
Compliance with FDA Regulations: Collecting, Transmitting and Managing Clinical Information

Dan C Pettus
Senior Vice President
iMetrikus, Inc.


Confused?

• 25 Years in technology development

• 20 Years in Healthcare Informatics

• When it comes to FDA (HIPAA, and others) regarding regulatory requirements for telemedicine and clinical data …. and I’m still confused?


FDA Currently Regulates

[Diagram. Regulated product categories: Food; Biologics; Animal Feed and Drugs; Cosmetics; Radiation Emitting Products; Drugs; Medical Devices. Other diagram labels: Premarket Approval(s); Contract Research Organizations (CRO); Clinical Trials; PMA or 510(k) FDA Submission; QSR; Validation; Quality; Manufacturing Records; Incident Reporting; Corrective Actions; 21 CFR Part 11; “Cloud”.]


What does Regulation Mean?

• For devices, drugs, etc., it means the manufacturer is held accountable for GMP and QSR under Title 21 parts 1 to 1299 (e.g., part 801 – Labeling, part 820 – Quality System)

• Ability to electronically authenticate is permitted under 21 part 11 of the FDA regulations

• The FDA issued guidance documents which identify portions of title 21 part 11 as being applicable for clinical trials submissions

NOTE: Clinical Information may be regulated by additional state and federal agencies. HIPAA is a good example.


A Device is…

According to the FDA, a device is:

"an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:

• recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,

• intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or

• intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."

If the primary intended use of the product is achieved through chemical action or by being metabolized by the body, the product is usually a drug. Human drugs are regulated by FDA's Center for Drug Evaluation and Research (CDER).


When is a device a device?

• Diagnostic Patient Monitoring – yes

• Electronic Medical Record Systems – no?

• ICU Clinical Data Management Systems – no?

• Anesthesia Data Management Systems – depends on who you ask?

• Telemedicine – maybe?


Case History - ARKIVE

• 1985-1986: Ohmeda develops a semiautomatic electronic anesthesia record keeper as an “accessory” to its gas machine

• 1986 Arkive files 510(k) as an anesthesia information system. FDA classifies Arkive a gas machine accessory. FDA is informed that Arkive is a stand-alone information management system and not an accessory to anything. …FDA response – reclassify Arkive – no longer an accessory – it’s now a “gas machine”?


Is Telemedicine a device?

Although FDA does not regulate the delivery of health care services or the transmission of information related to care between physicians and patients, FDA does regulate the commercialization of technologies associated with health care delivery (devices). As FDA has stated: “The use of advanced telecommunications technology to deliver health care brings with it a host of concerns about safety and effectiveness.” In its White Paper, FDA’s Center for Devices and Radiological Health (CDRH) declared that many “products” used in telemedicine are medical devices subject to regulatory authority.


Clinical Data is Regulated When:

• It is part of a clinical trial

• It is embedded as part of a regulated device

• The data acquisition is an accessory to a regulated device

• Accessory to a regulated device is a bit fuzzy


In General

• The collection, transmission, and management of clinical data for the purpose of care management and medical treatment is not usually regulated by the FDA (May be regulated by other agencies and laws, e.g., HIPAA)

• Reasonable efforts should be used to avoid deliberate or accidental disclosure

• Patients have rights under state laws and HIPAA regarding privacy and disclosure


Best Practice

• Policies and operating procedures that clearly describe your organization’s collection and use of clinical data

• Business Associate Agreement under HIPAA

• Best practice to protect a patient’s privacy

• Best practice to ensure security throughout the network

• Regular audits that validate your process


Example of Technology Security

[Network diagram. Labels: Internet; PIX Firewall; Redundant PIX 520 Firewalls; Checkpoint Firewalls; Checkpoint VPN Firewall; Customer Access; HTTP Layer Access Firewall; Administration Firewall; VPN Access Firewall; Backend Database Firewall; Redundant F5 BiGIP Load Balancer; CITRIX Access; VPN Server; Marketing Servers; MediCompass Servers; Siebel Web Server; Siebel Application and DB Servers; OLTP Database Engine; OLAP Database Engine; Third-party and Domain Servers; Email Server; Email Campaign Server; SMTP Alerts; Optic Nerve Real-time Monitoring; Two MultiTech 48 Wide Modem Banks; Redundant TELCO PRI Modem Lines. Server hardware shown: ProLiant 6400R, ProLiant 1850R.]


Summary

• With regard to clinical information, the FDA regulates devices and drug submissions (clinical trials)

• Your organization may be required to comply with FDA if the clinical information is part of a clinical trial

• May be subject to other state and federal (HIPAA) regulations