I've been getting a lot of questions about this. Here's the latest:
I am hoping you can answer this question for me. Would [redacted company name] a data storage company come under the MDDS final Ruling? Are hw/sw services all types of companies including medical.
Unfortunately, where the FDA is concerned, very little is black or white. Short to-the-point questions usually don't result in meaningful answers.
One unambiguous issue we can get out of the way is that the FDA regulates products through their regulation of manufacturers. All regulatory questions revolve around the product, but it is the manufacturer of the product that has to jump through the regulatory hoops. A manufacturer may chose to have one set of policies and procedures that conform to the FDA regulations for their medical device, and another for unregulated products.
Is Your Product a Medical Device?
Now let's get into the basic issues. The first is whether you have a product that meets the legal definition of a regulated medical device. If so, then one must consider whether it is a device the FDA feels compelled to regulate (some are already regulated, while others are not - typically because the FDA views the products as low risk). How all this applies to any one company and their products is not so cut and dried.
Are You Making Medical Device Claims?
The next basic issue targets the claims you make about a product. Claims include your product's value proposition or intended use, features and benefits as described in promotional materials, by employees like sales reps, and in your user manuals. If you make medical device claims, even if your product does not meet the definition of a regulated medical device, FDA may want to regulate you (again, based on their perception of risk).
All this is intended to indicate that there's a lot more to this than the short and sweet question that I usually receive.
Is It a MDDS?
Regarding the specific question, "Is my product a MDDS?" if you have a product that:
- Directly receives data from medical devices,
- Converts the data from one format to another according to preset specifications (e.g., parses the original protocol and converts it into a format used by your system, and/or converts units of measurement or changes data labels),
- Stores and/or displays the data, and
- Makes that data available to other systems,
then yes, your product is a MDDS. A product must meet the minimum requirements above to qualify as a MDDS. If you fall short of the criteria, you do not have an MDDS. If you exceed the criteria, i.e., provide additional capabilities or features beyond what's defined for a MDDS, you do not have a MDDS - but your product is likely still a regulated medical device, it's just something other than a MDDS.
UPDATE: Be sure to read this post, Final MDDS Rule Signals FDA Shift to Enforcement, to get a more definitive definition of MDDSs. You can also find a link to the actual rule in aforementioned post.
What about Claims?
Should you make MDDS claims however, don't be surprised if the FDA knocks on your door whether your product meets the definition of a MDDS or not. Suppose you provide a component or some necessary infrastructure for a MDDS (or any other kind of medical device) and want to do some "solution" marketing to end-user-buyers - where you promote the entire solution that's made up of your product and those of other solution "partners," that are all described in the brochure.
Typically resellers or systems integrators are the ones that actually assemble the components described in your brochure and sell it to health care providers. Your intent is to just sell your part of the solution by presenting the overall MDDS in your marketing materials. You clearly don't manufacture the entire MDDS solution.
This marketing technique results in you making a marketing claim for a MDDS, or perhaps something else, that's a regulated medical device. Legally, you're now a medical device manufacturer simply based on your claims regardless of your product. At their discretion, the FDA can pursue enforcement actions against your company for making these claims.
In most cases when I get questions like this, the company's product is probably not a medical device. But from a corporate risk management perspective, it's a good idea to make sure whether your product is a regulated medical device or not. If it is, then you need a business strategy to deal with that. If your product is not a MDDS or other kind of regulated medical device, you need to figure out exactly what you need to do and not do to maintain your status as "not a medical device." This is not a huge effort, but it does take some work.
See this post, Charting Your Regulatory Course for next steps.
I think your “Is It a MDDS?” section is a little misleading. The way I read your language, it implies your system must do ALL these (based on the word: “and” in the third bullet). In fact the legal definition of an MDDS system is a system that does ‘one OR more of those things’.
Also, I’m pretty sure the preamble of the legal ruling doesn’t include the concept of “Directly receives data from medical devices”. Medical Device Data can be human entered (NOT received directly from a device), it can be subsequently transferred by the system and THAT would classify as an MDDS.
Rob, I’ve dealt with the definition of a MDDS in detail elsewhere. You’re right that it’s my mistake that I did not include links to those posts here. Thanks for bringing that to my attention.
Regarding, “directly receives data from medical devices,” you’re right again that this is not explicitly stated in the rule. FDA has, however, made public presentations that to be an MDDS, the system must acquire data directly from the medical device. (They mean that in a logical sense and not necessarily a physical one.)
If a company that has a product that collects data streaming out of medical devices through serial ports, in order to display and store this data, and then this product puts on its own time stamp, as the time when the data was received, does this then make this device not an MDDS?
I would expect an MDDS to address time stamping in the risk analysis for that product, and mitigate any risks associated with incorrect or unknown times of when the data was generated.
While time stamping is not mentioned directly in the final MDDS rule, it is a characteristic of the data (e.g., when it was generated) much like a data label or unit of measure. Without a time stamp generated somewhere, medical device data is of questionable value - and can even have a negative impact on patient safety.
I would argue that so long as the methods used to manage associating time with the data acquired from a medical device are done according to preset specifications (like other conversions of the data called out in the final rule) you have not exceeded the definition of an MDDS.
If time stamping is not addressed from a risk mitigation perspective in the MDDS, and an adverse event results, I would expect to see some sort of FDA enforcement.
Is a medical cart that houses videoconferencing equipment for telehealth considered a MDDS? Also, what about a telemedicine cart with camera, mic and other electronic peripherals?