An ISO executive responds to the legislation

By Jim Spearman, MBA

On April 25, Congressmen Ryan Costello (R-Pa.) and Scott Peters (D-Calif.) introduced H.R. 2118, “Ensuring Patient Safety Through Accountable Medical Device Servicing.” The bill references Chapter 5 of the Federal Food, Drug and Cosmetic Act (FD&C), the Code of Federal Regulations (CFR), and 21 USC 360, “Registration of Producers of Drugs or Devices.”

The intent is to close a long-standing loophole that allows the servicing of medical devices to go unregulated by the U.S. FDA and be performed by entities other than the original equipment manufacturer. (Interestingly, service operations conducted by the device-user are exempt from this legislation.)

H.R. 2118 has three main requirements:

  1. Servicers of medical devices must register with the FDA.
  2. Adverse events must be reported to the FDA.
  3. A complaint handling system equivalent to 21 CFR 820.198 must be established by the entity performing the service.

This legislation is a result of a public workshop hosted by the FDA on Oct. 27-28, 2016. I attended that event, along with multiple device manufacturers, third-party service, and in-house service organizations. During the workshop, I voiced my concerns and best practices openly in the spirit of supporting constructive dialogue between the opposing views. My intent was to help find effective solutions that address the various stakeholders’ concerns.

Reasons for Concern

Joe Robinson, senior vice-president with Philips North America and chairman of the board of the Medical Imaging & Technology Alliance (MITA), provided Congress with documented cases of improper and unsafe medical repairs that had not been reported to the FDA. Note: Many of the members of MITA are medical device manufacturers like Philips and GE Healthcare, which are mandated by law to report adverse events to the FDA.

Independent service providers are making a case that statistical evidence of improper servicing by third-party service companies doesn’t point to a widespread problem. International Association of Medical Equipment Resellers and Servicers (IAMERS) Counsel Robert Kerwin, for instance, was among the panelists who testified on May 2 in a hearing before the U.S. House of Representatives Committee on Energy and Commerce on the legislation. During his testimony, Kerwin mentioned that third parties have evidence of unreported, adverse service events performed by the device manufacturers, as well.

During the May 2 hearing, committee members posed two questions to the panelists specific to patient safety: “How do independent service organizations obtain their training?” and “What regulations currently govern third-party service providers?” The responses revealed a wide range of competency, as well as a general lack of awareness about precisely how many third parties were performing service.

One response addressed the fact that there is currently no regulatory accountability or oversight of third-party service providers. The issue of voluntary reporting was discussed in-depth—and the chairman of the committee, Michael C. Burgess of Texas, questioned why the FDA didn’t treat all entities performing the same service work equally.

Patient safety appeared to be the overarching concern. Cost wasn’t far behind, and a specific focus was centered on small and rural hospitals. A key concern is that service providers will pass along the increased costs of complying with this legislation to hospitals and other end-users. In my opinion, this could certainly add even more cost to an already cost-laden industry.

Moreover, Jeffrey E. Shuren, MD, director of the FDA’s Center for Devices and Radiological Health (CDRH), testified that there was a lack of visibility to potential adverse patient safety events and even the precise number of third-party service entities. He went on to say that the FDA has not definitively taken a position on whether the proposed legislation should be enacted.

How Will This Impact ISOs?

The question-and-answer portion of the May 2 congressional hearing framed the elements that will most likely be required of independent service organizations. As I listened closely, there was a subtle hint that this would be an “important first step,” like Joe Robinson mentioned. Those who intend to build an infrastructure to comply with all proposed future regulatory legislation should especially take note of this.

In its current form, H.R. 2118 mandates FDA registration, which could cost several thousand dollars; however, during the congressional hearing, someone mentioned that the FDA could waive that fee. Mandatory reporting of adverse service events also isn’t so bad.

Furthermore, complaint-handling may seem like the least troublesome of the required elements, but this simply isn’t so. Carefully read 21 CFR 820.198—it’s apparent that almost every service event could technically be classified as a complaint.

A service management software platform is the most common method for creating a robust reporting framework. Still, these can be very costly, with individual user licensing fees along with recurring subscription fees. Moreover, proper complaint-handling without such an infrastructure is a major—if not monumental—task.

In my opinion, addressing the key requirements of the proposed legislation can be done in one of two ways:

  1. Implementing programs, as well as an infrastructure, that comply with all portions of 21 CFR 820 that pertain to your business
  2. Certifying your quality management system to ISO 13485:2016—the newest version of the standard that mandates regulatory reporting

If a service organization hasn’t had a long-standing culture of quality that senior managers—as well as the ultimate business leader—explicitly support, I strongly recommend the creation of a dedicated compliance leader role. After all, a true culture of quality must come from the top of the organization; otherwise, the initiative will fail.

If your organization or current service partner services medical devices and is not compliant with all current medical device regulations, I strongly recommend monitoring this activity closely. Get connected and follow updates on the FDA’s CDRH website or Twitter account, and stay informed via our friends at 24×7 Magazine.

Navigating the Next Steps

The congressional hearing on May 2 concluded with the chairman giving committee members 10 working days to submit additional questions and the witnesses another 10 working days to respond. June 1 will be the next time we could see formal action, so be sure to get visibility before then. [Editor’s note: 24×7 Magazine went to presstime before any decision was made.]

At Consensys, for instance, we’ve kept our customers informed of this activity along the way and provide service solutions like FirstLook™—which trains in-house service engineers and provides all parts and technical support. This comes with the full backing of our ISO 13485-certified quality management system, which can buy facilities time until they build their own program. In other words, assume this legislation will be enacted and identify a plan to achieve compliance either with a partner like Consensys or another viable means.

Uncertainty is always bad for business. It’s like the old adage goes: “He/she who is well prepared is seldom surprised.” Today, there are more service organizations than ever before, and we know adverse event reporting to the FDA isn’t happening consistently. But while the data may not appear to be statistically significant, if it wasn’t happening at all, there wouldn’t be documented evidence that’s now part of the congressional record.

The good news? Regardless of congressional action, it’s possible for third parties to be compliant. After all, Joe Robinson even mentioned that Philips uses third parties as an integral part of the company’s offerings.

Hopefully, Congress takes a balanced and reasonable approach. But to think that no action will be taken is naïve in my opinion. So I’ll simply highlight Chairman Burgess’ questions at the end of the May 2 hearing:

• “Shouldn’t each entity be equally responsible for submitting adverse events related to their work?”

• “If you’re each doing the same service work, why does the FDA treat you differently?”

• “What about the sharing of passwords, manuals, and training?”

These questions hint at a commonsense approach to addressing the gap in accountability. If your organization or current service provider isn’t compliant today, teaming with partners further ahead on the learning curve is a great option. The proposed legislation gives an 18-month compliance period—so make sure that whichever plan you choose incorporates that deadline. Good luck!

Jim Spearman, MBA, is President and CEO of Consensys Imaging Service, Inc. The viewpoints expressed in this article are solely of the author. For more information, contact chief editor Keri Forsythe-Stephens at kstephens@medqor.com.