Last week, the U.S. Food and Drug Administration (FDA) released a draft guidance entitled “Dissemination of Patient-Specific Information from Devices by Device Manufacturers,” which is intended to “clarify that manufacturers may share patient-specific information recorded, stored, processed, retrieved, and/or derived from a medical device with the patient who is either treated or diagnosed with that specific device.” Such sharing, the FDA believes, “will empower patients to be more engaged with their healthcare providers in making sound medical decisions.”
The draft guidance is timely. Individuals are increasingly using wearable mobile technologies (e.g., trackers, fitness watches, etc.), as well as mobile medical applications and related health software. Many wearable technology manufacturers are facing increased scrutiny and litigation about the reliability of their products’ assessments (e.g., sleep or exercise trackers). And there is considerable concern about the security of patient-specific information on such devices.
The draft guidance defines “patient-specific information” to mean “any information unique to an individual patient or unique to that patient’s treatment or diagnosis that, consistent with the intended use of a medical device, may be recorded, stored, processed, retrieved, and/or derived from that medical device.” Such information may include, but is not limited to:
- recorded patient data;
- device usage/output statistics;
- healthcare provider inputs;
- incidence of alarms; and/or
- records of device malfunctions or failures.
FDA outlined two categories of patient-specific information: (1) data a healthcare provider (HCP) inputs to record the status and ongoing treatment of an individual patient; or (2) information stored by the device to record usage, alarms, or outputs (e.g., pulse oximetry data, heart electrical activity, and rhythms as monitored by a pacemaker). (“Patient-specific information” does not, however, include “any interpretations of data aside from those interpretations of data normally reported by the device to the patient or the patient’s healthcare provider.” ) The agency emphasized that the sharing of patient-specific information may “be used to facilitate continuity of care, to create an adequate patient treatment history and current treatment profile, and to record information relating to medical device functionality.”
The draft guidance establishes that medical device manufacturers “may share patient-specific information (recorded, stored, processed, retrieved, and/or derived from a legally marketed medical device, consistent with the intended use of that medical device) with patients at the patient’s request, without obtaining additional premarket review before doing so.” FDA clarified, however, that any labeling (as defined under section 201(m) of the Federal Food, Drug and Cosmetic Act (FDCA)), that is provided to the patient by the manufacturer is subject to applicable requirements in the FDCA and FDA regulations.
The draft guidance outlines several “considerations” that device manufacturers should take into account when sharing patient-specific information to “help to ensure it is useable by patients and to avoid the disclosure of confusing or unclear information that could be misinterpreted.” These include considerations about: (1) the content of information provided; (2) the context in which patient information from medical devices should be understood; and (3) the need for access to additional, follow-up information from the manufacturer or a HCP.
Regarding content, FDA explains that patient-specific information derived from a medical device that can be shared “may include any information from the device that is pertinent to that specific patient.” The draft guidance notes that when sharing information, manufacturers should take into consideration “the characteristics of the intended audience that may affect interpretability.” Depending on the type and scope of information being shared, manufacturers may choose to provide supplementary instructions, materials or references to aid patient understanding, which would be subject to FDA regulation if it meets the definition of “labeling.” The draft guidance also recommends that patient-specific information provided to patients be “comprehensive and contemporary” (e.g., data regarding blood pressure includes all available data up through the most recent measurement).
FDA further notes that providing patients with relevant context is important to avoid misinterpretations that could lead to incorrect or invalid conclusions (e.g., patient health decisions). For example, the agency noted that it may be useful to provide a patient with how a physiological parameter was measured and recorded by the medical device. Or, if information is provided regarding the activity of a regulated medical device (e.g., pacemaker), the manufacturer could provide information about how an electrical impulse is delivered by the device. As a result, FDA recommends that manufactures assess what contextual information to provide, including whom to contact for follow-up information (e.g., safety or medical affairs department); at a minimum, companies should tell patients to contact their HCPs if they have questions.
Although the draft guidance, even when (if) finalized, will not be legally binding, it signals the importance for medical device manufacturers and related stakeholders to assess whether current policies, procedures, systems and processes are adequate to address FDA’s concerns and recommendations. It will be particularly important for manufactures to analyze current promotional or marketing material review processes to identify when certain information-sharing activities may constitute “labeling,” and therefore, need additional legal/medical/regulatory review before being externally disseminated.
Given the potential FDA-regulatory, privacy, and cybersecurity issues associated with sharing patient-specific information, it will be critical for manufacturers to have robust mechanisms in place to mitigate risks associated with this kind of information-sharing.