August 9, 2016
Division of Dockets Management (HFA-305)
Food and Drug Administration
5630 Fishers Lane, Rm. 1061
Rockville, MD 20852.
Comments of members of the Patient, Consumer, and Public Health Coalition
on the draft guidance
Dissemination of Patient-Specific Information from Devices by Device Manufacturers
[Docket No. FDA-2016-D-1264]
Members of the Patient, Consumer, and Public Health Coalition appreciate the opportunity to comment on the draft guidance Dissemination of Patient-Specific Information from Devices by Device Manufacturers. We generally support the draft guidance but the document needs further clarification, especially the paragraph on the Health Insurance Portability and Accountability Act (HIPAA).
The purpose of the draft guidance is to “clarify that manufacturers may share with a patient patient-specific information” collected from devices regarding that same patient. In other words, device companies may share with a patient the information that the device collects about him or her. The draft guidance defines “patient-specific information” as including “recorded patient data, device usages/output statistics, healthcare provider inputs, incidence of alarms, and/or records of device malfunctions or failures.” We agree with FDA that providing the above information “will empower patients to be more engaged with their healthcare providers in making sound medical decisions.”1
FDA recommends that device makers take steps to avoid “disclosure of confusing or unclear information that could be misinterpreted” by patients. The draft guidance does not provide details on how device makers should accomplish this goal. If the information from the device is summarized, key data could be omitted. Alternatively, if all data is released (e.g. via data dump), the information could be overwhelming and useless to the patient.
Information communicated to patients should be done in a manner that is easy for them to understand. Only 12 percent of adults have proficient health literacy, according to the National Assessment of Adult Literacy. This indicates that many patients may not be able to understand information that is complicated or communicated using medical terminology. Patients benefit from interactive, simple to follow, and practical communications that are appropriate to the intellectual and social skills of the patient and the caregiver.
FDA notes that device makers “may share patient-specific information…with patients at the patient’s request without obtaining additional premarket review before doing so.” FDA then cautions that additional information from devices shared with patients by the manufacturer could meet the definition of labeling and would be subject to FDA labeling regulations. Although FDA cites the labeling section of the Federal Food, Drug, and Cosmetic Act (section 201 (m)), the draft guidance does not provide an example of when information shared from a device would meet the labeling definition.
FDA states that often the patient-specific information is “accessible by the patient’s healthcare providers,” or patients may contact the manufacturer directly to obtain the information. The advantage of receiving the information from a healthcare provider is that the information will more likely be interpreted and put in context, and the patient can ask follow-up questions. The disadvantage is that the patient will have to pay for the appointment, and may not be able to access the information in a timely manner.
We agree with FDA that patient-specific information shared with patients should be “comprehensive and contemporary” and the information from a patient’s blood pressure device provides a good example. But again, we are concerned that “comprehensive” could become a useless “data dump.”
We agree with FDA that patient-specific information should include “relevant context” so that the information will not be misinterpreted, “thus leading to incorrect or invalid conclusions.” Invalid conclusions could lead to additional tests (i.e. over diagnosis), or false negatives, which could put the patient’s health at risk. We also agree with FDA that device makers who provide patient-specific information should include information “about whom to contact for follow-up information.”
The draft guidance dedicates one paragraph to HIPAA. It notes that HIPAA protections apply to device makers to prevent the sharing of “individually identifiable health information” but the protections “are not intended to prevent a device manufacturer from sharing patient-specific information with the affected patient.”
A recent article criticized FDA’s definition of “Patient-specific information” because it “appears to be, at least in part, inconsistent with HIPAA’s definition” of Protected Health Information (PHI). The article also notes that “there are a number of instances where a device manufacturer may be a HIPAA-regulated entity.” For example, if a medical device company has contracted with a covered entity (such as a doctor’s office or hospital) so that the device will transmit electronic protected health information directly to the provider, compliance with HIPAA requirements is mandated. This type of scenario is not addressed in the draft guidance.
Others have noted that the guidance appears to offer an incorrect interpretation of HIPAA when it states that device manufacturers are prevented under HIPAA from sharing this information with covered entities, such as health plans and health-care providers that electronically transmit health data, without the patient’s consent. We agree that HIPAA was never meant to prohibit patient data collected by devices from being shared with the patients’ own physicians. Clarification of these issues is needed.
Also, nothing is mentioned about encrypting sensitive personal health information, or the risk of data breaches. The draft guidance should recommend steps device makers can take to mitigate the risk of data breaches, and to make sure the information is not compiled in any databases that are shared with health plans or healthcare providers.
We generally support this brief draft guidance but the HIPAA section needs clarity, and Content section needs more details on how device makers can avoid disseminating “confusing or unclear information” to patients.
American Medical Women’s Association
Breast Cancer Action
Connecticut Center for Patient Safety
MRSA Survivors Network
National Center for Health Research
National Consumers League
Our Bodies Ourselves
The TMJ Association
Washington Advocates for Patient Safety
The Patient, Consumer, and Public Health Coalition can be reached through Paul Brown at (202) 223-4000 or email@example.com
 Food and Drug Administration (June 10, 2016). Dissemination of Patient-Specific Information from Devices by Device Manufacturers; Draft Guidance of Industry and Food and Drug Administration Staff. http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm505756.pdf
 Quick Guide to Health Literacy. US Department of Health and Human Services. https://health.gov/communication/literacy/quickguide/factsbasic.htm
 Schooley B, San Nicolas-Rocca T, Burkhard R. Patient-provider communications in outpatient clinic settings: a clinic-based evaluation of mobile device and multimedia mediated communications for patient education. JMIR Mhealth Uhealth. 2015 Jan 12;3(1):e2. http://www.ncbi.nlm.nih.gov/pubmed/25583145
 Weinrieb JM, Weeda JM (June 15, 2016). FDA Publishes Draft Guidance on Dissemination of Patient-Specific Data—But Doesn’t Say Much About HIPAA. OFW Law. http://www.ofwlaw.com/2016/06/15/fda-publishes-draft-guidance-dissemination-patient-specific-data-doesnt-say-much-hipaa/
 Hartford, J (August 25, 2015). Are your medical devices HIPAA compliant? MDDI DeviceTalk. http://www.mddionline.com/blog/devicetalk/are-your-medical-devices-hipaa-compliant-08-25-15.
 Williamson MD (June 13, 2016). FDA Guidance on Device Data Sharing Aligns With HIPAA: Attorney. Bloomberg BNA. http://www.bna.com/fda-guidance-device-n57982074036/