

Today's Medical App Controls

I see four significant controls available today. The first two are pure market-driven, the second two are more "guiding hand" industry best practice combined with existing regulation:

1. Consumer reviews.  Admittedly, there are some drawbacks to this as we don't know if the person writing the review is knowledgeable, and sites that rely on consumer reviews are usually fairly easy to game. So, consumer reviews are not a stand-alone control, only a piece of the control puzzle.

2. Product liability litigation.  Yes, it's coming if not already occurring. Face it, if you can find a lawyer able to beat a restaurant for serving too hot a cup of coffee, you can find a lawyer able to beat a medical app for allowing your medical data to become corrupt. Still, because it can take up to two years for such product liability litigation to emerge, this is not a preventative except in the long, long-term. Product liability litigation is only another piece of the control puzzle. If nothing else, right now, medical app makers will want to include some level of documented risk assessment to patient data as part of their development process, otherwise, expect to defend why you didn't when you sit before the court in 18 months.

3. Software quality control practices.  Great in theory, often poor in practice. The reality is that often companies cut quality control in order to rush products to market. When a medical app can be written and quality checked by the same person all in the span of a 14-hour day, software quality control is not a stand-alone data integrity control to rely upon. Nonetheless, I'd argue it is still a part of today's control puzzle. Everything from ISO to CMM should be on the table here, and it'd be nice if we could start to see some sort of reference by medical app makers to the software quality coding method used to make their app and its inevitable updates.

4. Part 11.  Yes, I said it. 21 CFR 11 Electronic Records; Electronic Signatures. Now, before you bring up the spectre of "validate everything" (and trust me, as a recovering "validate everything" addict, I've got a lot of personally painful, embarrasing stories), I'm discussing how Part 11 (and the EU's Annex 11) are interpreted and enforced today. Today, Part 11 is all about data integrity - ensuring that data that is trustworthy. And isn't that the core question we just defined above?

So if a medical app provider can show that his/her medical app maintains data with integrity (i.e., is Part 11 compliant), isn't that enough for the vast majority of the 18,000+ medical apps out there?

Coincidentally, Sweden's Medical Products Agency just released a guide to the EU's medical device directives that discusses controls, risks, and expectations for medical software - including medical apps. Download a PDF of Sweden's guide here. It's approach seems quite reasonable. Makers of medical apps are to conduct a risk assessment of their app that includes risk to the patient (see control #2 above), and be able to demonstrate that the app meets its intended performance goals (see controls #3 and #4 above). Finally, the guide notes that smartphones and tablets, etc., will never be considered (and regulated as) medical devices unless they are specifically converted to be a medical device.

If only we in the States could be so reasonable....

Posted at 11:04 AM in FDA Intel, FDA regulation, IT Compliance (Part 11), Medical Apps, Medical Devices, Records Management & Retention | | Comments (0) | TrackBack (0)

|

04 June 2012

From the Medtech QA/RA Global Conference

New European medical device regulations are due within 18 months. The new rules will update the current Medical Device Directives (MDDs) for the 21st century, and close the gaps so brutally uncovered by the PIP scandal and the metal-on-metal issues. Industry is proactively adjusting their quality systems and regulatory compliance programs while key executives are encouraging EU regulators to avoid US-style over-regulation.

These were the principle themes infusing the two-day Medtech QA/RA Global Access 2012 conference hosted by the Irish Medical Device Association (IMDA) in Galway, Ireland last week. With over 250 medical technology companies calling Ireland home, including 11 of the top 13 device firms in the world, Ireland has become Europe's center of excellence for devices. And IMDA's Medtech meeting is Ireland's flagship conference.

Much of Day One was devoted to discussions of the planned MDD revisions, with speakers from the European Commission, the European Parliament, the Irish Medicines Board (IMB), Eucomed (the Advamed of Europe), and industry. Europe encourages "responsible innovation" by relying more upon vigorous postmarket surveillance, inspections and adverse event reporting rather than any pre-approval scheme such as the FDA's 510k. Instead, the EU has only pre-market assessments and the CE mark. IMB's Ann O'Conner noted that 65% of vigilence reporting leads to product recall and removal. This state of affairs, with its regulatory burden primarily on the postmarket stage, allows for rapid inclusion of new technology, and new scientific and engineering innovation, an approach I advocated in my latest book, Get to Market Now.

The EU's new MDDs will require a number of elements that are outlined in Global Hamonization Task Force (GHTF) guidelines such as:

For readers of my client newsletter, SmarterCompliance, adoption of GHTF guidelines should come as no surprise. FDA is moving to GHTF inclusion as well, albeit a bit more slowly than Europe. Whether FDA's "slowly but surely" pace of harmonized rule adoption will inadvertently put US-based device makers at a disadvantage on the global marketplace remains to be seen. European parliamentary elections are scheduled for June 2014, so expect the new MDDs to be in place by then if not sooner.

In addition to a high-level presentation by FDA on "possible, eventual 510k updates," the rest of Day One was taken up with surveys of the state of device regulations in India, China, Russia, the Middle East and North Africa.

Day Two of the conference saw speakers delve more deeply into practical implications and challenges behind the new rules. One set of challenges will be the new clinical rules in the updated MDDs. The IMDA is hosting a two-day conference later this year to address the new EU clinical evidence rules.

I had the privilege of presenting on elements of a defensible record-keeping program for complaint handling and medical device reporting. The message I had for attendees was two-fold:

First, it is clear that complaint handling records and complaint files hold both regulatory and legal risks. Focusing only on quality system compliance can leave a firm vulnerable to disgruntled customers increasingly willing to file a lawsuit to get monetary compensation. Thus, quality auditors must also assess the content of complaint records to help minimize risk to their companies.

Second, complaints can come into a device company through more than just "official" channels. Whether a complaint is made to the saleswoman manning a conference booth or to the company vice-president speaking to a patient advocacy group, each person dealing with the public must receive some level of complaint handling training.

As with any in-person compliance speech or workshop I provide, I gave attendees handouts to help with both of these issues:  an internal quality auditor checklist for reviewing complaint files and a list of complaint documentation do's and dont's.

The next IMDA Medtech conference is scheduled for 2014 just as the new EU MDDs come into force. It promises to be an exciting event, so keep an eye out for announcements.

In the meantime, consider attending some of these events where I'll be offering advice on optimizing your quality system and regulatory compliance programs:

  • June 14 teleconference on defensible documents
  • June 22 speech on the role of IT departments in effective regulatory compliance
  • July 25 teleconference on effectively managing an FDA inspection
  • July 31 workshop on 21st century supplier management and qualification

More upcoming lean compliance events can be found on my upcoming events page on the Cerulean website.

Posted at 10:50 AM in Event & Publication Calendar, Lean Compliance, Records Management & Retention, Regulatory Intelligence | | Comments (0) | TrackBack (0)

|

My Photo

About

John Avellanet

Recent Posts

Enter your email address:

Delivered by FeedBurner

Categories

Archives

More...

Copyright Notice

  • © Cerulean Associates LLC
    All rights reserved
Subscribe to this blog's feed