Regulatory Review: The Price of Change

“The NSA is akin to Jorge Luis Borges’s ‘Library of Babel,’ a place where the collection of information is both infinite and at the same time monstrous, where the entire world’s knowledge is stored, but not a single word understood,” James Bamford wrote in 2009 of the National Security Agency’s (NSA) massive $2 billion data storage facility in Utah. In July this year, the NSA expert and investigative journalist gave an interview to the San Francisco Chronicle in which he said, “the problem is the bigger you build the haystack, the harder it is to find the needle.”

One of the more philosophical issues facing medical device regulation and the healthcare industry in general today is the justification of data collection and storage—in other words, the argument for a regulated health information technology (health IT) network. The Health Insurance Portability and Accountability Act of 1996 contains a provision known as the Administrative Simplification provision, which requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Government agencies such as Medicare and Medicaid offer incentive programs to medical professionals, eligible hospitals and critical access hospitals as they adopt, implement, upgrade or demonstrate “meaningful use” of certified EHR technology.

“We have reached a tipping point in adoption of electronic health records,” U.S. Department of Health and Human Services Secretary Kathleen Sebelius has said. “More than half of eligible professionals and 80 percent of eligible hospitals have adopted these systems, which are critical to modernizing our health care system. Health IT helps providers better coordinate care, which can improve patients’ health and save money at the same time.”

In September this year, the Food and Drug Administration Safety and Innovation Act (FDASIA) workgroup assembled to evaluate a guidance on health IT gave its final recommendations to the U.S. Food and Drug Administration (FDA). There is no final guidance on the subject of health IT yet, and knowing the FDA, there won’t be for a while (the agency tends to move deliberately); but the FDA did put out two very significant final guidances this year that will shape the future of health IT and its governance in the immediate and long-term future.

The first is the final guidance on mobile apps (applications, functional programs that can run on mobile devices). As more and more people own smart phones, the FDA has taken note of how mobile apps essentially can turn a phone into a medical device. In 2011, San Antonio, Texas-based AirStrip Technologies Inc. released an app in collaboration with General Electric Co. (GE) which reads ECG (electrocardiogram) data from GE Healthcare’s Muse cardiology information system, a cloud database hospitals use to track and store patients’ heart data. Muse measures hundreds of thousands of ECGs, warehouses the ECG data, and allows doctors to access it either in the hospital or remotely. An iPhone streaming ECG waves on its screen looks alarmingly like a device that should be regulated by the FDA.

The final guidance, which was released in September, noted that the agency would use discretion in regulating health apps, as while such apps do essentially turn a smart phone into a medical device, in most cases they pose minimal risk to patients. FDA announced it would “focus its regulatory oversight on a subset of mobile medical apps that present a greater risk to patients if they do not work as intended.” In its press announcement, the agency specifically cited ECG apps as an example of an app that turns a mobile device into a high-risk, regulated medical device.

Donna-Bea Tillman, senior consultant at Biologics Consulting Group with 17 years of medical device regulatory experience at the FDA’s Center for Device and Radiological Health (CDRH) told Medical Product Outsourcing that she believes the mobile app final guidance is “one of the best guidance documents to come out of the agency in the past several years.

“It will lay to rest much of the uncertainty around not only where FDA is going with mobile apps, but where they are going with stand-alone medical device software in general,” Tillman continued. “FDA has clearly articulated a regulatory approach that focuses on apps that turn a mobile platform into a regulated device or are used as an accessory to a regulated device. One of the more important aspects of the guidance is the additional clarity FDA has provided regarding what constitutes ‘health and wellness,’ and that enforcement discretion will also apply to health and wellness apps targeted at patients with specific diseases. Additionally, FDA has reaffirmed its position that it will not regulate manufacturers of mobile platforms or owners of app marketplaces as medical device manufacturers, as long as they do not explicitly market their products for medical device purposes. This guidance will enable the industry to innovate with the expectation that FDA regulatory oversight will only be applied when necessary to protect the public health. It is truly one of the few bright spots in what is currently a very challenging regulatory climate.”

“The final guidance on mobile apps is quite helpful,” said Bruce A. MacFarlane, Ph.D., medical research scientist in the regulatory department of NAMSA, a medical research organization based in Northwood, Ohio. “It’s a significant improvement over the draft guidance. But some manufacturers will still find it difficult to categorize some medical mobile apps because many mobile app developers are inexperienced with regulation, and also because there will always be devices that fall into an area that’s difficult to categorize. FDA has categorized mobile apps into apps that will be under regulation enforced by the agency; apps where FDA will exercise enforcement discretion; and then non-medical apps. The guidance is helpful in giving a number of examples to illustrate the different categories, but we still expect many companies will need support and help in interpreting the guidance. Some companies will do well to make direct contact with FDA to get a determination. Medical mobile app developers need to be knowledgeable about FDA’s software guidances to assure they have appropriate documentation of software development and validation when they are filing 510(k)s.”

The second major decision to come out of the FDA regarding health IT this year, also in September, was its final rule on a unique device identification (UDI) system. The idea behind the system is to have a method by which every device is easily traceable, thereby allowing physicians and the FDA to better track adverse events and even to pre-empt disaster like the failure of a pacemaker. According to the FDA, the UDI system consists of two core items: a unique number assigned by the device manufacturer to the version or model of a device, called the UDI. This identifier also will include production-specific information such as the product’s lot or batch number, expiration date, and manufacturing date when that information appears on the label. The second component is a publicly searchable database administered by the FDA called the Global Unique Device Identification Database (GUDID) that will serve as a reference catalogue for every device with an identifier. The rule is careful to note that no identifying patient information will be stored in this device information center.

“The UDI final rule is going to have a real significant impact on medical device manufacturers,” said Valynda Machen, medical research manager, regulatory, at NAMSA. “We now have less than one year until Class III devices have to be compliant with the final rule, and that means they have to have the UDI information on the label of the device and all the saleable configurations. That means they have to change their date format if it’s not in compliance and they have to have all this info uploaded into the GUDID database. The majority of manufacturers haven’t started on this yet, and there’s a lot of information to be gathered and verified. They’re going to need some cross-functional teams in their organizations to pull this off, which will be critical to their success. It’s going to be really easy to underestimate the complexity of implementing UDI in their organizations.”

From a manufacturing standpoint, the practical issue of integrating the UDI into products will be of real consideration.

“I think [the rule] is a good thing, but I also see problems down the line,” said George Stone, quality engineering manager at Stratos Product Development LLC, a Seattle, Washington-based full-system product engineering and design consultancy. “That’s always the question of how an OEM would want the UDI integrated into its product. Do they want the serial number in the software or on the hardware? Some of the products we work on are products that get absorbed into larger systems, and [our clients] are going to want to know what role the identifier plays in the larger system.”

The idea James Bamford was referencing in his criticism of the overlarge Utah data collection storage facility was President Dwight D. Eisenhower’s “military industrial complex,” the likes of which, some say, has now come into existence in the United States. In an address delivered three days before he left office in 1961, Eisenhower warned against the construction of a central complex that would prove so large that it would give unwarranted power to one entity.

“In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex,” President Eisenhower said. “The potential for the disastrous rise of misplaced power exists and will persist.”
It may be a little bit alarmist to compare the centralization of health data to the United States military industrial complex, on which America spends more money than the next 10 countries on the list of largest defense spending combined. However, it does remain that the FDA is the only agency governing patient and hospital data that will inevitably all be collected and stored in this one big database, or cloud, or whatever form it ends up taking.

An Agency in Flux
Outside of the two major September guidances/rules that will have a significant effect on the medtech industry—particularly the health IT sector—in the months and years to come, the FDA did not put out a large number of guidances this year. However, in the past two to three years, the number of total guidances totaled more than 50, forcing medical device companies to fight to stay abreast of rapid-fire new rules and regulations.

“Working with FDA over the last two to three years has been quite challenging,” said Penny Northcutt, president and CEO of FDA regulatory consultant company REGSolutions LLC based in Atlanta, Ga. “There are many new guidances and the regulatory professional must be current on FDA’s latest review requirements and stay informed on how FDA interprets their need for additional testing. Additionally, the agency is changing with FDA’s senior review staff retiring, leaving behind more junior reviewers who are disposed to extreme caution and excessive conservatism. FDA is under many constraints with the mandated review clock and the new guidance containing interactive review. The junior reviewers have a team to assist in the technical areas so if their subjective matter expert is not available, they often have trouble discussing and making decisions based on industry questions and testing rationales. It is imperative that regulatory professionals produce better written 510(k) submissions that are scientific-based and contain the appropriate testing to substantiate our equivalence arguments. With FDA’s new Refuse to Accept (RTA) guidance, submissions must be contain all elements of the RTA before FDA even accepts the submission for review. This is an improvement in the review system in that 510(k)s must be complete when submitted so as not to waste FDA’s time.”

The RTA guidance was released at the close of 2012 on Dec. 31. The document, which supersedes the CDRH’s 1993 premarket notification (510(k)) RTA policy and the 1994 blue book memo on 510(k) RTA procedures, explains the procedures and criteria the FDA intends to use from now on in assessing whether a 510(k) submission meets a minimum threshold of acceptability and should be accepted for substantive review. The guidance is intended to focus the agency’s resources more efficiently only on submissions that are complete and ready for review instead of wasting time on submissions that are less crucial components and need help from agency staffers to complete. The document is one part of the FDA’s effort, in accordance with the enactment of the Medical Device User Fee Amendments of 2012 (MDUFA III), to shorten review times and become more efficient.

“The FDA has responded [to the need for efficiency] by saying, we heard you, we have spent money on educating our reviewers, and we’ve also developed what we believe is a more expeditious 90-day review process,” said Stratos’ Stone. “But what that means for  the industry is that the FDA is not going to hold your hand anymore. If you miss something in your submission, they’re going to say you forgot this, we’re sending it back and your 90-day cycle starts over again so we can focus on someone who submitted everything they were supposed to.”

Barbara Atzenhoefer Stegmeier, NAMSA’s medical research manager, regulatory, called the RTA check list “the biggest thing to come out of the FDA” of late.

They’re trying to systematize things more in their attempt to try and make a clearer path to acceptance,” Atzenhoefer Stegmeier said. “I’m not sure if they’re completely succeeding, but I think they’re making an effort.”

Device manufacturers also have noticed the effects of the FDA hiring more staff. On paper, the idea is to increase efficiency; on the ground, medtech professionals are taking note of the influx of greener staff, e.g. newer auditors entering their facilities.

“Last year we hosted three separate audits from the FDA, which is rare,” recalled Lillian Erickson, regulatory specialist at Nelson Laboraties, a Salt Lake City, Utah-based microbiology testing services company. “I think they were training new people.”

Erickson noted that the audits would consist of one FDA veteran and one new hire, demonstrating that the agency was making good on its MDUFA-led promise of hiring new staff and training them quickly.

The regulatory experts over at NAMSA have taken note of a particular kind of staffer the FDA is going after.

“There are many more novice reviewers coming out of academia,” said Atzenhoefer Stegmeier. “You can tell some of the questions we get are coming from researchers. We hear through our OEM clients that the types of questions that are being asked [of devices in review] are not necessarily getting to the bottom of substantial equivalence. The questions being asked are more science- and research-focused. When you try to get them back on subject in regards to substantial equivalent discussion, they have a hard time pulling themselves back. There’s hesitancy.”

Added Angela Mallory, medical research manager, regulatory, at NAMSA: “You can tell these new staff are rooted in academics and research because they want to understand the devices. They’ll ask a lot of questions about clinical utility. While it’s OK that they want to understand that, that’s not part of their job. They can’t require that we demonstrate the clinical utility of the device. That’s not part of their wheelhouse.”

Perhaps it is a little soon to expect to see the effects of the RTA already, but long-standing feelings of frustration with the FDA’s lengthy review times are still prevalent in the medical device manufacturing industry. When asked about the unfortunate temporary closure of the FDA during the government shutdown, Nelson Labs’ Erickson said, “Any company that already had anything in review probably won’t see an effect as it already takes six to 12 months to get a review back from the FDA.”

On Oct. 1 this year, the U.S. government shut down operations after Congress failed to enact legislation appropriating funds for fiscal year 2014, or a continuing resolution for the interim authorization of appropriations for fiscal year 2014. Regular government operations resumed Oct. 17 after an interim appropriations bill was signed into law. During the shutdown, agencies across the board that are government-funded were forced to shut down operations, including the FDA. Minimal staff were kept working—such as tech support—but the agency was essentially non-functioning.

“The recent government shutdown was unfortunate for all those involved,” commented Steven Niedelman, lead quality systems and compliance consultant at King & Spalding, LLP, and former deputy associate commissioner for regulatory affairs and chief operating officer of the office of regulatory affairs at the FDA. “It was not the fault of FDA, and they did take steps to make sure essential employees were available to address emergent situations, and assure protection of the public health. They continued to review new product applications that were already funded with user fees—and assured regulatory requirements were complied with. That being said, it also presented challenges to industry to be able to communicate and obtain guidance from the agency, have their imports cleared, inspections closed, and recalls (other than Class I) processed. It presented a significant inconvenience for all—though not attributable to the FDA itself.”

Only two weeks of down time certainly did not have a major effect, per se, on the medical device industry as a whole. However, if those two weeks came at a crucial time for a company, whether an OEM or a CMO, the effect certainly was felt. Nelson Labs was in the midst of attaining its annual FDA registration—any company involved in the production and distribution of medical devices intended for commercial distribution in the United States is required to register annually with the FDA as well as pay a registration fee.

Every year, Nelson Labs has to complete 1) a device registration and listing; 2) a drug site establishment registration; and 3) a GDUFA (Generic Drug User Fee Agreement) self-identification. Missing the deadline for registration can result in a warning letter and possible fines.

“It was kind of bad timing for us,” said Nelson Labs’ Erickson. “If we don’t register on deadline, we could get a warning letter—in fact the FDA just issued a warning letter to a company for not self identifying. The pressure was on, and it required us to set up a whole new user account because our previous director of regulatory affairs had left. Working with the FDA was a six-month experience just to get this account working because the FDA has so many hoops you have to jump through. We finally got it to where it was just about working and we just needed a few approvals, and then the government shut down. We went past due on one of our three different certifications through no fault of our own. The FDA technical staff were still in and still trying to help. Everything was ready and all they needed to do was process our payment, but they physically couldn’t take our money at that point.”