Log in

The Long-Term Effects of the Safe Medical Devices Act Are Still Unknown

Ms. Schuster and Ms. Butler are associates, Greensfelder, Hemker & Gale, P.C., St. Louis.

Summary

Unlike previous medical device laws, the Safe Medical Devices Act of 1990 (SMDA), which became effective November 28, 1991, applies to "device-user facilities" such as hospitals and long-term care facilities. Final regulations are scheduled for release later this spring.

The SMDA's primary goals are to:

• Ensure all devices currently in or entering the marketplace are safe and effective
• Enable the U.S. Food and Drug Administration (FDA) to learn quickly about serious problems with medical devices
• Remove defective devices (old and new) from the market

To achieve these goals, Congress has given the FDA new review and enforcement powers, including the authority to impose fines on those in violation of the law.

Incidents in which a medical device caused or contributed to the death, serious illness, or serious injury of a patient are referred to as medical device—reportable (MDR) events. A user must report MDR deaths to the FDA and to the manufacturer (if known). Serious illnesses and serious injuries caused by or attributed to the use of a device must be reported to the device manufacturer or, if the manufacturer is unknown, to the FDA.

Facilities must report MDR events to the FDA semiannually and maintain incident files for two years after reporting the MDR event. The FDA may assess civil penalties against parties that do not comply with the SMDA's reporting provisions. Healthcare facilities must develop and implement employee training and education programs to help physicians, nurses, and other allied health employees identify and report MDR events.

The Safe Medical Devices Act of 1990 (SMDA) became effective on November 28, 1991. Unlike previous medical device laws, the SMDA applies to "device-user facilities" such as hospitals, ambulatory surgical facilities, outpatient treatment and diagnostic facilities (excluding physicians' offices), and long-term care facilities. The SMDA's primary goals are to:

• Ensure all devices currently in or entering the marketplace are safe and effective
• Enable the U.S. Food and Drug Administration (FDA) to learn quickly about serious problems with medical devices
• Remove defective devices (old and new) from the market

Specifically, the SMDA requires any device-user facility that becomes aware of information reasonably suggesting that a medical device caused or contributed to a death, serious illness, or injury to a patient in a facility to report the incident to the FDA, the device manufacturer, or both (Public Law 101-629, 104 Stat. 4511 [1990]; and 21 U.S.C. 360i [1990]).

To achieve the SMDA's goals, Congress has given the FDA new review and enforcement powers, including the authority to impose fines on those in violation of the law. Although hospitals already have in place a variety of reporting procedures and protocols related to drugs and devices, many long-term care facilities do not. Therefore the SMDA's requirements may present long-term care facilities with a challenge to prepare and enforce appropriate reporting policies.

The new reporting requirements enable the FDA to obtain information about the safety and effectiveness of new medical devices, as well as devices already on the market. In light of recent concerns regarding the safety of silicone breast implants, the FDA has committed itself to particular scrutiny of medical devices entering the market before May 1976. In addition, the SMDA requires device manufacturers and distributors to report device corrections or removals and allows the FDA to recall devices when they pose a risk to the public.

The SMDA mandates strict compliance with reporting requirements and provides for civil penalties for failure to comply. Device-user facilities, including hospitals and long-term care facilities, are not immediately subject to these penalties; however, they may be subject to penalties in the future. The FDA published proposed final regulations on November 26, 1991, and March 27, 1992, that further define the SMDA reporting requirements. Final regulations are scheduled for release later this spring.

Medical Device Incident Reports
A facility is required to report incidents in which a medical device caused or contributed to the death, serious illness, or serious injury of a patient. Such incidents are referred to as medical device—reportable (MDR) events.

The term "medical device" is defined as any instrument, apparatus, implant, or in vitro reagent used in the diagnosis, cure, mitigation, treatment, or prevention of disease. Essentially, a medical device is anything used in direct patient care that is not a drug (e.g., ventilators, wheelchairs, feeding tubes, cotton swabs, catheters, geriatric chairs, hospital beds, and blood pressure cuffs).

A user facility must report MDR deaths to the FDA and to the manufacturer (if known). A facility must report serious illnesses and serious injuries caused by or attributed to the use of a device to the device manufacturer or, if the manufacturer is unknown, to the FDA. Reports must be made within 10 working days of the facility becoming aware of an MDR incident.

FDA regulations exempt a facility from the reporting requirement if it determines that the information received is erroneous in that a death, serious injury, or serious illness did not occur. One problem with this exception is that in many cases the user facility may not know whether a device caused or contributed to the death, injury, or illness until after the device is inspected, which may not happen until after the reporting period has passed.

The FDA has released MDR report forms facilities may use until the agency issues final forms.

Semiannual Reports
User facilities are also required to report semiannually to the FDA all MDR events reported to the FDA and/or device manufacturers during the preceding six-month reporting period. These reports may consist of the actual reports sent to the FDA or to the manufacturer.

Submission of MDR reports does not constitute an admission that the reporting entity, its employees, or the device caused the MDR incident. Reporting entities should affix a disclaimer to this effect on the first page of any report submitted pursuant to the SMDA.

Incident Files
User facilities must maintain incident files for two years after reporting an MDR event to either the FDA or a manufacturer. Incident files must contain the actual MDR report (if made), all information the user facility evaluated during its investigation of the incident, a record of all oral or written communication between the user facility and the FDA pertaining to the incident, and any supplemental information the FDA requested. If more than one patient is involved in an incident concerning the same device, only one file need be maintained. Facilities must also maintain incident files for those incidents it determined were not reportable.

User facilities must allow FDA employees to access, verify, and copy any information the agency requests so long as the time requested for access is reasonable and a reason for access is provided. Although the SMDA authorizes the FDA to access and copy confidential patient medical records, the FDA has indicated it will review patient medical records only when fraud is suspected or under other extreme circumstances. To avoid potential confidentiality issues, facilities should segregate as much MDR incident information as possible from patient records and maintain MDR information in the separate incident files required by the SMDA. By maintaining all relevant event-specific information (including patient information) in the incident file, facilities may be able to discourage the FDA from copying entire patient records.

Civil Penalties
The FDA may assess civil penalties against parties that do not comply with the SMDA's reporting provisions. These penalties include civil fines of up to $15,000 per violation and up to $1 million for all violations adjudicated in a single proceeding. Civil penalties can be immediately charged against device manufacturers, distributors, and importers; however, these penalties are not immediately applicable to user facilities. The secretary of Health and Human Services will conduct a study of user facility compliance with the SMDA to determine whether civil fines are appropriate for those not in compliance. If the secretary finds that user facilities are in substantial compliance with the SMDA, no civil penalties will be applied so long as this level of compliance is maintained.

In addition, civil penalties may be imposed for violation of certain other provisions of the SMDA, such as failure to provide the FDA with requested information, failure to provide access to records, or failure to maintain incident files. These penalties may not exceed a $1,000 fine and/or imprisonment for up to one year. For repeated violations, the FDA may impose civil fines of $10,000 and/or up to three years' imprisonment.

Confidentiality Issues
Under the Freedom of Information Act (FOIA), any person may request and receive copies of records maintained by a federal agency in the normal course of its activities, so long as such information does not jeopardize personal privacy, the agency's integrity, or national security. Absent these factors, reports made to the FDA pursuant to the SMDA are available to the public.

Of paramount concern are the issues of patient and facility confidentiality for records that may be released under an FOIA request. The SMDA requires the FDA to delete, before releasing any MDR report, any information that is a trade secret; confidential commercial or financial information; or personal, medical, and similar information that would constitute an invasion of privacy. The definition of these terms, however, is left to the FDA's discretion.

The FDA will delete from a report the identity of a report initiator (a user facility, employee, or person affiliated with a user facility) before public disclosure. However, if it is discovered that a report initiator knew that information in a report was false, the reporter's identity will not be protected from disclosure. The identity of a physician voluntarily reporting from his or her office is also confidential.

Despite the confidentiality provisions in the SMDA, the potential still exists for public disclosure of the identity of a report initiator. For example, a patient injured by a device that was the subject of an MDR report may receive a copy of any report or any information concerning the MDR incident. The FDA's interim reporting forms do not request the name of the patient involved; however, the forms do request the patient's initials. If a patient is able to identify the incident or report number in which he or she was involved, the FDA may, under the FOIA, release its information to the patient.

In addition, it is unclear whether FOIA requires the FDA to release information other than the actual MDR report contained in the incident files maintained by a user facility. Since incident files must contain all information obtained during a healthcare facility's investigation of an incident (including conversations with the FDA and employee interviews), it is possible that the FDA could release such information in response to an attorney's discovery request. Furthermore, it is unclear whether any screening mechanisms exist to monitor release of these reports to the public. Moreover, information in reports to device manufacturers would be discoverable to a greater degree than that in reports to the FDA.

Incident Identification and Reporting Procedures
Hospitals, long-term care facilities, and other medical device—user facilities must develop and implement employee training and education programs to help physicians, nurses, and other allied health employees identify and report MDR events. Such education programs should describe the types of MDR events and the procedures the facility has established for internal reporting of MDR events.

Facilities should establish internal MDR identification systems for evaluating, reviewing, and providing feedback about MDR-reportable events and should introduce a system for creating and maintaining incident reports.

From a practical perspective, one employee should be responsible for coordinating a facility's entire MDR program. This person should be responsible for educating and training employees, receiving initial reports of MDR events, and coordinating the investigation of MDR events. The SMDA requires each user facility to identify an FDA liaison. One person could easily perform both the roles of educator-implementer and FDA liaison. Several healthcare facilities have designated the person responsible for risk management and quality assurance as their MDR program coordinator.

Medical Device Tracking
Medical device manufacturers are required to track any of their devices if their failure would be reasonably likely to have serious adverse health consequences, if they are either life-sustaining or life-supporting devices used outside of a user facility, or if they are permanently implantable devices. Examples include continuous ventilators and defibrillators.

Under these regulations, which become effective August 29, 1993, a manufacturer must track devices the FDA identifies as subject to tracking, so that it can provide the FDA with a variety of device- and patient-specific information within specified time frames. Although the FDA has not mandated the tracking method to be used, it has prescribed the types of information that must be obtained and the time frames for providing such information.

Information Required The regulations require medical device distributors to assist manufacturer tracking efforts by maintaining device-specific information that enables expeditious identification of defective or hazardous medical devices. Under the regulations, user facilities are defined as either final or multiple distributors, depending on whether the distributed device is intended for use by one patient or several patients over the useful life of the device. A "final distributor" is any person who distributes a tracked device intended for use by one patient. This category includes physicians, dentists, retail pharmacies, hospitals, nursing homes, and other types of user facilities. A "multiple distributor" is any device-user facility, rental company, or other entity that distributes a life-sustaining or life-supporting medical device intended for use by more than one patient.

All distributors are required to provide the manufacturer with the following information at the time of purchase or acquisition of any interest in a device:

• The distributor's name and address
• The lot, batch, model, serial, or other identifying number the manufacturer uses to track the device
• The date the device was received
• The person from whom the device was received
• If applicable, the date the device was explanted, returned to the distributor, permanently retired from use, or disposed of, or the date of the patient's death

At the time of sale or other distribution of a device to a patient, a final distributor must provide the manufacturer with:

• The final distributor's name and address
• The device's lot, batch, model, serial, or other identifying number
• The name, address, telephone number, and social security number (if available) of the patient receiving the device
• The date the device was provided for use by the patient
• The name, address, and telephone number of the prescribing physician and regular attending physician (if different)
• When applicable, the date of device explantation; the name, address, and telephone number of the explanting physician; and the date of the patient's death or the date the device was returned to the manufacturer, permanently retired from use, or permanently disposed of

A multiple distributor is required to keep written records of the following information each time a tracked device is distributed for patient use:

• The device's lot, batch, model, serial, or other identifying number
• The name, address, telephone number, and social security number (if available) of the patient using the device
• The device location
• The date the patient received the device
• The name, address, and telephone number of the prescribing physician and regular attending physician (if different)
• When applicable, the date that the device was permanently retired from use or otherwise disposed of

A multiple distributor must provide this information to the manufacturer within five working days of a manufacturer's request or to the FDA within ten working days of the agency's request. Additionally, multiple distributors must maintain these records for the useful life of each distributed device. For example, a record may be retired if the device is no longer in use, it has been explanted or returned to the manufacturer, or the patient has died.

Patient Name Disclosure The goal of device tracking is to ensure that the FDA and device manufacturers are able to contact physicians and patient in the event of a device-related hazard or device recall. Therefore patient names or other identifiers may be disclosed to a device manufacturer, physician, or other person subject to these regulations if patients' health or safety requires such disclosure. This disclosure is made with the agreement that the information will not be further disclosed except as patients' health requires and that the information will not be available to the general public.

Requests for Release of a Device Occasionally, healthcare facilities may receive requests from patients, medical device manufacturers, or the FDA to release a medical device after its explantation or other retirement from patient use. Such requests have come from patients who have had silicone breast implants removed and from manufacturers and the FDA when a device involved in an MDR event has been the subject of litigation.

All facilities involved in device tracking and user-facility reporting need to develop policies to respond to such requests. Such policies must balance a patient's ownership rights (when an implanted device is involved), the public health implications of releasing the device, and the FDA's authority to inspect devices involved in MDR events. In most cases, the facility can accommodate all these needs by allowing the requesting party to inspect or evaluate the device, without jeopardizing public health or risking the loss or destruction of evidence. Inspection or testing of a medical device by third parties, or release of the device from a healthcare facility, should never be permitted without approval of the facility's legal counsel and administration.

SMDA's Effects Still Unknown
The long-term impact of the SMDA reporting and tracking requirements on long-term care facilities, hospitals, and other user facilities remains to be determined. Although the device-tracking requirements will impose significant record-keeping burdens on user facilities, reporting requirements are of greater concern. In the months following the imposition of these requirements, facility concerns have focused on whether certain device-related incidents need to be reported in view of the SMDA's broad terminology and the broad nature of the interim report forms.

Facilities have also expressed concern regarding the potential for increased liability should patients and their attorneys obtain the FDA's copies of facility incident files, especially in those circumstances where facilities identify "user error" as contributing to a device-related incident. The extent to which the FDA has anticipated and addressed these issues will be apparent when it releases the final SMDA regulations later this spring.

Facility Checklist to Implement the SMDA

1. Designate an individual to be responsible for the facility investigation and reporting program and the tracking program.
2. Develop policies, procedures, and forms for internal investigations, reporting, and tracking.
3. Educate professional staff and other employees on the facility's investigation and reporting program and tracking program.
4. Integrate these programs with the risk management and quality assurance program to identify and address identified problems.
5. Establish procedures for release of devices on request of patients, manufacturer, and the FDA.

Copyright © 1993 by the Catholic Health Association of the United States
For reprint permission, contact Betty Crosby or call (314) 253-3477.