Newsletter for Leaders in the Medical Device Industry – July 2008

08 July 2008 Publication
Authors: Nathan A. Beaver, Judith A. Waltz

Legal News: Medical Devices

More on the Foreign Corrupt Practices Act and the Medical Device Industry
Sharie A. Brown

In the April 2007 edition of Foley’s Legal News: Medical Devices, we informed you that Johnson & Johnson (J&J), a medical device company, voluntarily disclosed to the United States Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC) that subsidiaries outside of the United States may have made improper payments in connection with the sale of medical devices in two small-market countries. Since February 12, 2007, when J&J disclosed the information, the medical device industry has received increasing enforcement scrutiny.

In a press release issued this month, the DOJ accused Plymouth, Minnesota-based AGA Medical Corporation (AGA), a manufacturer of products designed for the minimally invasive treatment of congenital heart defects, of conspiracy and violating the Foreign Corrupt Practices Act (FCPA). The DOJ release stated that its criminal information (filed on June 3, 2008) alleged that AGA, some of its employees, and a high-ranking officer sought patents on several AGA products from the State Intellectual Property Office of the People’s Republic of China (SIPO) from 2000 through 2002. According to the DOJ release, in order to have certain patents approved, AGA allegedly agreed to make improper payments through its local Chinese distributor to Chinese officials who were employees of SIPO. In addition, AGA allegedly made payments through a local distributor to government physicians from 1997 to 2005 to induce those physicians to cause their government hospital employers to purchase AGA products for the government hospitals. The DOJ release stated that AGA paid a $2 million penalty and entered a deferred prosecution agreement with the DOJ as a result of these allegations.

In September 2007, Dr. Gioacchino DeChirico, the President and COO of Immucor, Inc. (a U.S. public medical equipment company), settled a civil action with the SEC for violating and aiding and abetting a violation of the FCPA. The SEC alleged that Dr. DeChirico paid 13,500 Euros to the director of a public hospital in Milan, Italy, in April 2004, in exchange for favorable consideration by the hospital relating to a contract for providing goods and services to the hospital. Dr. DeChirico allegedly approved an invoice that falsely described the payment as a consulting fee for services rendered even though Dr. DeChirico knew that the hospital director had never provided any services. Dr. DeChirico subsequently agreed to the entry of a final judgment ordering him to pay a civil penalty of $30,000, and he and Immucor separately agreed to an SEC cease-and-desist order related to the same improper payment activity.

In October 2007, Zimmer Holdings, Inc., a medical equipment and supplies company in Warsaw, Indiana, disclosed in its Form 8-K for the period ending October 11, 2007, that the company had received a letter from the SEC advising that the SEC was conducting an informal investigation regarding potential violations of the FCPA in the sale of medical devices in several foreign countries by companies in the medical devices industry.

Biomet, Inc., issued a press statement in October 2007 on its company Web site disclosing that the company had received a letter from the SEC informing the company that the SEC was conducting an informal investigation of possible violations of the FCPA in the sale of medical devices in a number of foreign companies. Similarly, in October 2007, Stryker Corporation (a public medical device medical technology company) disclosed that the SEC had made an informal inquiry of the company regarding possible violation of the FCPA in connection with the sale of medical devices in certain foreign countries.

In light of the increased FCPA investigative and enforcement focus on medical device and equipment companies, medical device companies should adhere to the warnings and begin to:

  • Develop written policies and procedures for detection and prevention of corrupt payments or activities
  • Conduct a review of operations to determine what groups within the company have regular dealings with “foreign government officials” within the meaning of the FCPA, and develop more robust anticorruption procedures for those groups
  • Train and counsel employees, agents, vendors, and suppliers on ethics and anticorruption policies and procedures
  • Conduct anticorruption due diligence on third parties prior to hiring
  • Discipline employees and third parties that fail to follow policies
  • Assure that internal controls are adequate, and that books and records are accurate
  • Conduct periodic compliance reviews and audits to determine if procedures are followed and if there is any misconduct
  • Include anticorruption contract provisions in all third-party agreements, including audit rights


Medicare Part D Data Available to External Researchers (and Others) Under CMS Final Rule
Judith Waltz and Lena Robins

In many cases, devices work better, or best, when combined with a prescription drug regimen. Medicare-covered beneficiaries constitute a large user population (and target market) for both devices and prescription drugs, with the numbers continuing to rise with the aging population. Information about how particular prescription drugs are being used for this target population can assist in device product design and optimization. Under the auspices of a new regulation, the Medicare program will begin to share its prescription drug data, which should be of critical value to the device maker community and research enterprise.

In a Final Rule published on May 28, 2008, and effective on June 27, 2008, the Centers for Medicare and Medicaid Services (CMS) amended the Medicare Part D regulation at 42 C.F.R. § 423.505 to set forth the parameters under which Part D claims data may be released for purposes of research, program monitoring, public health, care coordination, quality improvement, population of personal health records, and other purposes. Part D, the voluntary Medicare Prescription Drug Benefit enacted in 2003, is administered through private entities, called Part D Sponsors, that contract with CMS to sponsor Medicare prescription drug plans to act as payers and insurers for administration of prescription drug benefits. Participation is voluntary, but in 2008 Medicare Part D had about 25 million enrolled beneficiaries. The new data-sharing provisions set forth in the Final Rule apply to Part D claims data collected on or after January 1, 2006. The first data, relating to 2006 claims, is expected to be available by December 2008.

Parties to whom this data may be released include external researchers as well as other federal government agencies, states, and beneficiaries for their personal health records. As CMS has noted, Part D data-sharing will provide a critical new source of information about how well drugs work and how safe they are for the elderly and disabled populations, who are often excluded from clinical trials, and hopefully will lead to fewer adverse drug events over time. The Part D data can be linked with claims data for Medicare Part A (hospital and institutional benefits) and Part B (physicians and other supplier benefits) for those 17 million beneficiaries who are in the “Original Medicare” program with a stand-alone Part D prescription drug plan. For those enrolled in the Medicare Advantage program, only Part D data is available.

“Research” is defined, using the definition in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, as “a systematic investigation, including research development, testing and evaluation designed to develop or contribute to generalizable knowledge.” CMS states that it will not release identifiable data to external entities when their research is not designed to develop or contribute to generalizable knowledge. In addition, CMS will not release identifiable data for commercial purposes.

The shared data will be compiled from Prescription Drug Event (PDE) summaries. The PDE is a record that every Part D drug plan (including Medicare Advantage plans) must submit each time a beneficiary fills a prescription under Medicare Part D, and consists of summary extracts using CMS-defined standard fields. PDE information is currently used to enable CMS to make payments to Part D plans and otherwise administer the Part D program. Under the Final Rule, CMS will release only the minimum data necessary to complete the study; will require that the results of the research (if applicable) be in the public domain; and if the study is conducted by an external entity, will require that the researcher have the requisite experience and be working in a reputable institution. External researchers must sign a Data Use Agreement that outlines certain restrictions placed on use of the data, including a requirement that the data must be destroyed, with no copies retained, upon completion of the project.

The Final Rule includes several limitations designed to provide protection for beneficiary privacy and commercially sensitive plan data, which include:

  • CMS will not release beneficiary, prescriber, or pharmacy identifiers to other government agencies or external researchers unless these are absolutely necessary for the study (e.g., to link to another database)
  • The Final Rule addresses only 37 elements (not all elements, as in the Proposed Rule), and does not extend to Part D plan-specific bid data, rebates, risk-sharing, reinsurance, or payment information collected outside of a Part D claim

When released to external researchers, Part D plan identifiers will be encrypted and cost data elements will be segregated. This step is designed to protect against negative implications for plans to negotiate favorable prices.

In announcing the new Final Rule, CMS indicated that it would be developing guidelines and workshops to inform researchers on how they can access the new database. Additional details are available on the CMS Web site and at its research data assistance center.


The Implications of Google Health on Medical Devices Design
Peter F. McLaughlin

What Is Google Health?
When The Wall Street Journal, The New York Times, BusinessWeek, and USA Today all have articles discussing the most recent entrant to the Personal Health Record (PHR) space, then something significant might be happening. Regardless of Google’s success in its recent launch of Google Health, the popularity of Google as a search engine, e-mail service, calendar product, and now PHR service means that it is worth a look at how these rapidly emerging and evolving services impact developers of medical device companies and associated software applications.

According to a November 2007 poll conducted by The Wall Street Journal, three-quarters of respondents agreed that they would receive better care if their providers were able to share information more easily across electronic systems. While at that time only two percent used some form of PHR, more than 90 percent expressed a desire to access their own electronic records maintained by their physicians.1

Enter Google Health, promoted as an alternative to existing services such as WebMD from which individuals can learn about health issues and find helpful resources, search for doctors and hospitals, build online health profiles, and — significantly — import medical records from hospitals, clinics, and pharmacies. Google Health initially launched in partnership with the Cleveland Clinic earlier this year, and now has numerous well-known partners.

Implications for Device and Software Developers
As health providers increasingly use electronic medical records (EMRs) and as patients slowly acquire personal health records, the necessity for device developers is to keep pace with interoperability. Medical device and software developers should be familiar with the HIPAA Security Rule as a set of guidelines for protecting an individual’s electronic personal health information. While typically neither a Covered Entity nor Business Associate as defined by HIPAA, medical device developers who fail to enable their provider-customers to comply with such requirements will not be successful.

The likely data path for patient information will be from medical device, to provider, to Google Health, although home-based devices may eventually have their data uploaded directly by the patient. In either event, the data elements and structures within such devices should reflect design considerations using the most broadly applicable standards. In the case of Google Health, this means the ability to produce data conforming to the eXtensible Markup Language (XML) standard, increasingly common for Internet and data manipulation.

To the extent that Google Health becomes a successful brand in the PHR space, there is the possibility that manufacturers and service providers could become designated as “compatible” with Google Health.

Design Considerations
XML is an international technology standard, developed and maintained by the World Wide Web Consortium (W3C). XML permits data to be structured and embedded within XML files so that software applications can adapt the content and display it in a variety of formats. While device developers in the past may not have coded data for the Web, the onset of EMR and PHR all but dictates such.

Google Health has published third-party developer policies as well as details of the Google Data (GData) application programming interfaces, which are available online.2 The GData APIs use one of two XML-based syndication formats for reading and writing data to the Web and thus allowing medical device data to interact with the Google Health service.

The Continuing Challenge of Standards
Device makers then find themselves in a bit of a predicament as various electronic record platforms and services sprout. Google Health, the industry consortium Dossia, WebMD, and Microsoft’s HealthVault each claim a role in this rapidly evolving area.

Google Health is distinct from Microsoft’s HealthVault, which is more of a platform for health care providers and other professionals to move personal health information online in the first place. In theory, a hospital or clinic would build a system to push data from a blood pressure monitor or IV pump and share it electronically with other authorized providers. That system might then help an individual move the data to Google Health.

All of this means that the standardization of electronic health information is becoming more important.

Google Health has been designed to meet the Continuity of Care Record (CCR), which is an ANSI-accredited health information technology standard. The CCR output of the CCR standard is a CCR digital file with 17 potential data elements, ranging from diagnosis to vital signs and medical equipment to results. CCR is not the only data standard, though, and it will likely be some time before there is a clear path for consistent product design.

For more information about Google Health, see


1 “Benefits of Electronic Health Records Seen as Outweighing Privacy Risks”, Wall Street Journal, November 29, 2007.


How Medical Device Companies Can Prepare for an FDA Inspection: What to Do When the FDA Shows Up at Your Door
Nathan A. Beaver

Federal law grants the U.S. Food and Drug Administration (FDA) authority to inspect medical device manufacturers and distributors upon providing written notice (Form 482) and showing appropriate credentials. Inspections may be unannounced and without a warrant, so long as the inspectors show up at a “reasonable” time. For device companies, some of whose products do not require FDA pre-approval, an inspection may be the company’s first hands-on experience with the agency and chance to demonstrate to the FDA its compliance with FDA regulations, especially compliance with the Quality Systems Regulation (QSR). On the other hand, a poor inspection can lead to difficulties, including more frequent inspection or even shutting down further manufacturing. Being prepared for an inspection requires advanced and effective planning. Key components of an effective plan include: (1) understanding the scope of the FDA’s inspection authority; (2) designation of the company’s “inspection team”; (3) having written Standard Operating Procedures (SOPs) for an inspection; and (4) training personnel on what to do and not do during an inspection.

Scope of the FDA’s Authority
The scope of the FDA’s authority during an inspection of a device company is broad, but not unlimited. Generally, the FDA may inspect:

  • Equipment
  • Finished and unfinished materials
  • Containers
  • Labeling
  • All records required by applicable QSR, including good manufacturing practices

Just as important, however, is understanding what materials the FDA may not review during an inspection, including:

  • Financial or sales data other than shipment data
  • Pricing information
  • Personnel data other than qualifications for technical/professional personnel
  • Research data
  • Internal audit reports, though the FDA may review records indicating that audits were conducted in accordance with the company’s SOPs

It is important to keep records the FDA may lawfully review separate from those records they may not; ideally in a separate room or area from where the FDA records are kept. It also is worth noting that the FDA does not have specific authority to take photographs during an inspection, even though FDA inspectors often attempt to do so. A specific policy should be drafted regarding the taking of photographs during an inspection. Generally, we recommend permitting the FDA inspector to take photos, but keep careful records of the photos taken and ideally take identical photos as well. However, if there are privacy or trade secret issues with respect to the photos, a company may wish to decline the FDA’s request gently.

Designation of an “Inspection Team”
The first step any device company should take to prepare for an FDA inspection is to designate an “inspection team.” This team will be responsible for developing the procedures for dealing with an inspection and during any inspection should act as the company’s liaison with the inspector. At least one member of the team should accompany the inspector at all times and document the inspection.

Drafting Effective SOPs
For any company, the most critical aspect of preparing for an inspection is having written SOPs that address the procedures that should be followed during an inspection and training employees to follow them. A company’s SOPs should:

  • Designate the members of the “inspection team”
  • List immediate actions taken at the arrival of an inspector — who gets notified (inspection team, corporate officials, regulatory counsel)
  • How to interact with the inspector — being courteous and cooperative, but understanding when it is appropriate to say no
  • Properly documenting the inspection from the company’s view — keeping a daily log of who the inspector interviews and what the inspector reviews as well as documenting what records the FDA requests
  • Address procedures for the end of the inspection — reviewing a 483, close-out meetings, signing of affidavits, preparing inspection reports
  • Address timeframes for responding to 483s or warning letters if necessary

Personnel Training
Written SOPs are effective only if personnel are properly trained to follow them. While the main responsibilities during an inspection will fall on the inspection team, all personnel should be trained on these procedures to understand how to proceed during an inspection. For example, all employees should know to direct all inspector requests through the inspection team, and that they should be polite but not volunteer information to the inspector.

With proper training, a device company should not fear an inspection from the FDA. By understanding the FDA’s authority for an inspection and having in place procedures and trained individuals, any company can be prepared.