Device manufacturers may share patient-specific information from a device with the patient without violating federal privacy requirements.
With the increased use and availability of remote monitoring and wearable devices, device manufacturers are collecting an extensive amount of patient-specific information. Patient-specific data collected from such devices may include, for example, data on pulse oximetry, heart electrical activity, blood pressure, and blood glucose readings, as well as information on device usage, alarms, and other outputs. This information is used by patients’ physicians to help them develop an adequate patient treatment history and treatment profile, and to improve the device use experience. Privacy requirements, however, have triggered concerns about whether device manufacturers may disseminate patient-specific information to the affected patients themselves. In response to these concerns, on June 10, the US Food and Drug Administration (FDA) issued a draft guidance providing recommendations to device manufacturers on sharing of patient-specific data derived from medical devices with patients.
The enactment of the Health Insurance Portability and Accountability Act (HIPAA) has raised public awareness about patient privacy concerns. However, this increased sensitivity has in some cases led to a misunderstanding of the privacy requirements. Although HIPAA requirements are intended to prevent device manufacturers from sharing a patient’s private health information with covered entities (e.g., health plans, certain healthcare providers), they are not intended to prevent manufacturers from sharing a patient’s data with the affected patient. Indeed, many healthcare experts believe that providing patients with their personal health data will empower them to become more engaged in improving their own health.
The Federal Food, Drug, and Cosmetic Act (FFDCA) generally does not require that manufacturers share patient-specific information with the patient. Device manufacturers, however, are permitted to share patient-specific information from a legally marketed device with a patient—at the patient’s request—without obtaining any additional premarket review, provided that it is consistent with the intended use of the device. In many cases, this information is readily accessible by the patient already, either directly (e.g., via a display on a wearable or remote monitoring device) or through the patient’s healthcare provider.
In the draft guidance, FDA recommends that, in sharing patient-specific information, device manufacturers should exercise care to ensure that information provided to patients is easy to understand and will not be misinterpreted. Specifically, FDA recommends that manufacturers take the following precautionary steps:
Comments on the draft guidance should be submitted to Docket No. FDA–2016–D–1264 by the due date of August 9, 2016, in order to be considered before the final guidance is prepared.
If you have any questions on the issues discussed in this LawFlash or would like assistance in submitting comments to the Docket, please contact any of the following lawyers:Washington, DC
 FDA, Dissemination of Patient-Specific Information from Devices by Device Manufacturers – Draft Guidance for Industry and Food and Drug Administration Staff (June 10, 2016).