The U.S. Food and Drug Administration (FDA) has released guidelines for medical device manufacturers who share data with patients. Legally purchased medical devices collect, retain, process, and transmit medical data. If patients request copies of the data that the devices record or store, manufacturers may provide the patient-specific data as requested.
The FDA supports data sharing because it allows patients to become more engaged in their own healthcare. If patients can provide the information generated by medical devices to their healthcare providers, it would help their doctors when making medical decisions.
Although data sharing is not required by the Federal Food, Drug, and Cosmetic Act (FD&C Act), the FDA thought it necessary to give medical device manufacturers some guidance concerning the sharing of patient-specific data with patients. The guidelines are meant to help manufacturers share information responsibly.
HIPAA allows patients to request and get copies of their health information from their healthcare providers. Patients also often request information directly from device manufacturers. The FDA encourages this and states that information can be shared with patients even without going through advance premarket review.
The FDA clarifies that patient-specific information refers to information that’s unique to a specific patient, or specific to the patient’s diagnosis and treatment, all of which are documented, stored, processed, or generated from a legally purchased medical device. Patient-specific information may include documented patient data, statistics generated by device usage/output, healthcare provider notes, incidence of alarms, and/or logs of device malfunctions or outages.
The FDA remarks that labeling, which falls under the FD&C Act, is not included as patient-specific information. Labeling information consists of a description of intended use, benefit and risk data, and directions for use. The disclosure of such data is governed by applicable FD&C Act requirements.
Certain medical devices use a format for recording, storing, and transmitting information that is difficult to share with patients. In certain cases, data is documented in a closed system that the device manufacturer can’t access. The FDA knows that in such instances it may not be possible to share information with patients.
Whenever it is possible to share information, device manufacturers need to respond to requests promptly and information supplied should be complete and up-to-date. Data must include all available data, up to the time that the request is made.
The FDA remarks that the guidance doesn’t create legally enforceable responsibilities. It doesn’t impact any local, state or federal laws, including the HIPAA Privacy Rule, which will be applicable when the device manufacturer is also a HIPAA-covered entity’s business associate.