As the frequent readers of Devine Guidance are well aware, the doctor will never abnegate (look-it-up) his sense of humor while providing insight into an often boring topic, regulatory compliance. That being said, this week’s guidance will be brief as Article 19 is a two-sentence, one-paragraph Article, eloquent in its simplicity. Enjoy.
The IVDD – 98/79/EC
Article 19 – Confidentiality
Without prejudice to national law and practice on medical secrecy, Member States shall ensure that all the parties involved in the application of this Directive are bound to observe confidentiality with regard to information obtained in carrying out their tasks. This does not affect the obligations of Member States and notified bodies with regard to mutual information and the dissemination of warnings, nor the obligations of the persons concerned to provide information under criminal law.
What IVDD medical device manufacturers need to know
For device manufacturers, the proverbial buck does stop with you. What Dr. D? Device manufacturers are responsible for protecting their IP and ensuring that confidential and proprietary information such as design, manufacturing processes, chemical formulations, etc. are clearly identified as such when making submissions to their notified bodies. Remember “don’t ask, don’t tell?” When dealing with medical devices, the “don’t tell” piece is extremely important. As part of the application process, the device manufacturer must state and identify any and all information categorized as confidential. In fact, the technical file, design dossier, test reports, verification and validation activities, design, etc. should all be treated as confidential. Granted, the notified bodies will need these items to properly assess a device’s fitness for its intended use and compliance with essential requirements; however, a signed non-disclosure agreement (NDA) should cove the handling of confidential information. Experienced notified bodies such as TUV-SUD America will insist on having a signed contract and NDA in place prior to commencing with a business relationship.
As for the Competent Authorities, they are bound by the confidentiality requirements delineated within Article 19. However, there are pieces of information that are not covered by Article 19. For example, product warnings, vigilance reports, certificates, recalls (sorry – market withdraws), and other relevant data needed to ensure the health and safety of the public are not protected under Article 19 of the IVDD. Ship product into the EU that hurts people, and eventually all 27-Member States will know about the bad devices. Have a certificate suspended or withheld, once again, all 27-Member States will know about it. Can you say EUDAMED?
What IVDD medical device manufacturers need to do
It all starts with the contract and the NDA. Not unlike a marital prenuptial agreement, device manufacturers must have signed contracts and NDAs on file with their notified bodies and EU authorized representatives. Now granted, these are only pieces of paper; however, they are extremely important pieces of paper once confidentiality has been breached. Can you say the pursuit of legal action to remedy the breach? Ouch. As Dr. D stated in the previous paragraph, there are specific pieces of information Member States are required to release and share that are not covered by any confidentiality clause. If an IVDD has been determined to be ineffective or places the health and safety of the general public at risk, this information needs to be conveyed to all interested parties. The same holds true for product certification issues and other violations of the Directive. Device manufacturers that wrongly affix a CE Mark, fail to obtain device approval, or have other regulatory issues will soon be out of the EU market; and make no mistake, the information leading up to the regulatory action will be shared.
For this edition of DG there are three important takeaways.
- Make sure a signed contract and NDA are in place with the notified bodies and EU authorized representatives.
- Make sure all confidential information is properly labeled as such, i.e., device design information, special processes, manufacturing processes, special formulations, etc.
- All information cannot categorized as confidential under Article 19. Information pertaining to device safety and efficacy issues, certification data, and vigilance reporting are examples of some types of information that will be shared amongst Member States, when deemed appropriate. When in doubt, device manufacturers should always design, develop, and obtain regulatory approvals for IVDDs that can be categorized as safe and effective.
Until the next installment of DG, when Dr. D provides insight and guidance into complying with Article 20 (Cooperation between Member States) of the In Vitro Diagnostic Medical Device Directive, a.k.a., IVDD – cheers from Dr. D and best wishes for continued professional success.