From Servers to Medical Devices

Elisabethann Wright, Hogan & Hartson LLP, Belgium

Prof.Dr.med. Björn Berg, Director of Information Technology & Medical Engineering, University Hospital Heidelberg, Germany

Anne-Sophie Bricca, Director EMEA Legal Affairs, CaridianBCT, Belgium

Petra Wilson, Director, Internet Business Solutions Group, Cisco Systems


From Servers to Medical Devices. Wright E. eHealth week 2010 (Barcelona: CCIB Convention Centre; 2010)


Page 1: From Servers to Medical Devices

From Servers to Medical Devices

Elisabethann Wright

Hogan & Hartson LLP, Belgium

Prof.Dr.med. Björn Berg

Director of Information Technology & Medical Engineering

University Hospital Heidelberg, Germany

Anne-Sophie Bricca

Director EMEA Legal Affairs, CaridianBCT, Belgium

Petra Wilson

Director, Internet Business Solutions Group

Cisco Systems

Page 2: From Servers to Medical Devices

The legal landscape of medical devices – the needs

Point-of-care diagnostic device for:

• Seamless integration of data at ward level

• Data integration to national summary EHR

• Anonymous data aggregated locally for research purposes

• Routine automated device testing

Home monitoring device for:

• Patient clinical data collection

• Routine remote follow-up of patients

• Automated alert of the treating physician

Page 3: From Servers to Medical Devices

The legal landscape of medical devices – legal issues

• Medical Device Certification for physical medical devices

• Medical Device Certification for software which supports devices

• Local modifications of the devices - hardware and software

• Data processing of data from devices

• Liability for use of on-site and off-site devices

Page 4: From Servers to Medical Devices

What is a Medical Device?

The current Medical Device Directive defines a medical device as:

• “any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of:

• diagnosis, prevention, monitoring, treatment or alleviation of disease;

• diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap;

• investigation, replacement or modification of the anatomy or of a physiological process;

• control of conception;

• and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means”.

Page 5: From Servers to Medical Devices

What is an accessory?

An accessory is defined in the Directive as:

• “an article which whilst not being a device is intended specifically by its manufacturer to be used together with a device to enable it to be used in accordance with the use of the device intended by the manufacturer of the device”.

• The European Commission Guideline (MEDDEV 2.1/1 April 1994), provides:

• “the definition of "accessory" requires that the accessory is specifically intended by the manufacturer of the accessory to be used together with a device. The intended use of the accessory must be such as to enable a device to be used in accordance with its intended use. Therefore a product can only become an accessory to a medical device if the manufacturer of such a product establishes an intended use in conjunction with one or several medical devices.”

• The Directive provides that “accessories shall be treated as medical devices in their own right”.

Page 6: From Servers to Medical Devices

Software as a Medical Device

• No specific definition of “software” in either regulation or guidance at present. However the Medical Devices Directive provides some direction:

• “For devices which incorporate software or which are medical software in themselves, the software must be validated according to the state of the art taking into account the principles of development lifecycle, risk management, validation and verification” (Annex 1 Essential Requirements, point 12.1a)

• “Stand alone software is considered to be an active medical device” (Annex IX Classification criteria, point 1.4)

• “Software, which drives a device or influences the use of a device, falls automatically in the same class” (Annex IX Classification criteria, point 2.3)

• Harmonised international standards provide guidance:

• EN 62304:2006 Medical device software - Software life-cycle processes (IEC 62304:2006).

Page 7: From Servers to Medical Devices

Data Flows

[Figure: data flow diagram. Parties shown: Patient; Care Providers; Point of care Diagnostic Device; home monitoring devices; US Vendor Technical support; academic nephrologists. Flow labels: Tech. Data; Pers. Data; Scientific Data.]

Page 8: From Servers to Medical Devices

Directive 95/46/EC

Scope: protection of individuals with regard to the processing of personal data and on the free movement of such data.

Applicability: to data processed by automated means and data contained in or intended to be part of non-automated filing systems.

Content: strict limits on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the protection of these data.

Page 9: From Servers to Medical Devices

Personal Data

Definition:

Chapter I – Article 2 (a)

“Any information relating to an identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

Page 10: From Servers to Medical Devices

Derogation

Article 8.3: “processing of data concerning health is (authorized when) required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.”

Page 11: From Servers to Medical Devices

Data Controller’s obligations

Controller’s obligations:

• Collection of the data subject's consent (Article 2(h))

• To give information to the data subject (Article 10):

  • the identity of the controller and of his representative, if any;

  • the purposes of the processing

  • the recipient(s)

• To provide a right of access to and a right to rectify (Article 12)

• To ensure the confidentiality of processing (Article 16)

• To ensure the security of processing (Article 17)

• To notify the supervisory authority (Article 18)

• To act as a Data exporter in case of transfer to a third country.

Page 12: From Servers to Medical Devices

Liability Flows

[Figure: liability flow diagram. Parties shown: Patient; Hospital / care institution; Vendor; Health care professional.]

Page 13: From Servers to Medical Devices

Questions of Liability:

Key actors

Potentially 5 groups of people have liability issues:

• The device manufacturer(s)

• The Hospital

• The Healthcare Professionals

• The Internet Service Provider

• The patient

Page 14: From Servers to Medical Devices

Questions of Liability

Relevant EU level Legislation

Liability for defective products (Dir. 85/374/EC & Directive 1999/34/EC)

General product safety (Dir. 2001/95/EC)

Sale of consumer goods (Dir. 1999/44/EC)

Information society services and eCommerce (Dir. 2000/31/EC)

Page 15: From Servers to Medical Devices

Questions of Liability

Key Concepts

• Professional liability for good healthcare services

• Institutional and Vicarious Liability of hospital

• No-fault Liability

• Special liability of Information Society Services providers

• Contributory Liability of Patients