Article 20 of Council Directive 93/42/EEC, a.k.a., the Medical Device Directive (MDD) delineates the requirements for “Confidentiality.” Confidentially speaking, Article 20 of the Directive is all about disclosure, or should Dr. D say, limited disclosure. So what does that mean Dr. D?
Basically, Article 20 of the Directive requires that all parties involved with executing their duties in accordance with the Directive, treat all information obtained as confidential, where applicable. However, Member States, their Competent Authorities, and the notified bodies have the right to disseminate information such as: (a) warnings; (b) registration of persons or organizations involved in the placement of devices into the EU (ref. Article 14); (c) information sent to a device manufacturer, their authorized representative, and their distributor when incidents occur (ref. Article 10); and (d) data relating to certificates.
That being said, the only significant piece of confidentiality remaining is the Intellectual Property (IP). Considering a device manufacturer is required to provide significant granularity in regards to design, development, validation testing, verification testing, and clinical trials (if applicable) to their notified body through the submission of Technical Files and Design Dossiers, there really is not much left on the proverbial table in regards to confidentiality and the dissemination of information (the doctor’s opinion).
Regardless of the opinion of Dr. D and his concerns surrounding the all-inclusive handling of confidentiality of a device manufacturer’s data, the same opinion and concerns could be formed, mutatis mutandis (look-it-up), by the notified bodies. Remember, the notified bodies work for the device manufacturers but they must answer to the Competent Authorities, from whom they receive their power.
The MDD – 93/42/EEC
Article 20 – Confidentiality
1. Without prejudice to the existing national provisions and practices on medical confidentiality, Member States shall ensure that all the Parties involved in the application of this Directive are bound to observe confidentiality with regard to all information obtained in carrying out their tasks. This does not affect the obligation of Member States and notified bodies with regard to mutual information and the dissemination of warnings, nor the obligations of the persons concerned to provide information under criminal law.
2. The following information shall not be treated as confidential:
(a) Information on the registration of persons responsible for placing devices on the market in accordance with Article 14;
(b) Information to users sent out by the manufacturer, authorized representative or distributor in relation to a measure according to Article 10(3);
(c) Information contained in certificates issued, modified, supplemented, suspended or withdrawn.
3. The measures designed to amend non-essential elements of this Directive, inter alia by supplementing it, relating to determination of the conditions under which other information may be made publicly available, and in particular for Class IIb and Class III devices to any obligation for manufacturers to prepare and make available a summary of the information and data related to the device, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article7 (3).
What you need to know
Device manufacturers need to know that proprietary information, for the most part, is protected under the Directive. However, if a device’s safety and efficacy become a concern within the EU, or a specific Member State finds the dissemination of a warning necessary, the Member State, Competent Authority, and notified body shall retain the right to exchange mutual information. Remember, under the Directive regulatory bodies operating within the EU are obligated to take the appropriate action in order to protect public health.
Additionally, the Directive is very specific in regard to the type of information that is not protected under the confidentiality clause. The three salient categories of information protected under the Directive are; (a) registration information, (b) user information, and (c) certification information. Furthermore, there is what the doctor considers a “catch-all” element under the confidentiality clause. Section 3 of the clauses expands on the other information being publicly made available. For example, it is not out of the question or the realm of the Directive for manufacturers to provide a summary of information and relevant data associated with a device entered into commerce within the EU. This holds particularly true for the higher-risk category devices such as a Class IIb or a Class III.
Finally, when in doubt device manufacturers should always confide in the notified bodies. Why? Dr. D broken-record time, “Because the notified bodies work for the device manufacturers.” Although, Dr. D has on occasion been witness to the obverse, when notified bodies believe they are the client. When that happens, all that is usually required is a simple reminder as to who is actually signing the checks.
What you need to do
Dr. D always recommends that an organization develop a written policy for handling of all information, data, records, etc. A non-disclosure agreement (NDA) should always be part of the policy. The doctor would also like to remind the reader that a contract/written agreement should also be in place for the device manufacturer’s European Authorized Representative. When device issues occur in the EU, and trust Dr. D when I say they will occur, the authorized rep will be the device manufacturer’s first line of defense. It is imperative that the manufacturer, the authorized rep, and the notified body be on the exact same page in regards to the dissemination of information and disclosure.
Another salient point that device manufacturers need to grasp is that the Competent Authorities are regulatory gods within the EU. If a device is hurting people and an abundance of vigilance reports places the safety and efficacy of a device into question, the Competent Authorities have the legal right to any and all information associated with the device, including the technical file or design dossier, and all of the supporting reports.
How does the doctor know this? Because Dr. D has lived through the pain of having to review an entire dossier with the Competent Authority of a Member State. It was an extremely painful experience, but it was also a fabulous learning experience. One final note, the technical content of the technical file or design dossier is never to be shared with the general public. Regardless of the Directive, that is why the NDA is an important document.
Takeaways
For this edition of DG, the doctor will leave the readers with three final thoughts:
- Under the Directive, reasonable attempts at confidentiality are required to be sustained.
- There are three categories of information that are not protected under the confidentiality clause—registration, user, and certification information.
- The best way an organization can protect itself in regards to the managing of proprietary information is through a well-documented policy augmented by the NDA.
Until the next installment of DG, when Dr. D will provide guidance for complying with Article 20a (Cooperation) of Council Directive 93/42/EEC, the MDD – cheers from Dr. D and best wishes for continued professional success.
References:
- Council Directive 93/42/EEC. (1993, June). Council Directive 93/42/EEC concerning medical devices. Retrieved December 21, 2010, from http://eur-lex.europa.eu
- Devine, C. (2009, July). Exploring the effectiveness of defensive-receiving inspection for medical device manufacturers: a mixed method study. Published doctoral dissertation. Northcentral University. Prescott Valley, AZ.
Related Articles
-
The new guidance is intended to establish confidence in automation used for production or quality assurance systems and describe various methods and testing activities that may be applied to establish computer software assurance and meet regulatory software validation requirements.
-
The updated guidance document clarifies what constitutes a statement of the basis for the deficiency and includes examples of well-constructed deficiencies and industry responses to facilitate a more efficient review process.
-
The revised cybersecurity draft publication is not intended to be a checklist for healthcare organizations to follow, but rather a guide to help them comply with the HIPAA Security Rule.
-
The draft guidance proposes updates to clarify how the Breakthrough Devices Program may be applicable to certain medical devices that promote health equity, as well as considerations in designating eligible devices that may benefit populations impacted by disparities in health…
