The U.S. Food and Drug Administration (FDA) has published final guidance for medical device developers sharing information with patients at their request.
Legally marketed medical devices gather, store, process, and transmit medical information. When patients ask for copies of the information recorded by or stored on the devices, developers may share patient-specific information with the patient that submits the request.
The FDA encourages data sharing as it can help patients be more involved with their healthcare providers. When patients give their healthcare providers data gathered by medical devices, it can help them make informed medical decisions.
While information sharing is not necessary for the Federal Food, Drug, and Cosmetic Act (FD&C Act), the FDA felt it should be a requirement to provide medical device developers with recommendations about sharing patient-specific information with patients. The guidelines are aim at helping manufacturers share information appropriately and responsibly.
The FDA explains that in many instances, patient-specific information recorded by medical devices is sent to the patient’s healthcare providers, and oftentimes the patient is able to download copies of that information from their healthcare suppliers. However, sometimes patients may send in a request to the device developer for a copy of the patient-specific information recorded by the device.
The FDA outlines that patient-specific information is information that is unique to a specific patient – or unique to the patient’s diagnosis and treatment – that has been recorded, stored, processed, or derived from a legally marketed medical device. It says: “This information may include, but is not limited to, recorded patient data, device usage/output statistics, healthcare provider inputs, incidence of alarms, and/or records of device malfunctions or failures.”
The FDA says that patient-specific information does not incorporate labelling, which is covered by the FD&C Act. Labelling covers information like descriptions of intended use, benefit and risk information, and instructions for use and the sharing of such information is subject to applicable requirements of the FD&C Act.
The FDA encourages device developers to send information with patients when copies are requested, even though data sharing is not necessary under the FD&C Act. The FDA also explains that data can be sent to patients at the patient’s request, without the need to complete an additional premarket review in advance.
Some medical devices save, store, and transmit information in a format that makes it difficult to share the data with patients, or in some cases, information is recorded in a closed system that cannot be logged onto by the device developer. The FDA knows that in such cases it may not be feasible to share data with patients.
When information sharing is possible, device developers should respond to requests promptly and data should be “comprehensive and contemporary.” Data should incorporate all information that is available, up until the point that the request is submitted.
The FDA says that its guidance does not assign any legally enforceable responsibilities, and neither does it impact any federal, state or local laws. That includes HIPAA, and specifically the HIPAA Privacy Rule, which will apply if the device developer is a business associate of a HIPAA-covered body.