Six months ago, Jerry’s cardiologist recommended a new product designed to save people at serious risk of ASCVD from events like heart attacks and strokes. The new product monitors for signs and symptoms of major ASCVD events and is capable of treating these events on an emergency basis. Three months ago, Jerry was implanted with the device (called BoltMed), a cutting-edge combination medical product approved as both a medical device and a pharmaceutical product. A cardiologist’s dream, this device has real-time monitoring capability (heart rate and heart rhythm), includes artificial intelligence (AI) technology that captures and analyzes Jerry’s personal data, and communicates with Jerry, his cardiologist, and emergency medical services. Even more amazingly, in emergency situations, the device can make medical decisions (just like Jerry’s physician) to deliver a defibrillating shock, dose Jerry with medication that treats cardiovascular events, or both.
In this fictional scenario, the BoltMed device detects a cardiac event through monitoring Jerry’s data, administers appropriate treatment to Jerry (shock and/or medication), and alerts emergency services (EMS) and his physician. Jerry is rushed to the hospital, and he suffers no permanent damage to his heart and lives happily to the age of 80.
How far is this from a real-world scenario? The answer is not very far. From our vantage, practicing in a global law firm that works day-in-and-day-out with small, medium, and large pharmaceutical, medical device, and biotech companies, these types of integrated products are already here in varying stages of development. Everyone in the medical field realizes future products will bring together real-time monitoring, data, connectivity at multiple levels, telemedicine and AI features, and treatment decisions that will, in certain circumstances, be made without physician intervention. But when complex products that take on so many functions are combined—often as part of collaboration and a co-promotion deal—there are a vast number of legal and regulatory considerations to be addressed.
To help companies and interested parties through this process, this article will illustrate several of the aforementioned considerations and make suggestions on how to get these products to market and, once that is accomplished, how to manage and commercialize the product so it will thrive in today’s challenging legal and regulatory climate.
1. Complex and Challenging Regulatory Scheme
The top three markets for drug and device sales worldwide are the United States, Germany, and Japan, with the U.S. responsible for over 50 percent of all revenues in the industry. So, as companies think about developing and commercializing integrated combination drug and device products, these markets should obviously be the main focus.
From a regulatory approval/market authorization standpoint, combination products like BoltMed are treated as two or possibly even three entirely separate products because they include an implanted medical device (with monitoring and defibrillation capability), complex software (with an algorithm that “thinks” and “acts”), and a drug delivered through a catheter port. Given this reality, the product sponsor may need to submit an application to more than one arm of the relevant regulatory body. In Japan, the combination product would be submitted to the Ministry of Health, Labor and Welfare (MHLW), and a determination made on a case-by-case basis whether the product will be marketed as a single drug, medical device, or regenerative medicine product. The product would not need to be submitted to MHLW as both a drug and a device. By contrast, in Europe, the European Medicines Agency (EMA) would require the proposed market authorization holder to submit the product to both its drug and device divisions, and the AI software would likely be submitted to both divisions as well.
Certainly, the software component of any device that monitors and makes diagnostic and treatment decisions will undergo heavy scrutiny if it has AI and telemedicine features. In the U.S., the Food & Drug Administration (FDA) has an office dedicated to evaluate combination products, so all such products (including those with sophisticated software) should start there for evaluation. The more complex and multi-functional the software—especially when it has monitoring, diagnostic, and interventional components, and is effectively making diagnostic and treatment decisions ahead of the patient’s treating physician—will require significant clinical evaluation. It is highly likely such a product will be approved only with a risk evaluation and mitigation strategy (REMS) for post-market assessment of safety and labeling. Among other things, AI software will need to learn the difference between a normal versus an abnormal patient presentation using some type of approved protocol for undertaking that assessment, as well as a protocol for detecting and treating a significant abnormality. These requirements pose major clinical development challenges in terms of proving safety and efficacy and a favorable risk-benefit profile of the protocols and the functionality of the software.
A reasonable strategy for gaining approval/market authorization is to break the analysis into its component parts and seek to take advantage of predicate devices, including those that have proven risk-benefit profiles. Using BoltMed as an example, defibrillators, defibrillator leads, electrocardiogram sensors, and catheters for drug delivery all have proven track records of safety and efficacy. The main challenges in proving the safety and efficacy of a new, integrated device like BoltMed will likely be around those components or drugs that are less-well-studied and/or have no predicate. In the context of our fictional case study, that would likely be the sensing mechanism, algorithm (for diagnosis, defibrillation, and drug delivery), and new branded medication (to be dispensed via the catheter port).
To reiterate, the AI aspect of any product will be subjected to heavy scrutiny and require a large amount of clinical data to prove safety and efficacy. Though the medical community agrees the use and application of AI in drug and device development and medical care is the future of the healthcare industry, AI remains a new and largely untested concept. Certainly, AI is being used or at least contemplated in many products in development before FDA, EMA, and other regulatory agencies, and those agencies are gaining increasing knowledge and experience with such products that should eventually transfer to drug and device developers and help speed their products to market. But, the bottom line is that AI is still in its early stages and presents significant risk in the eyes of the regulators so any product that seeks to incorporate it in any respect will be carefully reviewed.
2. Data Privacy and Cybersecurity
The BoltMed medical product can be paired with wearable technology that collects and monitors patient data, and the device has AI, telemedicine, and EMS-contacting features. These are all good elements, so why are we worried about data privacy issues?
The answer is we know any product that collects, stores, and transmits personal health data must comply with the latest data privacy regimes across the world, including (but not limited to) the Health Insurance Portability and Accountability Act (HIPAA), the California Medical Information Act (CMIA), the California Consumer Privacy Act (CCPA), and General Data Protection Regulation (GDPR). These privacy regimes are challenging because they are not uniform and continue to be updated and augmented on a virtually never-ending basis. The scope and complexity of worldwide data privacy laws would require a treatise all on its own. As such, the only advice offered here to any company with a product that touches personal data (especially health data): consult a qualified attorney regarding a data protection plan, comply with applicable rules and regulations, and prepare in the event something goes wrong. Simply put, data privacy regimes are here to stay and they cannot (and should not) be ignored. Nor should anyone ignore the very real risk of cybersecurity and data breach where their devices collect, store, and transmit personal data.
We all understand the need for cybersecurity in our work and personal lives, and with connected, multi-functional combination products, the need is even greater. Here is the reality: Any company that is developing and selling a connected product needs to make cybersecurity a major focus of its business. Such companies need to spend the money to develop a robust defense against hacking and need to be realistic that, even if they do so, they will eventually get hacked. Companies need a plan for dealing with the inevitable because, even using the best and most up-to-date software, it is only a matter of time before an intrusion or breach happens; even the NSA has been hacked and it obviously has world-class programmers and security. Thus, firewalls, alarms, and anti-hacking systems should be put in place to fend off attacks and the company should have a plan in place to deal with attempted intrusions to demonstrate best practices. Mock attacks should be run and practiced once a month or once every two months, and everyone in the company must know how to react and what his/her role is in the event of an attack or breach. The company also needs to be able to investigate attempts/intrusions in real-time and, to the extent it concludes a breach has occurred, have a state-of-the-art response plan in place and follow that plan to inform consumers and regulators.
The risk to patients (and companies) is all the more real when a product is a potential life-saving integrated combination device. What if hackers find their way into the product or a server and change the settings or disarm the device? Patients could be medically compromised or otherwise left unprotected. If this should happen, a company may find itself before a U.S. jury having to explain what it did (or did not do) to prevent hacking and/or how it set up its systems to protect patients from harm. That company better have a good story to tell and it should include, at the very least, “We put patient safety first and we planned for and tried our best to stop this from happening.” The only way to be able to say those things is to ensure the appropriate protective systems and plans are in place and operative, well in advance of any attack, and to try to stay up-to-date from a technological and readiness standpoint.
3. My Product Actually Made It to Market—Now What?
Company X made it to the market after spending hundreds of millions of dollars in development. It has an approved indication for a combination product and an approved label and/or instructions for use. Now what? Company X has to get out there and start talking to physicians about the product. But how does it do that? Company X must recruit and train an ethical sales force that will have direct contact with healthcare providers and promote its product for the approved indications, using approved messaging [materials approved by its compliance team and the respective regulator(s)], and detail the product while maintaining a fair balance in terms of describing the risks and benefits of the product. These things sound simple but, in the real world, when face-to-face with physicians, they are often difficult to get right.
For example, if a sales representative is in the operating room helping identify medical instruments for a surgeon and the surgeon asks the sales representative how another surgeon uses the product to perform an unapproved or off-label procedure, what should the representative say? This, of course, happens all the time; it is a very awkward position for the sales representative to find oneself in, and it has potentially serious consequences for the company. Almost half of the major civil litigations and government enforcement actions brought over the past 20 years have had to do with off-label promotion claims and those claims have resulted in the recovery of billions of dollars in settlements, judgments, and penalties against healthcare companies.
Other scenarios that vex sales representatives are, for example, where a physician asks the sales representative to bring expensive lunches in for his/her staff on a weekly basis or asks the representative to obtain an expensive “gift,” like concert tickets. What can and should the sales representative do under these circumstances? The answer is to comply with federal law and company policies and procedures for proper interactions with healthcare providers. But, for these people on the front lines (engaging day-in-and-day-out with physicians), there are countless scenarios everyday where they must make judgment calls on the fly as to what falls within the regulatory requirements for interactions with physicians and their own company’s accepted practices. It is a tough situation because they absolutely have to get it right, while under pressure from a physician with whom they are trying to establish a meaningful connection. And, the reason they have to get it right is because their conduct and interactions with physicians is under scrutiny and has serious repercussions for the company. As previously noted, this conduct and these interactions are frequently the basis for regulatory enforcement actions by FDA, EMA, or others. They can form the basis of civil or criminal actions based on the federal False Claims Act or lawsuits based on off-label promotion or other improper advertising/promotion. The consequences can be more than just substantial money damages and penalties: Such conduct can result in suspension or the loss of approval/market authorization to sell the drug/device and criminal penalties. Training and proctoring sales representatives is absolutely mission critical. These personnel will drive sales but they can also drive you out of business. Sales representatives need to be more than just an attractive face or personality. They need to be the driving force helping get across the profile and indications for the company’s product while accurately conveying the risk and benefit information for the product.
In short, a company needs to make clear patient safety is its top priority, followed closely by the goal of accurately and fairly conveying the risk and benefit profile of its product. Not only is this the right thing to do from an ethical standpoint, regulators and the plaintiffs’ bar will be watching products and conduct to ensure companies are about safety first.
4. The Pharmacovigilance System
Because most products come onto the market with clinical evidence from only a few thousand patients, new and important safety and labeling data often emerge once the product is on the market and in wider use. As previously noted, complex, integrated products like BoltMed would almost certainly be approved with some type of REMS program for postmarket monitoring. The company would be expected to collect and analyze the product’s safety data and report trends or concerns to FDA and/or EMA, as required by the REMS. Of course, even for products approved without a REMS, a pharmacovigilance system must be in place that tracks expected and unexpected adverse events and identifies new events or patterns of events not previously recognized. Signal detection tools are available and highly recommended to assist with this pharmacovigilance process. All potential signals should be reviewed and assessed, and a careful record made as to how and why the company reacted as it did to the potential signal.
Based on many decades of experience in litigation over emerging adverse events, companies should be more willing to proactively address data showing adverse events and to add such events to their labels/disclosures. Most of the largest pharmaceutical or medical device products liability litigations filed over the past two decades have resulted from newly discovered adverse events that never made it to the product labeling. The legal theory is the company failed to warn of the new risk and thus, the patient in consult with the physician was not able to make an informed decision about using the drug or device. But, it goes without saying there is no failure to warn when a company adds the event to its labeling. Although the major battle in such a civil litigation is almost always over how the label lists the risk at issue, based on taking the depositions of thousands of treating physicians and their patients, very few actually read the product’s label. In other words, though drug and device companies may fret over adding an event to the label, it is rare to hear of a regulator or physician that disapproved of this approach, and there is probably little risk that adding a new event to the label will change the physician’s prescribing behavior or a consumer’s purchasing decision. On the other hand, the failure to do so could lead to substantial civil liability, receipt of a warning letter, and/or significant brand damage.
The emphasis in this context should be on making good products and delivering them safely to physicians and consumers with full transparency. If the focus remains on these issues, and assuming the product works well and has significant utility, the commercial piece will fall into place and the legal and regulatory risks will be well-contained.
[Author’s Note: The authors thank and acknowledge contributions to this article by their Baker McKenzie colleagues Els Janssen (Brussels), Takumi Hasegawa (Tokyo), and Khelin Aitken (Washington D.C.).]
Mark Goodman is a partner at Baker & McKenzie LLP. Based in San Francisco, he serves as co-chair of the firm’s North America Commercial Litigation group and is part of the North America Trial Team. Goodman has led complex multi-district litigation, handled class actions, and tried cases in state and federal courts across the U.S. for both domestic and international healthcare and life sciences clients. He regularly presents on product liability, risk mitigation, and cross-border disputes.
Barry Thompson is also a partner at Baker & McKenzie. Based in Los Angeles, he has litigated and tried complex commercial and product liability cases in state and federal courts across the country. Thompson has deep experience in cases with complex medical and scientific issues. As such, his practice focus has been on products liability, commercial, as well as litigation and risk management counseling. He is a member of the Firm’s National Trial Team and the Litigation Chair for Baker’s California Offices.