Some technology companies are sitting on the sidelines, or just dipping their toes in the mHealth waters, out of fear of the unknown. Will FDA regulate this space? If we get into healthcare, will we get sued if someone breaks a finger nail using our app? Will the FTC come after us if we don’t have a bunch of clinical trials to support every claim we make? Will a patient come after us if personal health information somehow gets into the wrong hands? What about the company’s reputation if something goes wrong? And don’t get me started if your product triggers Medicare reimbursement. In many ways, the healthcare field seems scary at first, just based on the headlines we all read concerning regulatory and legal landmines.
Equally troubling, some technology companies are diving in without understanding the risks or having a plan to mitigate them. Indeed some just seem to be in a state of denial, as if not thinking about these issues makes them go away. Something akin to don’t ask, don’t tell. Others figure that as long as they don’t intend any harm, nothing bad can happen to them.
Both approaches are equally misguided. Instead, I suggest you deal with the risk: understand it and address it. This isn’t rocket science. I promise you can handle this, and make money doing so if your idea is good.
I am not going to do a treatise and describe all of the obscure legal and regulatory risks. If you like reading statutes and regulations, you’re in the wrong place. I’m not even going to paraphrase the law most of the time. My goal is simply to give you practical guidelines for how to navigate these uncertain waters.
I’m also not going to cover the myriad of legal and regulatory risks including product liability, HIPAA compliance, fraud and abuse, and the FTC. Instead I’m going to focus on FDA, partly because it’s representative of the other risks, and partly because it’s the area I know best. If your product doesn’t work well and someone gets hurt, you will have to both deal with FDA and face product liability.
A technology company new to the potentially regulated mHealth space needs to start by understanding: (1) the regulatory risk: its sources, nature, magnitude and likelihood, and then (2) more importantly, the primary risk mitigation strategies: how to avoid getting in trouble with FDA. I’m calling the second topic risk mitigation probably just because I’m a lawyer; most people would refer to it as best business practices. It also has elements of strategic planning, in that you can think of it as considering all of the possible threats, and also looking at the possible opportunities.
At its heart, FDA regulatory risk is fairly intuitive because you only need to remember one thing: it’s all about putting the patient first. Every FDA requirement can be explained by reference to what’s necessary to protect the patient. And that includes protecting the patient from misleading information, not just physical harm.
To make this more manageable, I thought in part one I would address the regulatory risk, and save the mitigation strategies for part two to be published soon.
Root Cause of Regulatory Risk
I’ve been doing this stuff nearly 30 years, and it’s been my observation that companies get in trouble for one of three reasons:
1. FDA has not spelled out the regulatory requirements clearly enough so you know what to do. Now this has quite obvious applicability to mHealth, considering we don’t have a final guidance yet from FDA. But even after we receive that guidance, there will still be many issues of interpretation left open. Consider the list of open issues I previously posted. In the case of extreme ambiguity, this could even be a defense, because criminal statutes are supposed to be clear enough that a person knows what they need to do to comply. As a practical matter, out of fairness, FDA is usually reluctant to proceed with enforcement if the rules are not clear. Indeed, FDA has been very slow to enforce the rules in the mobile app space since they haven’t yet published their guidance, frankly even when the violations appear reasonably clear.
2. You don’t know what you don’t know. It’s possible that the FDA requirements are clearly specified somewhere, for example, on the agency’s website, but you don’t know what those requirements are out of simple ignorance. As probably everyone in America knows, though, ignorance of the law is no excuse. So this represents one of the most dangerous pitfalls.
3. You screw up the execution. Here, I’m assuming the law is clear and that you know what it was, but in a big organization sometimes the left hand doesn’t know what the right is doing, or you simply do a poor job of complying. These can be hard cases to defend if the violation itself is clear. It all comes down to the facts and what you did or didn’t do.

FDA cleared: Telcare's Blood Glucose Meter
So these basically are the ultimate sources of regulatory enforcement risk, and I want you to keep these in mind as you go through these two posts, particularly part two. That’s because, if I’ve done this right, the mitigation strategies all relate back to these three fundamental risks.
FDA’s Fairness in Practice
FDA is pretty fair and practical. I think a lot of people outside the device industry fear that FDA is arbitrary and unreasonable, but that’s not been my experience. Such people fear that if they make an innocent mistake, FDA will come down on them with a sledgehammer. But that’s a myth. Instead, FDA approaches enforcement in a common sense way, where they start with the least aggressive action first to see if they can bring about compliance. They do this both because it’s fair, and because it is more cost-effective than getting too aggressive too early. The following tend to be the escalating steps FDA would take to bring a company into compliance.
1. Private communication. Sometimes in the form of an untitled letter, FDA may simply talk to you or send you a letter asking about your compliance, or suggesting the need to address some deficiency. They will do this for what might be minor violations.
2. Warning letter. This is an official correspondence that indeed gets posted on the FDA’s website. The warning letter is directed at a more significant deficiency that requires immediate attention.
3. Administrative or judicial enforcement action. An administrative enforcement action is one that the agency has the power to do without involving the court. An example in the medical device realm is “administrative detention” where they can literally quarantine your products for up to 20 days. Most of the other really severe enforcement steps require the involvement of the court. This includes actions like seizures, injunctions and criminal penalties.
In practice, when FDA is really concerned about the conduct of a company, FDA has two additional very powerful weapons up its sleeve that do not require the direct involvement of a court. The first is adverse publicity. FDA has the power to talk to the media where, for example, they believe the public is at risk. In my observation, FDA has been using this more and more to get their point across, and there’s no question that it has a punitive effect on the companies that are the target of FDA’s wrath. From a legal standpoint this is a bit scary because there are very few legal controls over what FDA can do. The second is recalls and other field corrections. Technically this is not a punishment, but it sure feels like one sometimes. FDA can push companies into very expensive recalls, both in terms of out-of-pocket cost and reputation. Although a recall is ostensibly necessary to correct the violation, I do believe that FDA also uses recalls occasionally to make a point. At the same time, to the agency’s credit, I believe they only pursue these when they are genuinely very concerned about the conduct of the company and the public health risk.
Types of Regulatory Risk
So, you screwed up. The question is, what can they do to you? I hate it when someone asks me that because essentially they’re asking the broad question of what all the possibilities are. My honest offhand answer is “I’m not sure what they can’t do to you.” For example, they can:
1. Detain your product. I’m not exactly sure how they would do that in the case of software, but I would guess they would think of something.
2. Seek to impose criminal sanctions, either on the company as a whole or the responsible officers.
3. Go to court and get an order for you to do or not do something.
4. Seek fines.
5. They can shoot you, bury you, dig you up, shoot you again, and your mother too.
If you are debating whether to intentionally violate the law based on the magnitude of the regulatory risk, you might want to comply.
At the same time, for fair balance, I don’t want to leave you with the impression that if you screw up they will throw you in jail. It depends very much on the nature of the screw-up and your intentions. In fact, the phrase screw-up suggests an innocent mistake, and for those you ordinarily simply get a warning and an opportunity to do the right thing.
What Triggers These Risks?
I will bypass the technical mumbo-jumbo about jurisdiction. Basically, if you are doing business in the U.S. and you are putting a medical device in commerce, you are subject to FDA regulation. Exactly what is a medical device in the context of mHealth is a topic I’ve dealt with in other posts.
But regulatory liability comes into play when you fail to meet the standards that apply to a given activity associated with bringing a medical device to market. The following table illustrates some of the more common requirements and the activities to which they relate.

If the requirement applies, the responsibility for meeting it can’t simply be contracted away, generally speaking. However, you can shift the whole activity and with it much of the day-to-day work. But typically, if you control (1) the specifications for the product and (2) the marketing strategy for the product, you will possess ultimate responsibility for regulatory compliance.
Intent: What It’s Not And What It Is
Anyone who has watched Law and Order knows that intent plays a very important role in the American justice system. But what you would not get from the show is the relevance of intent to a regulatory violation of the Federal Food, Drug and Cosmetic Act. It’s different. Boy is it different.
For starters, for a low level violation, most of the time no one cares whether you intended the violation or not. For example, to establish a violation, no one cares whether you had specific intent to do something you knew was wrong, or whether you were even directly involved in the wrongdoing. Further, no one really cares if you feel good about yourself or have a clear conscience. And certainly no one gives a darn whether you think your conduct is legal.
Intent does come into play in that it is the distinction between a felony and misdemeanor. But if we’re talking felonies and misdemeanors, you probably ought to be reading something more scholarly than this article. For the rest of you, the following chart depicts very broadly and imprecisely the role of intent in the various levels of FDA enforcement. I don’t want any comments from attorneys asking me where in the statute this language appears. It doesn’t. Instead, this is based on my observation of FDA practice.

For me, the key takeaway from the chart is the very first row, where the chart explains you do not need any intent at all for the vast majority of FDA enforcement actions. It’s not about blaming someone, but rather simply the existence of a violation. If the device is broken, it needs to be fixed, whether anyone is blameworthy or not. The second takeaway is that traditional intent really doesn’t come into play until you arrive at the last row, where we are talking about criminal felonies. For the stuff in the middle, the issue is more about whether the company fulfilled its obligation to be duly diligent in controlling its people, and whether an individual had the power to do something to avoid the violation, and the responsibility to act.

FDA cleared: WellDoc's DiabetesManager
Statistically, well more than 99.99 percent of people in the medical device industry will never have to worry about whether they had the requisite intent for a felony. Those prosecutions are very rare. But there is an aspect of intent that is much more relevant to developers of mHealth apps. A few folks have asked me over the last couple of years what I would expect the FDA response to be to a software developer that produces a medical app without complying with FDA requirements, if it turns out they are indeed required. My response is to describe two different scenarios that involve two different types of intent.
1. The first is a true borderline case where it is unclear, based on all the different sources of FDA guidance (and there are many beyond the draft mobile apps guidance), whether the app is FDA regulated, and the developer truly believed that they had a reasonable case for deciding that it is not. I would also include in this category a situation where there is reasonable ignorance of the law. You’ve always heard that ignorance of the law is no excuse, but in practical terms FDA is willing to cut some slack to very small businesses that don’t have many resources. The larger the business, the more sophistication FDA expects. In these cases, I would expect FDA to respond with either a private or public warning directing the company to come into compliance. If it was truly a reasonable interpretation and low public health risk, I would imagine FDA would try as hard as it could to allow for a reasonable transition to regulatory compliance without disrupting patients and the delivery of healthcare.
2. A different scenario would be where the company took a more reckless or arrogant or sneaky position where it really was clear that the FDA requirements applied, and maybe the company was just gambling on flying under the radar or simply felt that it wanted to wait until FDA got serious. In that instance, I would expect FDA to respond with a more public warning but also to be much less willing to accommodate a smooth transition. Among other things, FDA might demand (a) that the product be taken off the market until compliance is achieved, (b) that the existing products on the market be recalled, and (c) that public warnings be issued. If you add to the scenario that the public was put at risk by the noncompliance (which is frankly the case more often than not, because every FDA requirement is there to protect the public), or more extreme sneakiness or indifference, you might also see the agency pursue the penalties described in the next section.
Magnitude and Likelihood of Regulatory Risk
If someone casually picks up the statute to read about the penalties (okay, I have no idea why anyone might do that), that person might be surprised to see that the basic misdemeanor violation of the act is punishable by no more than one year in prison and a fine of not more than $1000. That doesn’t seem so bad. The problem is, that’s for each violation, and each widget sold in violation of the act is a separate violation. So if you sell a thousand adulterated widgets, that means the maximum penalty is 1000 years in prison and 1 million bucks. Actually, in that case, calculating the prison term is more complicated, but you get the idea: it multiplies. In practice, FDA has quite a bit of discretion, and the penalties they seek are generally proportionate to the blameworthiness of the conduct as they see it.
The likelihood of facing FDA penalties is really hard to predict. In another post recently, I’ve complained that FDA enforcement these days is very uneven. I’ve seen in many cases blatantly unlawful conduct to which at least publicly FDA does not respond. In this area of mobile apps, FDA has not yet developed, let alone publicly articulated, an enforcement strategy to deal with the torrent of new mobile apps. They’ve talked about doing things almost like class actions, where they would send a raft of warning letters to a bunch of companies all doing the same thing, as they did with the pharmaceutical companies over the issue of sponsored links. I’m hoping they don’t go too far down that road because at the end of the day this is America. They need to take appropriate steps to document a violation first. I hope we don’t see ready, fire, aim.

FDA cleared: AliveCor's Heart Monitor, AliveECG
That said, traditionally the likelihood of FDA enforcement depends on five factors, as follows:
1. Visibility of the conduct. Obviously visibility doesn’t mean some conduct is actually worse than others; it just means that in practical terms, when an agency is strapped for resources, if you go and stand in front of their offices in Silver Spring, Maryland and shout about all sorts of off-label uses for your product, it seems more likely they will pursue you. That’s obviously hyperbole, and a more realistic example would be an app that makes a big splash in the media or on the Internet. FDA loves to surf the Internet because they can do that very inexpensively. They also love to go to large trade shows because they can walk up and down the aisles and see what everyone is doing all in one visit.
2. Disgruntled employees. Statistically, a very large portion of the complaints FDA receives about the conduct of companies comes from the company’s own employees. This tends to be one of two scenarios. The first is where an employee is pissed off at a company for any number of reasons, including being laid off or simply not getting the pay raise they were expecting. But the other kind is the conscientious employee who is bothered by the conduct of her employer. Particularly in the quality field, those jobs attract people who are personally very invested in the safety and quality of their products, and are bothered in their souls when the company decides to cut corners. In either case, the FDA is only a phone call away, and they use it.
3. Competitor dynamics. An even bigger percentage of the complaints FDA receives are from competitors. While the reason is obvious, there are some more subtle predictors that you want to watch. One is if your competitor has gone to the trouble and expense of complying with the FDA requirements; you know darn well that they will expect you to do the same.
4. Public health consequences. In reality, FDA lets a lot of minor stuff slide simply because they don’t have the time to do anything about it. But what will galvanize FDA most quickly is if they believe the consumer is at risk. If your conduct even arguably puts people at risk, your regulatory risk goes up substantially.
5. Clarity. Here I am referring both to the clarity of the FDA rules as well as the clarity of your conduct. When pursuing an enforcement action, FDA always has to think about how well it can prove its case, and the clarity of the lines that were crossed and the documented conduct by the manufacturer get scrutinized carefully before FDA proceeds. The government doesn’t like to invest in enforcement cases they might lose.
So there you have it. That’s what I see in terms of the regulatory risk of entering, or skirting the edges of, the medical device industry. The reason for going through all of that is to lay the foundation for the next post, which will be all about ways to minimize the risk of those regulatory consequences. Today’s post is the painful part; I promise the next post will be more uplifting.