Gummies, brownies, sodas, cookies . . . consumer appetite for food and dietary supplement products containing cannabidiol (“CBD”) has grown over the last few years as states have moved to legalize cannabis for medical or limited recreational use.  With the passage of the 2018 Farm Bill on December 20, 2018, which legalized the cultivation of hemp for certain purposes, the “edibles” industry appeared poised for further expansion.

However, recent developments at both the federal and state level may be putting the “edibles” industry on a diet.  In the past week, bans on the sale of foods and beverages with added CBD have been reported in three jurisdictions—Maine, Ohio, and New York City. Maine Department of Health and Human Services officials are reported to have ordered the removal of any edible product containing CBD from store shelves, including foods, tinctures, and capsules.  Further, the Ohio Department of Agriculture is reported to have put an “embargo” on products containing CBD. News sources report that government officials from these states began enforcement of this policy by seizing products from local businesses.  Finally, the New York City Department of Health and Mental Hygiene appears to have instructed New York City businesses to stop selling any foods or drinks with CBD as a food additive.

These state and municipal actions are the most recent governmental bite out of the edibles industry.  Concurrent with the passage of the Farm Bill, FDA Commissioner Scott Gottlieb released a statement cautioning that the new law did not alter the agency’s position on CBD added to food or contained in dietary supplements.  Rather, according to the statement, it is unlawful under the Federal Food, Drug, and Cosmetic (“FD&C”) Act “to introduce food containing added CBD . . . into interstate commerce, or to market CBD . . . products as, or in, dietary supplements, regardless of whether the substances are hemp-derived. This is because both CBD and THC are active ingredients in FDA-approved drugs and were the subject of substantial clinical investigations before they were marketed as food or dietary supplements.” A newly-added FDA webpage, “FDA and Marijuana: Questions and Answers,” similarly asserts this view.

FDA’s position is rooted in two provisions of the FD&C Act, namely 21 U.S.C. §§ 331(ll) and 321(ff)(3)(B). These provisions prohibit the sale of any food or dietary supplement, respectively, which contains an ingredient that was the subject of clinical investigations or approved as a drug by FDA before the ingredient was marketed in the food or dietary supplement. FDA maintains that CBD was approved as a drug ingredient by the agency (i.e., the anti-epilepsy drug Epidiolex®) before it was marketed in food, and therefore “it is a prohibited act to introduce or deliver for introduction into interstate commerce any food . . . to which . . . CBD has been added.”

It remains to be seen whether other state and local governments will follow the lead of Maine, Ohio, and New York City by banning the sale of edibles, either for public health concerns or to conform with FDA policy. Given consumer demand for and industry investment in CBD products, other states and localities may face opposition to such actions.

These same factors also may encourage FDA to reexamine its current policy; indeed, the Commissioner’s statement acknowledged that FDA could, through rulemaking, allow the use of CBD in traditional food and dietary supplement products, and announced the agency’s intent to “hold a public meeting in the near future for stakeholders to share their experiences and challenges with these products, including information and views related to the safety of such products.”  Stakeholders with an interest in consumer-based CBD products—as well as in developing other hemp-derived cannabinoid compounds for the consumer market—may wish to consider an FDA engagement strategy as part of their business development plans.

On December 11, 2018, the Food and Drug Administrative (“FDA”) issued a draft guidance for comment entitled, “Biomarker Qualification: Evidentiary Framework” (the “Guidance”).  The Guidance provides insight regarding standards for biomarker qualification under the 21st Century Cures Act (“Cures Act”).

FDA defines the term “biomarker” as a “characteristic that is measured as an indicator of normal biological processes, pathogenic processes, or responses to an exposure or intervention, including therapeutic interventions.” There are various types of biomarkers including, but not limited to: molecular – (i.e. blood glucose); radiographic (i.e. the size of a tumor); and physiologic (i.e. blood pressure), and each of these biomarkers fall into various categories, all of which are regulated by FDA. The term “biomarker qualification” is defined as “a conclusion, based on a formal regulatory process that within the stated context of use, can be relied upon to have a specific interpretation and application in medical product development and regulatory review.” Importantly, once a biomarker is qualified for a particular context of use, it becomes publicly available, and can be applied in any drug development program for that qualified context of use.

The Guidance discusses the evidentiary framework for supporting biomarker qualification, including needs assessments; context of use; and benefit-risk considerations, and how these considerations can relate to determine the type and level of evidence required to support the qualification of a biomarker. Additionally, the Guidance addresses general statistical and clinical considerations related to the correlation between the biomarker and outcome of interest, and general analytical considerations related to performance characteristics of the biomarker test.

Ultimately, the success of the Guidance in advancing biomarker qualification will turn on its contents and stakeholder input.  The Agency has asked for comments on the Guidance by February 9, 2019, to ensure that comments can be fully considered before the Guidance is finalized, although comments may be submitted on FDA guidance at any time. The formal announcement about the draft Guidance issued by FDA is available here.

On October 18, 2018, the FDA published Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.  This guidance outlined recommendations for cybersecurity device design and labeling as well as important documents that should be included in premarket approval submissions.  This guidance comes at a critical time as the healthcare industry is a prime target for hackers.  On January 22, 2019, the U.S. Department of Homeland Security Industrial Control System Cyber Emergency Team (US-CERT) issued another advisory regarding medical device vulnerabilities.  Further, a report by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) found that 18 percent of healthcare organizations reported that their medical devices were hit by malware or ransomware.  Many experts are also projecting that more cyber-attackers will target devices in 2019.

The FDA has recognized cybersecurity risk related to medical devices for quite some time, and has taken this step to further protect patients from such risks.  Other organizations have also taken aim at this issue, such as the National Institute of Standards and Technology (NIST) issuing guidance related to telehealth monitoring devices.  However, medical device manufacturers may continue to struggle to address these risks in design, development and implementation.  As a result, with Internet of Things (IoT)-enabled device innovation continuing to expand and the expectation of new threats, it is imperative that medical device consumers and manufacturers keep pace to ensure device network security.

There are several complexities that exist relative to securing medical devices. First, many devices no longer function as stand-alone components in healthcare settings as they are being integrated into the health care IoT.  Second, an increasing number of medical devices are network-connected and transmitting sensitive patient data through other wired or wireless components.  These two factors create quality improvements, convenience and flexibility to physicians and patients, but they can also introduce new security vulnerabilities that could adversely affect clinical operations as well as put patients at risk.

The FDA guidance addresses a number of key areas of risk.  In particular, the guidance recognized vulnerabilities stemming from insufficient access control safeguards medical devices.  For instance, administrators often assign the same password to multiple devices, which could provide unauthorized access to each device and its data.  Additionally, the FDA noted that data transmitted through the devices is not always encrypted, which could allow unauthorized individuals to intercept and even modify clinical information impacting patients’ privacy and/or safety.  Finally, a number of devices are vulnerable to malware without the ability to apply security patches.

To reduce risk, there are several measures that can be implemented to enhance device security.   For instance, hospitals and health systems should include medical devices in security risk analyses and risk management plans. Additionally, organizations should thoroughly evaluate security risks related to devices and vendors before purchasing devices (e.g. request disclosure of device cybersecurity properties).  As for device manufacturers, enhanced security systems should be baked into devices to monitor device networks and ensure device authorization is limited to assigned authorized users.

EBG will continue to keep an eye on how the industry reacts and implements the FDA’s guidance over time.


Brian Hedgeman


Alaap B. Shah

The federal government entered into a partial shutdown at midnight on Saturday, December 22, 2018. The implications of the ongoing shutdown are far-reaching, but its impact on the Food and Drug Administration (“FDA”) is of particular concern to members of FDA-regulated industries and those with a role in ensuring the public health. Thousands of FDA employees considered non-essential were furloughed and, consequently, routine regulatory and compliance activities at FDA were put on hold. On his Twitter account (@SGottliebFDA), Scott Gottlieb, M.D., Commissioner of the FDA (“Dr. Gottlieb”), has tweeted frequent updates regarding FDA operations. As he explained, FDA officials initially consulted with public health experts and other senior leaders regarding which FDA activities address threats to human life and safety and, thus, should continue during the shutdown.

Many FDA operations halted for two weeks during the holidays, according to schedule. Accordingly, many activities were not considered delayed until early January when FDA was scheduled to resume all operations. To provide examples of the shutdown’s implications at FDA, FDA is currently not accepting new medical product applications that require fee payment or reviewing drug applications that are not user-funded, and FDA’s Center for Drug Evaluation and Research (“CDER”) has paused all non-emergency over-the-counter monograph drug activities because these activities were determined not to address immediate threats to human life and safety. In addition, the thirty-day waiting period before sponsors of investigational new drugs may conduct clinical trials is paused during the shutdown unless the drugs are considered emergency drugs.

During the shutdown, FDA will utilize carryover “user fee” funding to continue review of certain applications that require a user fee, such as New Drug Applications, Biologics License Applications, and Premarket Approval applications for medical devices, if such fee has been paid. However, FDA may require more time than what agency timeframes allot to review these applications. FDA cannot accept new user fees during the shutdown. If fee payment is required, sponsors must wait until the government reopens. Some companies and industry segments, such as allergenic products, negotiated to be excluded from user fees and chose to instead rely on budget authority. Accordingly, when budget authority lapses, routine review activity for these products halts unless an emergency involving safety of human life warrants review.

As the shutdown entered week three, FDA determined it would resume activities necessary to identify and respond to threats to the safety of human life. On January 15, 2019, furloughed food safety inspectors returned to work without pay after Dr. Gottlieb days earlier sought and received permission from the Department of Health and Human Services and the White House to call the inspectors back to work. Resumed FDA activities include:

  • expanded monitoring and analysis of food safety surveillance and detection;
  • surveillance sampling of high-risk foods, drugs, and devices;
  • expanded monitoring and evaluating of medical device adverse event and malfunction reports to include additional types of medical devices;
  • expanded activities related to surveillance and response for recalls as necessary to identify and respond to threats to the safety of human life; and
  • expanded inspection activities beyond “for-cause” inspections to also include foreign and domestic food, drug, medical, device, and pharmacy compounding surveillance inspections focused on the highest risk products and facilities.

Resumed activities are being funded by carryover user fees and from the reduction of any overhead charges to CDER and the Center for Biologics Evaluation and Research. Dr. Gottlieb claims these funding sources give FDA roughly five weeks of funding to review new drug applications. FDA is seemingly operating at the best of its ability despite the circumstances. According to Dr. Gottlieb, carryover user fees supported the January 16, 2019 FDA guidance on drug development to treat rare diseases. Also on January 16, FDA issued draft guidance to support companies seeking final approval for tentatively-approved generic drug applications to promote timely access to safe and effective generic medicines. However, the Prescription Drug User Fee Act, which authorizes FDA to collect fees from companies that produce certain human drug and biological products, is the most vulnerable program, likely to run out of money the first week of February.

Manufacturers, researchers, and others involved in the creation of these products should continue to monitor for developments but should expect likely delays in all FDA review activity. Additional operations may resume as determined to be necessary if the shutdown continues. If the shutdown lasts for more than five additional weeks, it is unclear which FDA operations not addressing an immediate threat to human life can continue. Once the government reopens, FDA will still face a backlog of applications and other regulatory activity, almost guaranteeing a ripple effect of delays that will continue for the foreseeable future.

On December 7, 2018, the U.S. Food and Drug Administration (“FDA”) published a proposed rule (“Proposed Rule”) that, if finalized, would clarify the de novo classification process for medical devices, including (1) the format and contents of a de novo request and (2) the criteria for accepting or denying a de novo request. FDA intends to “enhance regulatory clarity and predictability… [and] provide a regulatory framework that sets clear standards, expectations and processes for de novo classification” through this proposed rulemaking.[1]

FDA regulates medical devices based on risk and has established three general classifications: “class I” (general controls required to provide reasonable assurance of the safety and effectiveness of the device), “class II” (special controls required), or class III (premarket approval required). The regulatory framework for class III devices is especially stringent—FDA reviews class III device safety and effectiveness under a premarket approval (“PMA”) application that takes six months or more to approve, if the device is found suitable for marketing. The 510(k) “premarket notification” submission, however, enables lower-risk devices that are “substantially equivalent” to existing, legally marketed (“predicate”) devices not subject to a PMA to obtain marketing clearance without a PMA. Under section 513(f)(1) of the Federal Food, Drug, and Cosmetic Act (“FDCA”), new devices receiving not substantially equivalent (“NSE”) determinations are automatically designated a class III device. The de novo process serves as an alternative pathway for receiving marketing authorization for class I or II devices.

In the Proposed Rule, FDA seeks to clarify and formalize the de novo pathway for novel devices without predicates. Many of these proposals are contained in various recent guidances from FDA.[2] Below we break down key components of the Proposed Rule:

 

FDA Reviewing Procedures: Facility Inspections Proposed

Perhaps the most controversial component of the proposed de novo pathway is a provision that enables FDA to conduct premarket manufacturing inspections of “relevant facilities” as part of its de novo review process. Although these manufacturing inspections are authorized under the FDCA as an element of the PMA application review, the FDCA does not grant this authority to FDA for de novo review.[3] If this provision remains upon rule finalization, de novo requesters must have their quality systems prepared for inspection. Failing to permit an authorized FDA employee to inspect a relevant facility results in automatic “withdrawal” of the de novo request.

This provision may also be problematic in light of FDA’s proposed timeline for de novo request acceptance. The Proposed Rule requires FDA to grant or decline a de novo request within 120 days from when it receives the request or any additional information. While de novo request devices are required to be classified within the same timeframe under the FDCA, 120 days is rarely met. According to the Medical Device User Fee Amendments 2017 (“MDUFA IV”), FDA articulates that it aims to “issue a MDUFA decision within 150 FDA days of receipt of the submission for . . . 55% of de novo requests received in FY 2019.” (emphasis added). FDA’s self-stated goals appear to make the proposed 120-day codification lofty, especially considering FDA’s authorization and intention to make premarket manufacturing inspections during its de novo request reviews.

 

Notable De Novo Request Content Requirements

The Proposed Rule intends to clarify the minimum content requirements as prescribed in section 513(f)(2) of the FDCA. Most of these components are consistent with de novo guidance recommendations, but there are a handful of new proposed requirements:

  • Bibliography of “all published reports” and other unpublished “identification, discussion, and analysis of any other data, information, or report” relevant to the safety and effectiveness of the device. This practice is typically reserved to higher-risk PMA applications under 21 C.F.R. 814.20(b)(8).
  • Samples of the device and its components (if requested by FDA). This practice is typically reserved to higher-risk PMA applications under 21 C.F.R. 814.20(b)(9).
  • Proposed advertisements and labels for the device. Although not uncommon for companies to include sample labeling information in 510(k) notifications, this proposed provision would now make it a requirement in de novo requests, similar to PMA applications under 21 C.F.R. 814.20(b)(10).
  • Information about “known or reasonably known existing [device] alternative[s].”
  • Statement that provides (1) a list of any required information that is omitted in the de novo request and (2) “a justification” for any omissions.

 

Acceptance Review

FDA proposes an acceptance review stage for de novo submissions during which FDA makes a “threshold determination” as to whether the de novo request contains sufficient information to warrant substantive review. Within 15 days of receiving the de novo request or additional information, FDA must complete the acceptance review and notify the requester—after 15 days, the de novo request is automatically accepted for substantive review. The Proposed Rule identifies several “deficiencies” that warrant a refusal to accept (“RTA”), including: (1) incorrect de novo request format; (2) incomplete submission of required content; and (3) the failure to provide a “complete response” to FDA requests for additional information or deficiencies identified by FDA in any prior submissions for the same device. These deficiencies are similar to the Refuse to Accept Policy for 510(k)s guidance and “Acceptance Checklist[s]” issued by FDA in January 2018.

 

Confidentiality Provisions

FDA sets forth confidentiality provisions that are similar to other FDA marketing submissions. FDA must maintain confidentiality of the requester’s de novo application until it issues an order granting the request. FDA must also maintain confidentiality of all information provided in the request. Public disclosure by the requester, however, renders these confidentiality requirements inapplicable.

The preamble makes it clear that FDA is proposing this rule to bring greater structure, clarity, and efficiency to the de novo classification process. This rule essentially formalizes many of the criteria recommended in various FDA guidances and provides more certainty (albeit less flexibility) for both de novo requesters and FDA enforcement.

The Proposed Rule is available for public comment until March 7, 2019. If finalized, FDA the regulations would go into effect 90 days after the final rule is published.

 

[1] 83 Fed. Reg. 63,129 (Dec. 7, 2018).

[2] See, e.g., U.S. FDA, Guidance: De Novo Classification Process (Evaluation of Automatic Class III Designation) (Oct. 30, 2017), available at https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm080197.pdf; U.S. FDA, Draft Guidance: Acceptance Review for De Novo Classification Requests (Oct. 30, 2017), available at https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm582251.pdf.

[3] In fact, the FDCA expressly prohibits FDA from conducting these premarket facility inspections in its 510(k) review (“other than a finding that there is a substantial likelihood that the failure to comply with such regulations will potentially presents a serious risk to human health”). See FDCA Sec. 513(f)(5).

On December 18, 2018 the Food and Drug Administration (“FDA”) finalized guidance on its existing Breakthrough Device Program and announced plans for advancement of the Safer Technologies Program (“STeP”).  In the announcement, FDA Commissioner Scott Gottlieb emphasized the FDA’s efforts to promote innovation in medical devices that advance patient safety. This new medical device guidance could signal a year of opportunity for innovative medical device manufacturers that seek to advance patient safety.

Breakthrough Device Program

The Breakthrough Device program was created under the 21st Century Cures Act and seeks to facilitate the development and expedite the review of breakthrough technologies that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions. Medical devices and device-led combination products that qualify for this program must meet specific criteria.  First, the device must provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating human diseases or conditions. Second, the device must meet at least one of the following criteria: (1) represent a breakthrough technology, (2) no approved or cleared alternatives exist, (3) offer significant advantages over existing approved or cleared alternatives, or (4) device availability is in the best interest of patients.  A manufacturer can send a breakthrough designation request at any time prior to sending its marketing submission. The Breakthrough Devices program replaces the Expedited Access Pathway and Priority Review for medical devices.

Safer Technologies Program (“STeP”)

STeP was first revealed in the Medical Device Safety Action Plan published in April 2018. The purpose of the program is to serve as an alternative for devices that cannot or do not fit into the breakthrough device construct, but still seek to make current treatments or diagnostics significantly safer.  The FDA anticipates creating guidelines for the STeP in 2019.

Opportunities for Stakeholders

The objective of both programs is to improve development through providing opportunity for additional interactions with FDA and faster reviews through a priority review designation and/or improving alignment on device development prior to regulatory marketing submissions.  These features can provide value to device manufacturers, and potentially accelerate development, although they are not a substitute for a manufacturer’s own planning regarding regulatory strategy.  Since its implementation in late 2016, approximately 110 devices have received Breakthrough Designation, so more manufacturers continue to take advantage of this program.  The STeP program could create even more opportunities.

On January 17, 2019, the FDA will host a webinar to help clarify the Breakthrough Devices program’s final guidance for manufacturers. Manufacturers should view this webinar to become better acquainted with the program and consider its potential benefits to products in development.

On November 26, 2018, the U.S. Food and Drug Administration (“FDA”) announced the process for clearing most medical devices for marketing is being updated to incorporate changes the FDA laid out in an April draft guidance. For over forty years, most medical devices have entered the United States market through the 510(k) clearance process. The 510(k) process offers an expedited approval process available only for products that are substantially equivalent to products already on the market (known as predicate devices). The FDA is considering no longer allowing sponsors to rely on predicates older than ten years and making public information about cleared devices that relied on predicates more than ten years old. In addition, the FDA intends to finalize guidance establishing an alternative 510(k) pathway with different criteria that reflect current technological principles.

In a statement, FDA Commissioner Scott Gottlieb reasoned that newer products relying upon older predicates might not reflect new performance standards or latest scientific and medical understanding. Commissioner Gottlieb believes this change will promote the continual improvement of medical devices. However, the announced change received quick pushback. Many manufacturers argue that reliance upon older predicates can be necessary when no newer predicates are available, and older predicates can provide data that helps sponsors make new devices safer. In addition, many industry-observers believe the FDA’s plans may contradict and exceed its statutory authority, and therefore require additional support from Congress.

If the current proposal becomes law, the implications will include increased costs for manufacturers forced to innovate because of the inability to rely on older predicates. The agency’s statement indicates that new medical devices that utilize the 510(k) pathway should be better than predicates, rather than the applicable legal standard of substantial equivalence. Thus, manufacturers can anticipate increased agency scrutiny when submitting information in the 510(k) summaries. In addition, manufacturers may need to make alternative plans if developing a new device based on an older predicate.

On November 19, 2018, the FDA submitted a proposal to the White House Office of Management and Budget (OMB) to approve a review that will assess current communication practices between FDA review staff and Investigational New Drug (IND) sponsors.  The FDA has contracted with Eastern Research Group (ERG) to determine whether the current mode of communication between these parties needs to be adapted moving forward.  Depending on the results of this review, communication practices and requirements could be altered, which might have an effect on the IND application process. Possible modifications might occur that could assist in removing communication bottlenecks hindering approval timelines.

By filing an IND, a drug developer seeks approval to conduct human trials of investigational new drugs.  After an organization submits an IND application to the FDA for approval, the FDA review team must review the submission within a 30 day period and determine whether to approve or deny the application.  During this period, the FDA review staff and IND sponsors communicate regarding IND status, concerns, and questions, and the clock stops on the 30-day period any time the FDA requests additional information from the sponsor. Overall, this process is designed to minimize the risk of harm to clinical trial volunteers and confirm that the clinical trial protocols are appropriate. Further, the FDA reviews the proposed study protocol to confirm sponsors’ plans support compliance with good clinical practice requirements.  The FDA released guidance last December on best practices for communication between IND sponsors and FDA review staff in order to assist in improving the effectiveness, timeliness, and transparency in communications between the parties.  Additionally, the FDA believes that improved communication may assist in facilitating the availability of effective and safe drugs to consumers.

The FDA expects that the upcoming review, pending OMB approval, will shed more light on how commercial IND sponsors perceive their communications with FDA staff.  During this review, ERG will collect data from sponsors of “a sample of up to 150 active commercial INDs that have activity during a one-year period.”  The surveys (which can be found here) and interviews with IND sponsors are intended to assess sponsors’ experiences when communicating with the FDA review staff, and will examine “what is working well, ongoing challenges and pain points, lessons learned, and opportunities for improvement.” After this data is analyzed and reported by ERG, the FDA will “publish the report on the Agency’s public website and hold a public meeting about the assessment.”

The study findings may be useful in assisting the FDA in meeting its PDUFA commitment to promote transparency between sponsors and review personnel.  The PDUFA plan emphasizes its goal to promote effectiveness and efficiency of the first cycle review process while minimizing the number of review cycles necessary for approval. Sponsor recommendations through the surveys may very well shed light on current communication issues as well as other factors that might hinder the approval process.  An understanding of such hindrances may assist FDA in improving communication and transparency between parties and, thus, the IND approval process itself.

EBG will continue to monitor all developments in FDA’s regulation of the IND approval process as well as the forthcoming results from ERG’s review of IND sponsor communication with FDA review staff.

Following up on its July 2017 guidance on the same topic (discussed in a previous blog post), FDA issued a proposed rule on November 15, 2018 to amend Agency regulations to allow Institutional Review Boards (“IRBs”) to waive or alter certain informed consent elements (or in some cases, waive the informed consent requirement altogether) for FDA-regulated, minimal risk clinical investigations (“Proposed Rule”).

What Clinical Investigations are Affected?

Importantly, the only clinical investigations affected by the Proposed Rule are those that are FDA-regulated and “minimal risk” – a term defined by FDA to mean that “the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests.”

Such minimal risk investigations may be approved by IRBs through an expedited review procedure.  Although FDA has designated specific categories of research that may be reviewed through this procedure, the designated activities are not automatically considered minimal risk just because they are on FDA’s list.  Rather, inclusion on the list simply means that the research activity is eligible for expedited review where the specific circumstances of the research involve no more than minimal risk.  Still, the designated research categories shed light on the types of studies that may be deemed minimal risk, including: research on a drug or device where an investigational new drug application (“IND”) or investigational device exemption (“IDE”), respectively, is not required; prospective collection of biological specimens for research purposes by noninvasive means (e.g., hair and nail clippings); collection of data from voice, video, digital, or image recordings made for research purposes; and research on individual or group characteristics or behavior, or research employing survey, interview, oral history, focus group, program evaluation, human factors evaluation, or quality assurance methodologies.

What is the Intent of the Proposed Rule?

Sometimes it’s not practicable for sponsors to obtain informed consent when conducting clinical investigations.  As current FDA regulations offer only very narrow exceptions to the informed consent requirements – for life threatening situations or emergency research –  the inability of an investigator to obtain subject informed consent would have previously brought potentially valuable investigations to a halt.  However, the Proposed Rule seeks to provide increased flexibility with respect to FDA’s informed consent requirements for certain minimal risk studies.

In particular, the Proposed Rule implements changes made to the Federal Food, Drug, and Cosmetic Act (“FD&C Act”) by the 2016 21st Century Cures Act (“Cures Act”).  These changes authorize FDA to allow for exceptions to its standard informed consent requirements where the proposed clinical trial poses no more than minimal risk to the human subject and includes appropriate safeguards to protect the rights, safety, and welfare of the subject.  Specifically, under the Proposed Rule, FDA would allow IRBs to waive or alter informed consent requirements if the IRB finds and documents that:

  1. the clinical investigation involves no more than minimal risk to the subjects (see “minimal risk” definition above);
  2. the waiver or alteration will not adversely affect the rights and welfare of the subjects (in making this determination, the IRB may consider, for example, whether the waiver or alteration has the potential to negatively affect the subjects’ well-being or whether the subject population in general would likely object to a waiver or alteration being granted for the research in question);
  3. the clinical investigation could not practicably be carried out without the waiver or alteration (FDA defines “practicable” to mean (i) recruitment of consenting subjects does not bias the science and the science is no less rigorous as a result of restricting it to consenting subjects, or (ii) the research is not unduly delayed by restricting it to consenting subjects); and
  4. whenever appropriate, the subjects will be provided with additional pertinent information after participation.

As noted above, FDA already issued guidance for immediate implementation in July 2017 that states that FDA does not intend to object to IRBs waiving or altering informed consent requirements, as described in the guidance, for certain minimal risk clinical investigations (see our previous blog post).  However, FDA intends to withdraw this guidance after the Proposed Rule takes effect.

What are the Envisioned Benefits?

If finalized, the Proposed Rule would largely harmonize FDA regulations with the Common Rule, which governs human subject research conducted or supported by HHS and other federal agencies.  The Common Rule has included provisions allowing waiver of informed consent for minimal risk research since it was first issued in 1991.  We note, however, that January 2017 revisions to the Common Rule added a fifth criterion to the four listed above related to IRB waiver or alteration of informed consent (this fifth criterion requires that “if the research involves using identifiable private information or identifiable biospecimens, the research could not practicably be carried out without using such information or biospecimens in an identifiable format”).  FDA is not proposing to adopt this fifth criterion at this time.

Beyond harmonization, the Proposed Rule should pave the way for certain minimal risk clinical investigations to proceed that otherwise would have never gotten off the ground, offering greater opportunities for sponsors and investigators to further their product development efforts and make positive contributions to the public health.

Comments on the Proposed Rule must be submitted to the docket by January 14, 2019.

On November 1, 2018, the Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) published an audit report finding that the U.S. Food and Drug Administration’s (“FDA”) policies and procedures were “deficient for addressing medical device cybersecurity compromises.” (A copy of OIG’s complete report is available here and Report in Brief is available here.) Specifically, the OIG found that FDA’s policies and procedures were “insufficient for handling postmarket medical device cybersecurity events” and that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. Although the OIG report “did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” it noted that “existing policies and procedures did not include effective practices for responding to these events.”

Citing cybersecurity of medical devices as a top management challenge for HHS, OIG conducted an audit to evaluate FDA’s plans and processes for timely communicating and addressing cybersecurity compromises in the medical device postmarket phase. Based on OIG’s audit of certain FDA internal policies, procedures, and website, as well as interviews with FDA staff, OIG recommended that FDA take the following actions: (i) continually assess the cybersecurity risks to medical devices and update its plans and strategies; (ii) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders; (iii) enter into a formal agreement with federal agency partners; and (iv) establish and maintain procedures for handling recalls of medical devices vulnerable to cybersecurity threats. Although the OIG acknowledged that FDA has recently implemented some of its initial recommendations, it emphasized that its findings and recommendations with regard to FDA’s cybersecurity policies and procedures remain valid.

On the same date OIG published its report, FDA’s Suzanne B. Schwartz, M.D., M.B.A., published a post on FDA Voices asserting that the OIG report is an incomplete and inaccurate picture of FDA’s oversight of medical device cybersecurity. The post addresses FDA’s ongoing efforts to improve medical device cybersecurity over the past five years, including entering into a memorandum of agreement between FDA and the Department of Homeland Security (“DHS”) and publishing a new premarket cybersecurity guidance update in October 2018, which we wrote about in a previous blog here. FDA’s post also highlights FDA’s other partnerships with industry that aim to increase awareness of cybersecurity vulnerabilities and related concerns.

FDA reiterated that its regulatory approach to cybersecurity threats “is not static,” and reconfirmed its commitment to “work with the medical device industry and other stakeholders to proactively address emerging cybersecurity threats to medical devices in a way that puts patient safety first.” FDA has announced that it will hold a public Workshop on January 29-30, 2019 to discuss the newly released draft guidance on cybersecurity in premarket submissions. Instructions for registration are available on FDA’s website here.

In response to the OIG’s report, FDA will likely continue to develop new cybersecurity policies, initiatives, and guidance. Stakeholders in the medical device industry should monitor these developments and be prepared to address any such changes in policy or regulation. Meanwhile, regulated industry should consider reviewing FDA’s current cybersecurity guidance documents and assess whether its internal controls, quality systems, policies, or procedures adequately address potential cybersecurity risks or threats or could be improved.

EBG will continue to monitor all developments in FDA’s regulation of and policies related to medical device cybersecurity.