Expanding Patient Access: FDA’s Draft Guidance for Medical Device Manufacturers
A patient with an implantable wireless medical device needs access to the data the device collects. Ordinarily, she would get this information from her doctor: when the device collects data and sends it to the manufacturer, it is the doctor who can log on to the manufacturer’s website to obtain it. The patient, however, can no longer afford deductibles or co-pays, and has been forced to drastically cut back on doctor visits. She contacts the manufacturer directly to obtain this data – and is told the manufacturer can only disclose it to her doctor. The manufacturer cannot, it explains, provide the information directly to her without first obtaining regulatory approval, which it has not done because of low patient demand for this information.
What Do Patients Want?
Far from a hypothetical situation, this was a real-world quandary reported by the Wall Street Journal
in its November 2012 article, "Heart Gadgets Test Privacy-Law Limits
While an implantable defibrillator can hardly be characterized as a "gadget," the article details the true-life dilemma faced by a patient and the manufacturer of her medical device, Medtronic, Inc. ("Medtronic"). On one hand, such a patient needs access to this type of medical data: it is about her
, it is vitally important to her ongoing health and health care, and she cannot easily obtain it through the "traditional route" of her physician. On the other, a medical device manufacturer (MDM) in Medtronic’s position faces a compelling set of concerns about providing complex medical data directly to a patient without a learned physician intermediary to help the patient understand it. She may misunderstand or misinterpret the data, or try consulting "Dr. Google," with dangerous or even fatal results. And what of the MDM’s regulatory responsibilities: when does providing information cross the line to unapproved labeling
, with attendant consequences? How can the MDM fulfill the patient’s request with enough data to be useful, but not so much as to be construed as practicing medicine or otherwise rendering medical device? Should the Guidance address the learned intermediary doctrine?
What is FDA’s Solution?
As the Internet of Things and related technology reaches further and further into health care, patients and providers increasingly turn to wearables, remote monitoring devices, wireless implantable devices, and Internet applications, among other medical technology, to improve health outcomes. As a result, MDMs have access to more patient-specific data than ever before. No U.S. Food and Drug Administration ("FDA") regulation requires MDMs to share this data directly with device patients, and MDMs have many legitimate reasons to be leery of doing so. But with both the U.S. Department of Health & Human Services ("HHS") and FDA recognizing that patients should be active participants in their own health care, how can device manufacturers balance empowering device patients, and managing their own liability risks?
In June 2016, FDA took the first steps toward addressing this issue when it published draft guidance entitled Dissemination of Patient-Specific Information from Devices by Device Manufacturers
("Guidance"), ostensibly to "facilitate the appropriate and responsible dissemination of patient-specific information" from medical devices. The Guidance is part of HHS’s push toward expanding patients’ access to their own health information. HHS envisions transforming the health care system so it "puts patients in the center of their care to keep them healthy." To achieve this goal, HHS proposes a strategy to "[s]hare health information so that providers are better informed and consumers are empowered to be active participants in their care."
The Guidance adopts this theme and demonstrates FDA’s commitment to patient access:
FDA believes that providing patients with access to accurate, useable information about their healthcare when they request it (including the medical products they use and patient-specific information these products generate) will empower patients to be more engaged with their healthcare providers in making sound medical decisions.
(Guidance, p. 4)
It is hard to argue with a strategy that empowers patients to be educated and active consumers of health care. To that end, the principle underlying the Guidance seems simple, and even intuitive: MDMs "may share patient-specific information
… with patients at the patient’s request, without obtaining additional premarket review before doing so" (emphasis added). Patient-specific information is "any information unique to an individual patient or unique to that patient’s treatment or diagnosis that, consistent with the intended use of the medical device, may be recorded, stored, processed, retrieved, and/or derived from that medical device." Patient-specific information generally falls into two categories: (1) information a health care provider inputs to record a patient’s status and ongoing treatment, and (2) information the device stores to record usage, alarms, or outputs. Patient-specific information does not
include interpretations of data apart from those the device normally provides.
As straightforward as it may seem, the brief (6-page) Guidance raises more questions than it answers, and sparks more liability concerns than it resolves. Layered within the Guidance are several important, but largely unaddressed, caveats:
MDMs must take care that dissemination of patient-specific information does not rise to the level of "labeling," which does require additional premarket review and approval.
Merely providing accurate raw data is almost certainly not sufficient. To ensure patient-specific information is useful and interpretable, MDMs must also consider content and context. This may require providing additional information, while not crossing the line into labeling or – presumably – providing medical care or treatment advice.
To ensure the content of their patient-specific communications is accurate and interpretable, FDA "recommends" that MDMs take "appropriate measures" to (1) consider the "characteristics of the intended audience that may affect interpretability;" and/or (2) provide "supplementary instructions, materials or references to aid patient understanding." For example, "if a patient requests a history of his own blood pressure measurements from a device, the data should include all available data up through the most recent measurement." Attention to content also requires that the patient-specific information be "comprehensive and contemporary."
It "may" also be appropriate for MDMs to include additional relevant information to ensure the context of their communications is such that information is not "misinterpreted, thus leading to incorrect or invalid conclusions." For example, "if information is being provided regarding the activity of a pacemaker, information regarding the circumstances under which an electrical impulse is delivered by the device may provide helpful context." Context may also require MDMs to consider whether to include information about whom to contact for follow-up. "[A]t a minimum," FDA recommends that MDMs advise patients to contact their health care providers for follow-up on patient-specific information. MDMs "may also wish to provide" their own contact information "to answer questions from patients about the device at issue."
While the Guidance uses "may" and "should" language, the implication is clear: MDMs cannot in all cases simply respond to requests for patient-specific information by providing raw data. Instead, they must also provide (undefined) additional data after assessing (undefined) patient characteristics to ensure that neither the content nor the context of their communications is subject to misinterpretation. This must be accomplished without adding new "labeling" absent additional premarket review, and without undercutting the learned intermediary doctrine.
What Changes are Needed?
While the Guidance is by its very language nonbinding and "do[es] not establish legally enforceable responsibilities," in real-world practice it may be touted as a standard for MDMs’ conduct if a user is injured by acting on the patient-specific information an MDM provides in response to a request. The Catch-22 is all too obvious: You may risk liability if you provide too little information ("if you had provided a range of normal values, I would have known this value was out of range"), too much information (did you merely data dump? are you communicating medical treatment or diagnosis within the realm of practicing medicine?), or no information at all ("the MDM knew I didn’t have this information, and if I had, I could have …."). You may also risk loss of good will among patients if you do not provide timely information in response to their requests, as well as among your customers – physicians – if you are perceived as undermining the patient/physician relationship. While the Guidance embraces the worthy principles of education and empowerment, it does not provide necessary protection for MDMs.
And what of device patients, who have varying degrees of education, device and disease state knowledge, and access to health care? For example, the Wall Street Journal authors interviewed a patient with an implanted defibrillator. While the patient had not lost his health insurance, he had a high out-of-pocket payment for cardiologist visits, and reported feeling he was "being coerced into paying to get information [he] should have [himself]." As a result, the patient was interested – and highly motivated – to educate himself about his device and be able to analyze its outputs. In fact, he was so interested he kept detailed spreadsheets of data obtained from his doctor, and took a two-week, $2,000 class that trained technicians on reading the device reports. While at first blush this is evidence of admirable initiative, it also strongly pings the liability radar of an MDM that may not know about the course, approve of its content, or be in a position to evaluate whether it is appropriate for a patient to use the information for self-diagnosis. The patient may, in fact, become dangerously overconfident of his ability to perform medically-complex self-care. By not requiring the patient to confirm ongoing and contemporaneous medical treatment, the Guidance creates a situation in which an MDM must choose between refusing to satisfy a request for data, or potentially providing a well-meaning but non-medically trained patient just enough information to be dangerous.
If the Agency expects MDMs to assume a responsibility that typically (and expectedly) falls on the medical community, it should protect MDMs from anticipated pitfalls:
1. Should the Guidance address the "labeling" issue with more than an admonishment that dissemination cannot equal labeling? In its existing form, the Guidance says no more than "any labeling, as that term is defined in section 201(m) of the FD&C Act, that is provided to the patient by the manufacturer is subject to applicable requirements in the FD&C Act and FDA regulations." In other words, provide as much information as needed to ensure the content and context is interpretable and not misleading, but not so much that the MDM has "labeled" without premarket review. The Guidance should provide guardrails to help MDMs go far enough, without going too far.
As referenced in the Guidance, section 201(m) of the FD&C Act defines labeling to include all labels and other written, printed, or graphic matter (1) upon any article or any of its containers or wrappers, or (2) accompanying such article. General labeling requirements for medical devices are described in 21 CFR Pt. 801. Medical device patient labeling includes any information associated with a device targeted to the patient or lay caregiver. It may accompany devices intended solely for physicians to operate, devices for both physicians and patients/lay caregivers to operate, and devices operated solely by patients/lay caregivers. Patient labeling is intended to help assure safe and effective use of the device.
The Guidance should make clear that any additional content/contextual information the MDM provides that does not
address use of the device itself is not "labeling."
2. Should the Guidance protect MDMs who provide "supplementary instructions, materials or references to aid patient understanding
?" The Guidance makes clear that MDMs "may" choose to provide information in addition to raw data to ensure their communications are useable and not subject to misinterpretation, but apparently leaves the scope of this decision to an MDM’s sole discretion. It is easy to imagine the burdens this may impose on MDMs to evaluate whether the data they provide to patients is helpful or harmful to their health. If litigation ensues, the plaintiff may request documents, data, and testimony from the MDM about how the decision to provide this
, but not that
, supplemental information was made, who made it, why, how, and what alternatives were considered. Testimony will be required to support the decision, and to refute the plaintiff’s allegations that the MDM should have made a different decision. This adds not only an additional layer of potential liability, but also significant potential expense, to the litigation landscape.
3. Should the Guidance address what "characteristics of the intended audience" the MDM must consider, and how the MDM should go about collecting that information
? The Guidance "recommends" that MDMs account for "characteristics of the intended audience" in determining the content of their communications of patient-specific information. The Guidance does nothing to clarify what information the MDM should consider, what should trigger the consideration, and how the MDM should seek and obtain that information. For example, should the MDM require a recommendation from the treating physician before responding to the patient’s request? Should an MDM proactively
seek information from every patient who requests data – such as educational level, physical or intellectual limitations that may require accommodation, access to specialists who can aid in interpretation, and plans to seek that aid? Or does "characteristics of the intended audience" refer to a more generic understanding of patient demographics? There is clear liability potential if the Guidance is touted as "evidence" that an MDM should have evaluated the patient before providing information that, ultimately, the patient was unable to meaningfully use.
4. Should the Guidance clarify the term "comprehensive and contemporary
?" "Generally," patient-specific information must be "comprehensive and contemporary." Again, this is a broad admonishment and presents a potential liability risk, but has no guardrails for MDMs’ protection. Does "comprehensive" information mean all available data? If the patient is a long term user, must the MDM provide all historical data with each request? Would a plaintiff attorney cast providing everything as an unusable, incomprehensible data dump? If the MDM is expected to exercise discretion in responding to a patient’s request, it must be protected from allegations that it provided too much, or too little.
5. Should the Guidance clarify appropriate contextual information
? FDA notes that it "may be appropriate" for MDMs to provide more than raw data to ensure that patients do not misinterpret the information, or reach "incorrect or invalid conclusions." Context
is, perhaps, the area most fraught with liability pitfalls, as it potentially impacts both patient and regulatory actions against the MDM. For example, FDA suggests that an MDM may respond to a request for patient-specific information with "information regarding how [a] parameter was measured and recorded by the medical device." How technical or helpful is this? Should the MDM flag abnormal values? Can the MDM require the patient to agree that the MDM will copy a treating physician on all communications? Who is responsible if this results in the physician issuing a bill? To the extent this information affects a patient’s risk/benefit analysis, is it labeling
that requires additional premarket review? Does the MDM have an affirmative obligation to question the requester about her access to and plans to consult a health care intermediary, and perform a calculus of how likely it is – given that access or lack thereof – that the patient will reach an incorrect or invalid conclusion?
The MDM will certainly want to ensure that the information they provide cannot be characterized as medical advice. FDA should consider partnering with physician groups or associations to create and publish (in conjunction with other HHS entities such as the Centers for Disease Control and Prevention) "tutorials" on various devices that fall within a class of products that collect and store patient-specific information, and/or disease-state "tutorials" for the conditions that such devices treat. The Guidance should then affirmatively protect MDMs who require patients to watch and confirm their understanding of the appropriate tutorials before the MDM provides patient-specific information.
Should the Guidance also permit MDMs to obtain a liability waiver if the patient obtains a physician’s approval to receive a defined set of patient-specific information directly from the MDM? The physician is in the best position to assess the patient’s ability to understand the information, as well as the patient’s access to and willingness to seek appropriate health care from a provider capable of explaining the patient-specific information and any contextual or supplementary information provided.
6. Should the Guidance address the issue of patient disclaimers
? While the construction and enforceability will vary, an MDM could benefit from a State-compliant patient waiver disclaiming a provider/patient relationship, acknowledging the MDM’s communications are not medical advice or a substitute for medical care, and relieving the MDM of liability for injuries that may result if the patient does not follow up appropriate with his or her health care professional.
7. Should the Guidance clarify appropriate follow-up by the MDM
? MDMs "may wish to" provide their own contact information to answer follow-up questions from patients to whom they have provided patient-specific information. While almost all MDMs have some sort of hotline available to respond to patient requests, different liability concerns arise when the questions may result from additional – but non-FDA-reviewed – information the MDM has provided in response to a patient request. Again, the MDM does not want to be in the position of fielding communications from patients that should, in fact, be addressed to health care providers.
8. Should the Guidance clarify that MDMs are not "practicing medicine" if they provide information compliant with necessary Guidance revisions
? As the above examples make clear, there is a very real risk that device patients – for financial or other reasons – may seek patient-specific information from MDMs as a substitute for
medical care. Complicating this situation is the fact that "practicing medicine" may have different meanings, and different criteria, under various States’ laws (which may be further complicated if the patient and the MDM are citizens of different States). As with No. 6, above, the Guidance should address a State-compliant patient waiver disclaiming a provider/patient relationship, and acknowledging the patient’s understanding that the MDM’s communications are not medical advice or a substitute for medical care.
9. The Guidance must address the learned intermediary defense
. Under the learned intermediary doctrine, the prescribing doctor serves as a "learned intermediary" between the manufacturer and the patient, and owes the patient a duty of care to warn of potential risks.
Most states have adopted the doctrine as an exception to a manufacturer’s general duty to warn patients of their products’ dangerous propensities.
Generally, a manufacturer has no duty to assist the learned intermediary in warning of inherent risks.
However, when a manufacturer voluntarily communicates directly with a patient, the courts must construe whether the information merely aids the physician in communicating with the patient, or whether it goes so far as to constitute a voluntary undertaking to warn (thus undercutting, if not abrogating, the learned intermediary doctrine).
The Guidance should make clear that the MDM’s provision of defined patient-specific information is intended to assist the physician in assessing risks and benefits, and is not the manufacturer’s voluntary assumption of a duty to warn.
Public Comments on Guidance
FDA invited public comment on the draft Guidance through August 9, 2016. FDA received comments from patient advocacy groups and an individual, industry, and an industry consulting firm. The comments are available at the Guidance’s regulations.gov docket (Federal Register No. 2016-13787).
Patient groups generally supported the guidance, but wanted more detailed guidance on how device makers can avoid disseminating "confusing or unclear information" to patients. One group observed that summarizing data could result in key data being omitted, while providing "comprehensive" data could overwhelm consumers and prove useless. The Guidance should also specify that information be disseminated in an easy-to-understand manner, taking adult health literacy rates into account. This sector also requested clarification of HIPAA-related issues, such as whether and when MDMs are considered HIPAA "business associates," and the circumstances under which MDMs can share patient-specific information with health care providers without the patient's written authorization.
A patient advocacy group serving individuals and families affected by hereditary cancers urges FDA to consider a separate guidance on dissemination of patient-specific information in this area. This group in concerned with the "very real" potential for patients to misinterpret genetic data, thus influencing "possible life-altering" clinical decisions. This separate guidance should, for example, address how to determine what is "usable" genetic information: is it limited to "actionable" data, or does it include data without regard for apparent clinical utility?
One individual – not associated with an advocacy group – did not support the Guidance or any mechanism by which an MDM could disseminate information directly to patients. This individual stated that "[a]ny data released to a patient specific to their care should come from the provider. The manufacturer should not have the right to release such information direct to the patient. Release of raw data without clinical interpretation in the context of the patient’s full record is not appropriate."
Industry comments generally supported the Guidance's goal of patient empowerment, but focused on several specific concerns. One association representing MDMs asked FDA to emphasize that patient-provider communication is the "primary means" for providing patient-specific information, and to clarify that an MDM may choose to respond to a patient's request by providing information to a health care provider rather than directly to the patient. Further, because it can be "difficult and burdensome" to reconfigure and restate information designed for a health care provider or for the manufacturer itself, the association also asked FDA to recognized that the Guidance's context and content provisions are not requirements, but rather suggestions, to be "implemented when feasible."
Industry also expressed concern that the Guidance will force MDMs into a learned intermediary or even a clinical role. This occurs generally when the Guidance advises MDMs to share patient data in a "usable," "interpretable" manner with "relevant context" and supplementary information. It also occurs to the extent the Guidance required MDMs to ensure patients understand data generated by medical devices intended for a health care provider audience. To this end, the Guidance should be limited to devices intended for patient self-diagnosis or disease monitoring. However, even within that group of devices, the Guidance should exclude from its scope patient-specific information "intended to be seen and used by the patient" (for example, blood glucose monitor readings), and information from devices with functions that allow patients to print data to discuss with their provider at the next visit.
Another significant industry concern is the issue of premarket review. FDA should "focus" on the position that manufacturers can provide patient-specific information to patients on request without premarket review, and should clarify the types of "supplementary" information that the agency would consider labeling.
Finally, industry expressed concern for the Guidance's effect on devices already in the field. Manufacturers may not have access to patient-specific information from such devices, and the issue then becomes whether they are excepted from the Guidance's scope (the preferred outcome), or whether MDMs are given adequate time to achieve compliance.
Industry Consulting Firm Comments
The sole commenting consulting firm feels FDA could strengthen the guidance "by adding data integrity examples that represent the broad range of issues seen in recent warning letters." For example, FDA should more strictly define "patient-specific information" so that MDM responses will be more consistent. The Guidance should also provide more specific and detailed "Content" parameters for the manufacturer – such as what information is "pertinent" to a specific patient, and what information is "interpretable and useful" to the patient. FDA should also clarify "Context" parameters by specifying, for example, what information is generally valuable to a layperson patient, and how manufacturers may mitigate the risk of misinterpretation. Implementation will require manufacturers to develop and implement "extensive" training and protocols for addressing device- and information-specific questions from patients. The Guidance should also address whether language translation is required.
Pharmaceutical drug consumers and medical device patients – like all consumers of health care – should be involved and active participants in their treatment. However, the Guidance does not do enough to make clear that treatment continues to come from the patient’s physician. The Guidance should balance the worthy goal of patient empowerment with the need for a learned physician intermediary to remain central to patient care. To be successful, the Guidance must not alter or amend the primary characteristics of the provider/patient relationship, namely, the ability to accurately weigh risks and benefits associated with the device, to evaluate warnings, and to make informed, treatment-driven decisions related to the device. As it stands, the Guidance simply imparts too much risk for an uncertain benefit.
The comment period on the draft Guidance has closed, and the Guidance is undergoing finalization. FDA recommends contacting the relevant division – in this case, the Office of the Center Director ("OCD") - for the most up-to-date agency perspective. The OCD provides scientific, policy, and managerial leadership and direction to the seven offices comprising FDA’s Center for Devices and Radiologic Health.
For more information on data security practices in healthcare, contact Kimberly Metzger, or a member of Ice Miller’s Internet of Things practice group.
Marcus and Weaver, supra
 See, e.g., Millman v. Biomet Orthopedics, Inc., et al.,
No. 3:13-CV-77 RLM-CAN, 2013 WL 6498394, at *4 (N.D. Ind. 2013).
 See, e.g., Tyree et al. v. Boston Scientific Corporation
, 56 F.Supp.3d 826, 829 (S.D. W.V. 2014).
 See, e.g., Spychala v. G.D. Searle & Co.
, 705 F.Supp. 1024, 1033 (D. NJ 1988).