On February 15, 2019, the U.S. Food and Drug Administration (“FDA”) finalized two guidance documents regarding regenerative medicine therapies (see FDA’s announcement here). This development comes nearly 14 months after FDA issued both guidance documents in draft form, which also coincided with FDA’s announcement of a new comprehensive regenerative medicine policy framework intended to spur innovation and efficient access to new regenerative medicine products.

FDA Commissioner Scott Gottlieb remarked that the finalization of regenerative therapy guidance documents “demonstrate[s] [FDA’s] continued commitment” to fulfilling the promise of providing a clear and predictable pathway to approval. Moreover, he noted that these guidance documents help stakeholders to “understand our regulatory framework” and, in turn, “may help to more efficiently advance access to safe and effective regenerative medicine therapies.” These guidance documents, which are discussed in further detail below, provide information to product developers about FDA’s current thinking with respect to evaluating devices used with regenerative medicine advanced therapies and provide information on the expedited development programs that may be available.

Guidance for Industry: Evaluation of Devices Used with Regenerative Medicine

The final guidance entitled “Evaluation of Devices Used with Regenerative Medicine Advanced Therapies” (available here) clarifies how FDA will evaluate devices used in the recovery, isolation, or delivery of regenerative medicine advanced therapies (RMATs). This guidance finalizes FDA’s current thinking on how the agency will streamline and simplify its application of regulatory requirements for combination device and cell or tissue products.

In this guidance document, FDA acknowledges that a wide range of devices may be used in conjunction with an RMAT, ranging from simple, low-risk devices to complex, higher risk devices to devices that are constituent parts of an RMAT that is classified as a combination product. FDA reiterates that the primary factor in determining the availability of premarket pathways for a device is the device’s classification (i.e., Class I, Class II, or Class III), followed by the risks associated with the device type and the level of regulatory controls necessary to provide a reasonable assurance of safety and effectiveness.

In addition, FDA discusses the factors it will consider when determining whether a device may be labeled for use with a specific RMAT or class of RMATs. When determining which devices may be suitable for use with a specified RMAT or type of RMAT, FDA will consider the distinct biological and physical characteristics of RMATs, intended use, and conditions for use. With respect to cellular products that are RMATs, FDA intends to review the cellular products’ characteristics, their interaction with different devices, as well as any impact on cell viability, differentiation potential, activation state and ability to respond to stimuli after administration and other similar factors.

Substantively, there were no major or unexpected changes between the draft guidance and the final guidance issued by FDA.

Guidance for Industry: Expedited Programs for Regenerative Medicine Therapies for Serious Conditions

The second final guidance, “Expedited Programs for Regenerative Medicine Therapies for Serious Conditions” (available here), provides information regarding the use of accelerated approval pathways for regenerative medicine therapies that have been granted designation as an RMAT, as well as considerations in the clinical development of regenerative medicine therapies and opportunities for sponsors of such products.

This guidance makes clear that the following therapies could qualify for an RMAT designation: cell therapies, therapeutic tissue engineering products, human cell and tissue products, and combination products using any such therapies or products, except those regulated solely under section 361 of the Public Health Service Act (42 U.S.C. 264) and 21 C.F.R. Part 1271. Notably, the final version of this guidance clarifies that “cell therapies” includes both allogeneic and autologous cell therapies, as well as xenogenic cell products. Products that qualify for an RMAT designation receive all of the benefits of the fast track and breakthrough therapy designation programs, including early interactions with FDA. Although sponsors may apply for and receive both breakthrough and RMAT designation for a product, FDA advised that each designation requires a separate application.

Factors that FDA may consider when determining whether the preliminary clinical evidence is sufficient to support RMAT designation include, but are not limited to, the rigor of data collection; the consistency and persuasiveness of outcomes; the number of subjects and sites contributing to the data; and the severity, rarity, or prevalence of the condition. Unlike the breakthrough therapy designation, RMAT designation does not require a sponsor to produce evidence indicating that the drug offers a substantial improvement over available therapies.

To apply for RMAT designation, a sponsor should submit either a new investigational new drug application (“IND”) or an IND amendment, along with a concise summary of information in support of the RMAT designation. The application should include a description of the investigational product; rationale for the investigational new drug meeting the definition of an RMAT; a discussion to support that the disease or condition the product is intended to treat is serious; and preliminary clinical evidence that the product has the potential to address the specified unmet medical need for the serious condition. The requirement to provide a description of the product is new to the final guidance.  No later than 60 calendar days after receipt of the designation request, FDA will notify the sponsor as to whether the regenerative medicine therapy has received the RMAT designation.

Finally, this guidance provides recommendations for clinical trial design. FDA states that it will consider clinical trials in support of a Biologics License Application (“BLA”) that “incorporate adaptive designs, enrichment strategies, or novel endpoints.” This final guidance provides new language indicating that historical controls and natural history data (the course a disease takes from its onset, through presymptomatic and clinical stages, to a final outcome in the absence of treatment) may be considered, if appropriate. Natural history data, however, may only provide the basis of a historical control if the “control and treatment populations are adequately matched, in terms of demographics, concurrent treatment, disease state, and other relevant factors.”

FDA’s continued focus on developing and finalizing guidance in the regenerative medicine space suggests that FDA is serious about helping industry to both navigate the application process in an effort to streamline the premarket approval process and to better understand and address identified regulatory pain points. For these reasons, sponsors of investigational regenerative therapies should pay close attention to and take into consideration the recommendations set forth in these final guidance documents.

There is a new kid on the block . . . the Chief Data Officer (CDO).  There is no surprise in our data-driven world that such a role would exist. Yet, many organizations struggle with defining the role and value of the CDO. Effective implementation of a CDO may be informed by other historical evolutions in the C-Suite.

Examining the rise of the Chief Compliance Officer (CCO) in the 2000’s mirrors some of the same frustrations that organizations faced when implementing the CCO role. While organizations were accustomed to having legal, HR, and internal audit departments working together to ensure compliance, suddenly CCOs stepped in to pull certain functions from those departments into the folds of the newly-minted Compliance department.  Integrating CDOs appears to follow a similar approach. Particularly in health care, the CDO role is still afloat, absorbing functionality from other departments as demand inside of organizations evolves and intensifies to focus on the financial benefits of their data pools.

Corporate evolution is challenging and often uncomfortable, but the writing is on the wall . . . there are two types of companies:  ones that are data-driven and ones that should be.  Which will you be?

What Is a Chief Data Officer?

CDO responsibilities will vary depending on the organization. Some organizations position the CDO to oversee data monetization strategies, which requires melding business development acumen with attributes of a Chief Information Officer. In some organizations, the CDO may oversee the collection of all of the company’s data in order to transform it into a more meaningful resource to power analytical tools.

A survey of CDO positions identified three common aspirations that organizations have for the role: Data Integrator, Business Optimizer, and Market Innovator. Data Integrators primarily focus on infrastructure to give rise to innovation. Business Optimizers and Market Innovators focus on optimizing current lines of business or creating new ones. These aspirations will likely vary depending on the nature and maturity of organizations. Regardless of the specific role, CDOs can help organizations bridge the widening gap between business development, data management, and data analytics.

Further, a key component of a CDO’s activity will relate to responsible data stewardship.  CDO activities will heavily depend on developing a data strategy that complies with legal, regulatory, contractual and data governance boundaries around data collection, use and disclosure.  CDOs should work closely with legal counsel and compliance personnel to effectively navigate these challenges.  Further discussion of the legal and regulatory landscape around data use is available here.

The Importance of CDOs in Transforming Healthcare Companies

It is clear that leveraging data will be key to innovating, gaining efficiencies, and driving down costs over time.  Yet, many organizations continue to struggle with making sense of the data they possess.   For some, the CDO may be a critical driving force to advance a business into a new landscape.  Just as the CCO helped address decades of frustration with corporate ethics and practices (and was soon demanded by lawmakers and regulators), the role of the CDO has emerged in response to demand for efficiencies in business practices and the recognition that data has become the world’s most valuable commodity.

In light of the explosion of data in the healthcare industry, organizations should consider whether and how a CDO will fit into the corporate structure. Furthermore, organizations should work to understand how having a person at the table with a keen eye towards giving life to an organization’s data resources can benefit the business long term from internal and external perspectives.  The ultimate question a CDO can help solve is:  What don’t we know that, if we knew, would allow our organization to innovate or operate more efficiently or effectively?


Alaap B. Shah


Andrew Kuder

On October 18, 2018, the FDA published Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.  This guidance outlined recommendations for cybersecurity device design and labeling as well as important documents that should be included in premarket approval submissions.  This guidance comes at a critical time as the healthcare industry is a prime target for hackers.  On January 22, 2019, the U.S. Department of Homeland Security Industrial Control System Cyber Emergency Team (US-CERT) issued another advisory regarding medical device vulnerabilities.  Further, a report by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) found that 18 percent of healthcare organizations reported that their medical devices were hit by malware or ransomware.  Many experts are also projecting that more cyber-attackers will target devices in 2019.

The FDA has recognized cybersecurity risk related to medical devices for quite some time, and has taken this step to further protect patients from such risks.  Other organizations have also taken aim at this issue, such as the National Institute of Standards and Technology (NIST) issuing guidance related to telehealth monitoring devices.  However, medical device manufacturers may continue to struggle to address these risks in design, development and implementation.  As a result, with Internet of Things (IoT)-enabled device innovation continuing to expand and the expectation of new threats, it is imperative that medical device consumers and manufacturers keep pace to ensure device network security.

There are several complexities that exist relative to securing medical devices. First, many devices no longer function as stand-alone components in healthcare settings as they are being integrated into the health care IoT.  Second, an increasing number of medical devices are network-connected and transmitting sensitive patient data through other wired or wireless components.  These two factors create quality improvements, convenience and flexibility to physicians and patients, but they can also introduce new security vulnerabilities that could adversely affect clinical operations as well as put patients at risk.

The FDA guidance addresses a number of key areas of risk.  In particular, the guidance recognized vulnerabilities stemming from insufficient access control safeguards medical devices.  For instance, administrators often assign the same password to multiple devices, which could provide unauthorized access to each device and its data.  Additionally, the FDA noted that data transmitted through the devices is not always encrypted, which could allow unauthorized individuals to intercept and even modify clinical information impacting patients’ privacy and/or safety.  Finally, a number of devices are vulnerable to malware without the ability to apply security patches.

To reduce risk, there are several measures that can be implemented to enhance device security.   For instance, hospitals and health systems should include medical devices in security risk analyses and risk management plans. Additionally, organizations should thoroughly evaluate security risks related to devices and vendors before purchasing devices (e.g. request disclosure of device cybersecurity properties).  As for device manufacturers, enhanced security systems should be baked into devices to monitor device networks and ensure device authorization is limited to assigned authorized users.

EBG will continue to keep an eye on how the industry reacts and implements the FDA’s guidance over time.


Brian Hedgeman


Alaap B. Shah

The federal government entered into a partial shutdown at midnight on Saturday, December 22, 2018. The implications of the ongoing shutdown are far-reaching, but its impact on the Food and Drug Administration (“FDA”) is of particular concern to members of FDA-regulated industries and those with a role in ensuring the public health. Thousands of FDA employees considered non-essential were furloughed and, consequently, routine regulatory and compliance activities at FDA were put on hold. On his Twitter account (@SGottliebFDA), Scott Gottlieb, M.D., Commissioner of the FDA (“Dr. Gottlieb”), has tweeted frequent updates regarding FDA operations. As he explained, FDA officials initially consulted with public health experts and other senior leaders regarding which FDA activities address threats to human life and safety and, thus, should continue during the shutdown.

Many FDA operations halted for two weeks during the holidays, according to schedule. Accordingly, many activities were not considered delayed until early January when FDA was scheduled to resume all operations. To provide examples of the shutdown’s implications at FDA, FDA is currently not accepting new medical product applications that require fee payment or reviewing drug applications that are not user-funded, and FDA’s Center for Drug Evaluation and Research (“CDER”) has paused all non-emergency over-the-counter monograph drug activities because these activities were determined not to address immediate threats to human life and safety. In addition, the thirty-day waiting period before sponsors of investigational new drugs may conduct clinical trials is paused during the shutdown unless the drugs are considered emergency drugs.

During the shutdown, FDA will utilize carryover “user fee” funding to continue review of certain applications that require a user fee, such as New Drug Applications, Biologics License Applications, and Premarket Approval applications for medical devices, if such fee has been paid. However, FDA may require more time than what agency timeframes allot to review these applications. FDA cannot accept new user fees during the shutdown. If fee payment is required, sponsors must wait until the government reopens. Some companies and industry segments, such as allergenic products, negotiated to be excluded from user fees and chose to instead rely on budget authority. Accordingly, when budget authority lapses, routine review activity for these products halts unless an emergency involving safety of human life warrants review.

As the shutdown entered week three, FDA determined it would resume activities necessary to identify and respond to threats to the safety of human life. On January 15, 2019, furloughed food safety inspectors returned to work without pay after Dr. Gottlieb days earlier sought and received permission from the Department of Health and Human Services and the White House to call the inspectors back to work. Resumed FDA activities include:

  • expanded monitoring and analysis of food safety surveillance and detection;
  • surveillance sampling of high-risk foods, drugs, and devices;
  • expanded monitoring and evaluating of medical device adverse event and malfunction reports to include additional types of medical devices;
  • expanded activities related to surveillance and response for recalls as necessary to identify and respond to threats to the safety of human life; and
  • expanded inspection activities beyond “for-cause” inspections to also include foreign and domestic food, drug, medical, device, and pharmacy compounding surveillance inspections focused on the highest risk products and facilities.

Resumed activities are being funded by carryover user fees and from the reduction of any overhead charges to CDER and the Center for Biologics Evaluation and Research. Dr. Gottlieb claims these funding sources give FDA roughly five weeks of funding to review new drug applications. FDA is seemingly operating at the best of its ability despite the circumstances. According to Dr. Gottlieb, carryover user fees supported the January 16, 2019 FDA guidance on drug development to treat rare diseases. Also on January 16, FDA issued draft guidance to support companies seeking final approval for tentatively-approved generic drug applications to promote timely access to safe and effective generic medicines. However, the Prescription Drug User Fee Act, which authorizes FDA to collect fees from companies that produce certain human drug and biological products, is the most vulnerable program, likely to run out of money the first week of February.

Manufacturers, researchers, and others involved in the creation of these products should continue to monitor for developments but should expect likely delays in all FDA review activity. Additional operations may resume as determined to be necessary if the shutdown continues. If the shutdown lasts for more than five additional weeks, it is unclear which FDA operations not addressing an immediate threat to human life can continue. Once the government reopens, FDA will still face a backlog of applications and other regulatory activity, almost guaranteeing a ripple effect of delays that will continue for the foreseeable future.

On December 7, 2018, the U.S. Food and Drug Administration (“FDA”) published a proposed rule (“Proposed Rule”) that, if finalized, would clarify the de novo classification process for medical devices, including (1) the format and contents of a de novo request and (2) the criteria for accepting or denying a de novo request. FDA intends to “enhance regulatory clarity and predictability… [and] provide a regulatory framework that sets clear standards, expectations and processes for de novo classification” through this proposed rulemaking.[1]

FDA regulates medical devices based on risk and has established three general classifications: “class I” (general controls required to provide reasonable assurance of the safety and effectiveness of the device), “class II” (special controls required), or class III (premarket approval required). The regulatory framework for class III devices is especially stringent—FDA reviews class III device safety and effectiveness under a premarket approval (“PMA”) application that takes six months or more to approve, if the device is found suitable for marketing. The 510(k) “premarket notification” submission, however, enables lower-risk devices that are “substantially equivalent” to existing, legally marketed (“predicate”) devices not subject to a PMA to obtain marketing clearance without a PMA. Under section 513(f)(1) of the Federal Food, Drug, and Cosmetic Act (“FDCA”), new devices receiving not substantially equivalent (“NSE”) determinations are automatically designated a class III device. The de novo process serves as an alternative pathway for receiving marketing authorization for class I or II devices.

In the Proposed Rule, FDA seeks to clarify and formalize the de novo pathway for novel devices without predicates. Many of these proposals are contained in various recent guidances from FDA.[2] Below we break down key components of the Proposed Rule:

 

FDA Reviewing Procedures: Facility Inspections Proposed

Perhaps the most controversial component of the proposed de novo pathway is a provision that enables FDA to conduct premarket manufacturing inspections of “relevant facilities” as part of its de novo review process. Although these manufacturing inspections are authorized under the FDCA as an element of the PMA application review, the FDCA does not grant this authority to FDA for de novo review.[3] If this provision remains upon rule finalization, de novo requesters must have their quality systems prepared for inspection. Failing to permit an authorized FDA employee to inspect a relevant facility results in automatic “withdrawal” of the de novo request.

This provision may also be problematic in light of FDA’s proposed timeline for de novo request acceptance. The Proposed Rule requires FDA to grant or decline a de novo request within 120 days from when it receives the request or any additional information. While de novo request devices are required to be classified within the same timeframe under the FDCA, 120 days is rarely met. According to the Medical Device User Fee Amendments 2017 (“MDUFA IV”), FDA articulates that it aims to “issue a MDUFA decision within 150 FDA days of receipt of the submission for . . . 55% of de novo requests received in FY 2019.” (emphasis added). FDA’s self-stated goals appear to make the proposed 120-day codification lofty, especially considering FDA’s authorization and intention to make premarket manufacturing inspections during its de novo request reviews.

 

Notable De Novo Request Content Requirements

The Proposed Rule intends to clarify the minimum content requirements as prescribed in section 513(f)(2) of the FDCA. Most of these components are consistent with de novo guidance recommendations, but there are a handful of new proposed requirements:

  • Bibliography of “all published reports” and other unpublished “identification, discussion, and analysis of any other data, information, or report” relevant to the safety and effectiveness of the device. This practice is typically reserved to higher-risk PMA applications under 21 C.F.R. 814.20(b)(8).
  • Samples of the device and its components (if requested by FDA). This practice is typically reserved to higher-risk PMA applications under 21 C.F.R. 814.20(b)(9).
  • Proposed advertisements and labels for the device. Although not uncommon for companies to include sample labeling information in 510(k) notifications, this proposed provision would now make it a requirement in de novo requests, similar to PMA applications under 21 C.F.R. 814.20(b)(10).
  • Information about “known or reasonably known existing [device] alternative[s].”
  • Statement that provides (1) a list of any required information that is omitted in the de novo request and (2) “a justification” for any omissions.

 

Acceptance Review

FDA proposes an acceptance review stage for de novo submissions during which FDA makes a “threshold determination” as to whether the de novo request contains sufficient information to warrant substantive review. Within 15 days of receiving the de novo request or additional information, FDA must complete the acceptance review and notify the requester—after 15 days, the de novo request is automatically accepted for substantive review. The Proposed Rule identifies several “deficiencies” that warrant a refusal to accept (“RTA”), including: (1) incorrect de novo request format; (2) incomplete submission of required content; and (3) the failure to provide a “complete response” to FDA requests for additional information or deficiencies identified by FDA in any prior submissions for the same device. These deficiencies are similar to the Refuse to Accept Policy for 510(k)s guidance and “Acceptance Checklist[s]” issued by FDA in January 2018.

 

Confidentiality Provisions

FDA sets forth confidentiality provisions that are similar to other FDA marketing submissions. FDA must maintain confidentiality of the requester’s de novo application until it issues an order granting the request. FDA must also maintain confidentiality of all information provided in the request. Public disclosure by the requester, however, renders these confidentiality requirements inapplicable.

The preamble makes it clear that FDA is proposing this rule to bring greater structure, clarity, and efficiency to the de novo classification process. This rule essentially formalizes many of the criteria recommended in various FDA guidances and provides more certainty (albeit less flexibility) for both de novo requesters and FDA enforcement.

The Proposed Rule is available for public comment until March 7, 2019. If finalized, FDA the regulations would go into effect 90 days after the final rule is published.

 

[1] 83 Fed. Reg. 63,129 (Dec. 7, 2018).

[2] See, e.g., U.S. FDA, Guidance: De Novo Classification Process (Evaluation of Automatic Class III Designation) (Oct. 30, 2017), available at https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm080197.pdf; U.S. FDA, Draft Guidance: Acceptance Review for De Novo Classification Requests (Oct. 30, 2017), available at https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm582251.pdf.

[3] In fact, the FDCA expressly prohibits FDA from conducting these premarket facility inspections in its 510(k) review (“other than a finding that there is a substantial likelihood that the failure to comply with such regulations will potentially presents a serious risk to human health”). See FDCA Sec. 513(f)(5).

On November 26, 2018, the U.S. Food and Drug Administration (“FDA”) announced the process for clearing most medical devices for marketing is being updated to incorporate changes the FDA laid out in an April draft guidance. For over forty years, most medical devices have entered the United States market through the 510(k) clearance process. The 510(k) process offers an expedited approval process available only for products that are substantially equivalent to products already on the market (known as predicate devices). The FDA is considering no longer allowing sponsors to rely on predicates older than ten years and making public information about cleared devices that relied on predicates more than ten years old. In addition, the FDA intends to finalize guidance establishing an alternative 510(k) pathway with different criteria that reflect current technological principles.

In a statement, FDA Commissioner Scott Gottlieb reasoned that newer products relying upon older predicates might not reflect new performance standards or latest scientific and medical understanding. Commissioner Gottlieb believes this change will promote the continual improvement of medical devices. However, the announced change received quick pushback. Many manufacturers argue that reliance upon older predicates can be necessary when no newer predicates are available, and older predicates can provide data that helps sponsors make new devices safer. In addition, many industry-observers believe the FDA’s plans may contradict and exceed its statutory authority, and therefore require additional support from Congress.

If the current proposal becomes law, the implications will include increased costs for manufacturers forced to innovate because of the inability to rely on older predicates. The agency’s statement indicates that new medical devices that utilize the 510(k) pathway should be better than predicates, rather than the applicable legal standard of substantial equivalence. Thus, manufacturers can anticipate increased agency scrutiny when submitting information in the 510(k) summaries. In addition, manufacturers may need to make alternative plans if developing a new device based on an older predicate.

On November 1, 2018, the Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) published an audit report finding that the U.S. Food and Drug Administration’s (“FDA”) policies and procedures were “deficient for addressing medical device cybersecurity compromises.” (A copy of OIG’s complete report is available here and Report in Brief is available here.) Specifically, the OIG found that FDA’s policies and procedures were “insufficient for handling postmarket medical device cybersecurity events” and that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. Although the OIG report “did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” it noted that “existing policies and procedures did not include effective practices for responding to these events.”

Citing cybersecurity of medical devices as a top management challenge for HHS, OIG conducted an audit to evaluate FDA’s plans and processes for timely communicating and addressing cybersecurity compromises in the medical device postmarket phase. Based on OIG’s audit of certain FDA internal policies, procedures, and website, as well as interviews with FDA staff, OIG recommended that FDA take the following actions: (i) continually assess the cybersecurity risks to medical devices and update its plans and strategies; (ii) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders; (iii) enter into a formal agreement with federal agency partners; and (iv) establish and maintain procedures for handling recalls of medical devices vulnerable to cybersecurity threats. Although the OIG acknowledged that FDA has recently implemented some of its initial recommendations, it emphasized that its findings and recommendations with regard to FDA’s cybersecurity policies and procedures remain valid.

On the same date OIG published its report, FDA’s Suzanne B. Schwartz, M.D., M.B.A., published a post on FDA Voices asserting that the OIG report is an incomplete and inaccurate picture of FDA’s oversight of medical device cybersecurity. The post addresses FDA’s ongoing efforts to improve medical device cybersecurity over the past five years, including entering into a memorandum of agreement between FDA and the Department of Homeland Security (“DHS”) and publishing a new premarket cybersecurity guidance update in October 2018, which we wrote about in a previous blog here. FDA’s post also highlights FDA’s other partnerships with industry that aim to increase awareness of cybersecurity vulnerabilities and related concerns.

FDA reiterated that its regulatory approach to cybersecurity threats “is not static,” and reconfirmed its commitment to “work with the medical device industry and other stakeholders to proactively address emerging cybersecurity threats to medical devices in a way that puts patient safety first.” FDA has announced that it will hold a public Workshop on January 29-30, 2019 to discuss the newly released draft guidance on cybersecurity in premarket submissions. Instructions for registration are available on FDA’s website here.

In response to the OIG’s report, FDA will likely continue to develop new cybersecurity policies, initiatives, and guidance. Stakeholders in the medical device industry should monitor these developments and be prepared to address any such changes in policy or regulation. Meanwhile, regulated industry should consider reviewing FDA’s current cybersecurity guidance documents and assess whether its internal controls, quality systems, policies, or procedures adequately address potential cybersecurity risks or threats or could be improved.

EBG will continue to monitor all developments in FDA’s regulation of and policies related to medical device cybersecurity.

On November 2, 2018 CMS announced the finalization of the 2019 OPPS and ASC payment rules which were initially proposed in July of 2018.[1] [2] While the final document will not be officially published until November 21st, an Inspection Copy is available for the public to review on the Federal Register website. These new payment rules in many ways expand the range of services that CMS will reimburse when performed at Ambulatory Surgical Centers (ASCs), most notably, by including certain cardiac catheterization procedures on the approved list, and by lowering the threshold that determines allowable device intensive procedures.

Increase in Covered Cardiac Catheterization Procedures:

The Final Rule will add 17 procedures relating to cardiac catheterization to the list of ASC Covered Surgical Procedures.  The final list includes five procedures that were not included in the July 2018 proposed rule, due in part to commenters requesting that additional procedures be added to the list, and CMS adopting their request, at least in part.[3] [4] [5] The expanded list reflects the growing trend of cardiac procedures being transitioned from an inpatient to an outpatient setting. This shift will have a continuing business impact on inpatient providers and may also lead to state-level regulatory changes. States that currently prohibit cardiac catheterization procedures at outpatient facilities may decide to adopt changes to allow certain procedures that have been deemed acceptable by CMS to be performed at facilities without on-site inpatient services, including ASCs.[6] Furthermore, these additions could be a springboard for CMS to later add more complicated procedures to the list of ASC covered services.

Decrease in Device Offset Percentage:

CMS has also taken steps to make device-intensive procedures more accessible in the ASC setting. Procedures categorized as “device-intensive” are paid at the higher OPPS rate, even if performed in an ASC.  However, a procedure only qualifies as “device-intensive” if the portion of the procedure’s cost related to the device falls within a predetermine percentage. The Final Rule decreases the device offset percentage threshold from 40 percent to 30 percent, meaning that procedures utilizing lower-cost devices will now be eligible for reimbursement as “device-intensive.”  As a result, ASCs will have the financial capacity to perform more procedures that involve lower cost medical devices.[7] CMS directly states its purpose behind this move saying “We believe allowing these additional procedures to qualify for device-intensive status will help ensure these procedures receive more appropriate payment in the ASC setting, which will help encourage the provision of these services in the ASC setting.”[8] The implementation of the new payment rules will undoubtedly lead to an increase in the amount of device-intensive procedures performed in the ASC setting as ASCs expand their scope of services to include more device-intensive procedures and patients choose to have these procedures performed in an outpatient setting. This change may also indicate future moves by CMS to encourage complex, device intensive procedures, such as joint replacements, in the ASC setting.

Government Shift to Outpatient Providers

These rule changes reflect Medicare’s continued shift towards encouraging services to be provided in the less costly outpatient setting. Anticipating a continued incline in the amount of individuals eligible for federal programs based on the expectation that 10,000 baby boomers will retire per day for over the next decade, CMS is likely to continue making changes to its payment rules to encourage the provision of care in lower cost settings.[9] These changes provide opportunities for ASCs and physicians to expand their business, but also threaten more “bread and butter” revenue streams on which hospitals have historically relied. Thus, hospitals, ASCs and physicians should consider addressing these changes in their long-term strategic plans, including possible joint ventures for outpatient services, in general, or specific service lines, such as cardiac catheterizations.

____

[1] CMS Inspection Copy

[2] 83 Fed. Reg. 37046.

[3] CMS Inspection Copy (at page 746)

[4] 83 Fed. Reg. 37046, 37160.

[5] CMS Inspection Copy (at page 743-44)

[6] N.J.A.C. 8:33E-1.3.

[7] 83 Fed. Reg. 37046, 37108.

[8] Id.

[9] http://www.pewresearch.org/fact-tank/2010/12/29/baby-boomers-retire/

On October 15, 2018, the Centers for Medicare and Medicaid Services (CMS) unveiled its proposed rule requiring direct-to-consumer television advertisements for prescription drug and biological products to contain the list price (defined as the Wholesale Acquisition Cost) if the product is reimbursable by Medicare or Medicaid. Medical devices are not included in the proposed rule, although CMS seeks comment on how advertised drugs should be treated if used in combination with a non-advertised device. If finalized, the requirement will be sweeping and only purports to exclude products costing under $35 per month for a 30-day supply or a typical course of treatment.

CMS prescribes specific language for manufacturers to use at the end of an advertisement:

The list price for a [30-day supply of ] [typical course of treatment with] [name of prescription drug or biological product] is [insert list price]. If you have health insurance that covers drugs, your cost may be different.

The list price is determined “on the first day of the quarter during which the advertisement is being aired or otherwise broadcast.” This pricing statement must be legible, “placed appropriately against a contrasting background for sufficient duration,” and must be in an easily read font and size. Manufacturers are permitted under the proposed rule, “[t]o the extent permissible under current laws,” to include a competitor’s current product list price, so long as the disclosure is done in a “truthful, non-misleading way.”

CMS proposes that drug and biological products in violation of the proposed rule would be publically listed on its website. Although CMS acknowledged that it was proposing no other HHS-specific enforcement mechanisms, CMS anticipates an influx in private actions under the Lanham Act as the primary enforcement mechanism if the proposed rule is finalized.

Health and Human Services Secretary Alex Azar emphasized the proposed rule’s intent to mitigate consumer out-of-pocket costs and reduce unnecessary Medicare and Medicaid expenditures. Interested stakeholders can submit comments online to the regulations.gov docket or by mail until December 17, 2018.

The FDA issued a new Draft Guidance today to ensure medical devices – an increasing potential target for hackers – are better protected from unauthorized digital access.

According to the FDA’s draft guidance issued today, “Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally. Such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.”

Under the proposed draft guidance manufacturers will be required to better protect their devices in a more uniform manner as prescribed by the FDA. The new pre-market submission proposals are designed to help guide the industry in designing these digital safety mechanisms from the beginning of product design and development.

The New Guidance covers Premarket Notification (510(k)) submissions (including Traditional, Special, and Abbreviated); De Novo requests; Premarket Approval Applications (PMAs); Product Development Protocols (PDPs) that contain software (including firmware) or programmable logic; as well as software that is a medical device.

While manufacturers are required under Quality System Regulations to establish and maintain procedures for validating the devices design including software validation and risk analysis, FDA is recommending validation include design controls to ensure medical device cybersecurity and maintain medical device safety and effectiveness. Including these design controls may make it easier for FDA to “find your device meets its applicable statutory standard for premarket review.”

The recommendations in the newly released Draft Guidance describe using a more risk-based approach to the design and development of appropriate cybersecurity protections. The FDA wants manufacturers to design programs to follow their devices throughout the device lifecycle, monitor new and potential threats, and issue cybersecurity updates to thwart new attempts at unauthorized digital access of the devices.

Because devices that connect to the internet or wirelessly to other devices pose a new and larger threat to cybersecurity, the FDA is requiring a Cybersecurity Bill of Materials be included in the manufacturers filing to identify key components and accessories that could render the device vulnerable to “hacking”. The FDA is creating a new Tier 1 level of standards for these devices to ensure greater security than Tier 2 devices (those that are not wirelessly or internet connected).

Design controls should include appropriate authorization such as ID’s, passwords, time limited sessions with auto logout, layered authorization (i.e. patient, healthcare professional, technician) should now be used in the design of these devices. Authentication and authorization of critical safety commands will be considered in new submissions. In addition, proper labeling to warn patients and providers of the cyber security risks involved in these devices is essential.

For an updated list of FDA recognized consensus standards the Agency recommends that you refer to the FDA Recognized Consensus Standards Database.