17.1 Introduction
The Food and Drug Administration’s (FDA’s) strategic vision for monitoring high-risk medical devices emphasizes the role of postmarket registries, which are databases that actively collect and maintain information about individual patient exposures.Footnote 1 Registries are cost-effective relative to traditional clinical trials and can enroll large numbers of patients to provide generalizable observations and identification of rare safety events.Footnote 2 Although they differ in their structure, study goals, and stewardship – with varying involvement of professional societies, industry, academic centers, and regulators – registries in general may facilitate advancements in device use, manufacture, and design.
Registries are particularly useful for cardiovascular devices, which make up a large proportion of novel device approvals but also are commonly implicated in recalls and adverse event reports.Footnote 3 The FDA and the Centers for Medicare and Medicaid Services (CMS) can mandate postmarket registries as a condition of marketing approval or reimbursement, respectively. To help generate timely information on device safety and effectiveness, the FDA and the CMS sometimes require compulsory enrollment with no opt-out mechanism. Although regulators provide guidance and oversight on registry design and use, there has been little evaluation of the legal and ethical implications of compulsory medical device registries. In particular, questions remain regarding the extent to which compulsory registries accord with health privacy laws and ethical standards for human subjects research.
This chapter proceeds in three parts. First, we discuss the emerging and integral role of registries in the FDA’s medical device postmarket repertoire, with a focus on cardiovascular medical devices. Second, we evaluate the applicability of the Health Insurance Portability and Accountability Act (HIPAA), the Common Rule, and state laws to compulsory registries. Third, we propose additional guidance for registry development, including rules for enrollment, consent, data use, and access to data.
17.2 The Role of Registries in Postmarket Analysis of Medical Devices
17.2.1 Limitations in the FDA’s Evaluation and Monitoring of Devices
The FDA employs a risk-based regulatory framework that classifies medical devices into three categories: Class I (low risk) devices are those that pose a minimal potential for harm, such as tongue depressors and stethoscopes; Class II (medium risk) devices have a higher potential for harm, such as syringes and electrocardiograph machines; and Class III (high risk) devices have the highest potential for harm, such as pacemakers and defibrillators.Footnote 4
All three classes of medical devices are subject to “general controls,” which include, inter alia, registration, prohibitions against misbranding and adulteration, and adherence to good manufacturing practices.Footnote 5 For Class I and Class II devices where general controls are insufficient to provide a reasonable assurance of safety and efficacy, “special controls” are required, which may include, inter alia, postmarket surveillance, patient registries, and 510(k) premarket notification.Footnote 6 For Class III devices where special controls are insufficient to provide a reasonable assurance of safety and efficacy, a premarket approval (PMA) application is required.Footnote 7
The 510(k) pathway principally seeks to establish that a new device is “substantially equivalent” to a device that the FDA has already cleared for marketing. As the FDA explains, the 510(k) pathway “is comparative” whereas the PMA pathway involves “an independent demonstration of safety and effectiveness.”Footnote 8 The 510(k) process “was specifically intended for devices with less need for scientific scrutiny, such as surgical gloves and hearing aids.”Footnote 9 Over the years, however, the breadth of devices eligible for the expedited review mechanism has been expanded significantly, and only 1 percent of medical devices utilize the more rigorous PMA pathway.Footnote 10
Apart from utilization of the 510(k) pathway for some high-risk devices, other high-risk devices come to market as PMA supplements – a subset available where a new device contains changes to an already approved device.Footnote 11 PMA Supplements may be required when changes impact the safety or effectiveness of a device, including but not limited to new device indications, labeling changes, use of new manufacturing processes or facilities, changes in sterilization procedures, packaging changes, or changes in design specifications or components.Footnote 12 For devices that come to market as PMA supplements, the FDA generally does not require clinical trial data.Footnote 13 In recent years, several high-risk cardiac devices approved as PMA supplements – some of which were implanted into hundreds of thousands of patients – have been recalled due to serious safety concerns.Footnote 14
We summarize the distinctions between the 510(k) and PMA pathways here to highlight the fact that it is common for high-risk medical devices to come to market without providing the FDA with clinical trial data that demonstrates the device’s safety and effectiveness. In part these accelerated pathways to market are due to budgetary constraints – specifically, Congress has not allocated sufficient funds for regulators to have the resources to oversee and review clinical trial data. A second relevant factor is that there are significant budgetary and scientific barriers to applying robust scrutiny to a large number of devices from conception through real-world utilization (often referred to as the “total product life cycle”).Footnote 15 In other words, the cost and time needed to generate meaningful safety and efficacy data would delay the point at which a new device could come to market.
These resource constraints are exacerbated by statutory requirements that the FDA utilize “the least burdensome appropriate means of evaluating device effectiveness that would have a reasonable likelihood of resulting in approval.”Footnote 16 This legal requirement – which is not found in the regulations governing FDA review of pharmaceuticals or vaccines – was enacted by Congress, largely at the request of lobbyists and medical device manufacturers.Footnote 17 It forces the FDA’s hand by requiring that the agency think creatively about how to solicit the least amount of information that can illustrate device safety and efficacy. As a practical matter, it translates to device approvals that, for the most part, do not require clinical trial data. The least burdensome standard applies even to high-risk medical devices such as implantable cardioverter-defibrillators (ICDs), pacemakers, and artificial heart valves.
Several observers have highlighted limitations in the current legal and regulatory framework, particularly in premarket review.Footnote 18 These critiques also extend to the postmarket surveillance scheme which, despite an evolving emphasis on new strategies,Footnote 19 continues to rely significantly on passive surveillance of marketed medical devices, a mechanism that fails to adequately capture postmarket safety and efficacy concerns.Footnote 20 While passive surveillance has captured some instances of patient harm due to faulty devices, underreporting is widespread, and reports submitted to the FDA’s passive surveillance database are often late and lack critical information on adverse events.Footnote 21 Where the FDA mandates postapproval studies, researchers have found that progress is often inadequate and many requirements go uncompleted.Footnote 22 Inadequate postmarket surveillance is not limited to medical devices, but also plagues postmarket evaluation of pharmaceuticals and vaccines.Footnote 23 For truly novel, transformative, and influential therapeutics, then, a robust postmarket surveillance strategy is of great importance to regulators, payors, and the public because it helps produce meaningful evidence to continuously evaluate the safety and efficacy of marketed medical products.
17.2.2 General Structure and Function of Regulatory Registries
When structured and utilized properly, registries can provide valuable information to support postmarket analysis of safety and efficacy. As noted above, the FDA can mandate registries either as a condition of approval for a high-risk device (a so-called postapproval study) or as a “522 study,” which can be required at any point in a product’s lifecycle.Footnote 24 Timely completion of these studies is the responsibility of device sponsors and, in theory, the FDA can withdraw marketing approval or clearance for failure to do so.
Registries defined by exposure to a specific device or procedure can generate datasets with large sample sizes that include a more diverse set of patients than those in premarket studies. Registries can include or be linked to additional clinical data, which allows for identification of information related to disease severity and comorbidities and may provide information on the device utilization outside the context of pivotal clinical trials or established guidelines. For example, studies have uncovered divergence from guidelines-based indications for ICDs and cardiac resynchronization therapy.Footnote 25 Registries can provide important insights regarding off-label use of devices, such as transcatheter aortic valve replacement (TAVR), that may guide future regulatory decisions about expanded indications.Footnote 26
Registries also play an important role in coverage decisions and subsequent requirements for evidence generation. Once FDA approval is earned, sponsors of new devices typically submit applications to the CMS to determine whether the product meets the statutory requirement of “reasonable and necessary” for reimbursement.Footnote 27 Both terms remain somewhat nebulous but together are generally understood to reflect a totality of evidence supportive of clinically meaningful benefits with an acceptable safety profile.Footnote 28
While many services (including use of new devices) are covered by the CMS automatically, in select cases manufacturers, clinicians, or the CMS request a national coverage determination, which grants, limits, or excludes Medicare coverage nationwide.Footnote 29 A small proportion of services thought to be particularly novel, influential for Medicare beneficiaries, or otherwise identified as important from the CMS’s perspective are provided conditional reimbursement – “coverage with evidence development.”Footnote 30 In these cases, payment for services occurs only in concert with a prospective study approved by the CMS as meeting specific scientific goals relevant to safety, effectiveness, or utilization among its beneficiaries. Over the past fifteen years, more than two dozen devices or services have been subject to coverage with evidence development decisions. These include truly novel and (for Medicare patients in particular, most of whom are over sixty-five) clinically impactful transcatheter treatments for valvular heart disease, devices for stroke prevention, and new “leadless” designs for implantable pacemakers.
17.2.3 Compulsory Registries for Cardiovascular Devices
FDA review and CMS reimbursement have brought together agencies with overlapping public health mandates to help establish several pivotal cardiovascular device registries.Footnote 31 While the individual details and methods vary, in general these registries have met the needs of regulatory agencies to develop additional evidence specific to the intended patient population, while also providing a platform for postmarket surveillance studies assessing safety, off-label utilization, real-world outcomes, and potential expansion of indications. The exact purpose, structure, and stewardship of “regulatory registries” – that is, those created primarily to meet requirements of the FDA, the CMS, or both – vary according to device. Here we describe two influential cardiovascular device regulatory registries that share the feature of compulsory enrollment.
The National Cardiovascular Data Registry (NCDR) ICD Registry was created in 2005 in concert with expansion of CMS coverage guidelines for primary prevention ICDs, which are ICDs implanted in patients without a history of cardiac arrest or sustained ventricular arrhythmias.Footnote 32 A clinical trial published in 2004 demonstrated a survival advantage for ICD implantation in patients with heart failure from left ventricular systolic dysfunction regardless of etiology, widely expanding the pool of patients eligible for an effective but expensive intervention.Footnote 33 The ICD Registry was developed by the American College of Cardiology (ACC), which manages a suite of registries under the NCDR umbrella, and the Heart Rhythm Society (HRS), a professional society for cardiac electrophysiology, with guidance from the CMS and FDA. Notably, the CMS coverage memo requires only that data be collected for Medicare beneficiaries. However, the majority of the approximately 1,500 participating sites submit data on all patients who receive ICD implants, and thus the ICD Registry serves as an excellent storehouse of postmarket information.
Several specific analytic questions were posed by the CMS as the guiding scientific goals for the ICD Registry. The overall principle was summarized in the original 2005 memo from the CMS, which indicated: “We are concerned that the available evidence does not provide a high degree of guidance to providers to target these devices to patients who will clearly derive benefit.”Footnote 34 Specific hypotheses posited to refine that position through the ICD Registry are listed in Table 17.1.Footnote 35
[Table 17.1: CMS hypotheses for the ICD Registry; table contents not reproduced in this extract.]
Data collection is performed for over 100 data elements incorporating patient characteristics, procedural details, laboratory tests, and complications that occur within the index hospitalization. These data include multiple individual identifiers, which have facilitated linkages to other datasets such as administrative claims data as well as industry data.Footnote 36 Over one million patients have had data entered into the registry, including hundreds of thousands of patients who are not Medicare beneficiaries. There is no consent obtained and no mechanism for patients to opt-out or to view their own data. Of note, an updated Medicare coverage memo issued in 2018 ended the requirement for entry into the ICD registry as a condition of reimbursement.Footnote 37 Data from the ICD Registry has been relied upon in several publications that have analyzed safety and efficacy of ICDs, though the impact of the ICD Registry on CMS reimbursement has been less clear.
Similar motivation supports the Transcatheter Valve Therapy (TVT) Registry, a partnership between the Society of Thoracic Surgeons (STS) and the ACC that has been approved by the CMS to meet coverage requirements related to TAVR and transcatheter mitral valve repair. These two device types have been transformative therapies over the past several years, bringing minimally invasive options to patients previously considered prohibitive or high risk for surgical intervention and increasingly extending towards wider populations of potential recipients. The FDA worked with the CMS to structure the registry. The CMS coverage memo for TAVR echoed elements of that issued for ICDs, including the specifications (among others) and articulated study goals listed in Table 17.2.Footnote 38
[Table 17.2: CMS coverage specifications and study goals for the TVT Registry; table contents not reproduced in this extract.]
Again, patients must be enrolled, or the facility risks nonreimbursement. In practice, this means that device recipients are automatically enrolled without consent or an opt-out mechanism. Notably, the ICD registry case report forms can generally be completed entirely from electronic or similar data sources, without the need to speak with patients. The TVT Registry form includes many of the same demographic, clinical, and procedural details as the ICD registry but also captures quality of life information. These additional data points require a brief interview with patients.
17.3 Legal Framework Governing Compulsory Medical Device Registries
There is no uniform legal framework applicable to all registries. Rather, the reach of the law – including health privacy laws and regulations governing research with human subjects – depends on the structure and function of a registry, as well as the registry steward. This is problematic, since a wide range of stakeholders creates and uses registries, including academic medical centers, not-for-profit entities, professional societies and organizations, private companies, health care payors, provider organizations, and medical device companies.Footnote 39 Divergent protections can result in use of health data in ways that contradict the expectations or interests of patients, which may exacerbate lack of trust in data use and the health care system.
17.3.1 The Scope of HIPAA Protections for Registry Data
HIPAA protections apply solely to covered entities (i.e., health care providers, health plans, and health care clearinghouses) and the business associates of these entities.Footnote 40 Several kinds of registry steward – including medical device companies, patient advocacy groups, and professional societies – fall outside of HIPAA’s reach entirely, so long as they are not acting as business associates of a covered entity. Registry data submitted directly from a patient to a registry steward is also not encompassed by HIPAA’s protections.Footnote 41 And HIPAA’s limitations apply solely to protected health information, not to the collection and use of deidentified data.Footnote 42
For entities that fall under the HIPAA umbrella, the HIPAA security rule requires implementation of a reasonable security plan and periodic security risk assessments.Footnote 43 In addition to the protections mandated under the security rule, the HIPAA privacy rule affords protections to individuals whose health information is handled by an entity bound by HIPAA. The privacy rule requires patient authorization if health information is to be used in research, but authorization is not required if the information is to be used for public health activities.Footnote 44 Via this exception, patient authorization is not necessary for public health surveillance registries that do not include research.Footnote 45 This includes registries created to track the quality, safety, or effectiveness of FDA-regulated products.Footnote 46
If public health research is conducted using registry data assembled for public health practice, HIPAA offers two routes to disclosure without patient authorization. First, a covered entity may disclose a limited dataset for research, so long as the data source and registry steward enter into a data-use agreement.Footnote 47 Second, a covered entity may disclose fully identifiable information if an institutional review board (IRB) or privacy board approves a waiver of authorization. In deciding whether a waiver is appropriate, the board must find that 1) the use or disclosure involves no more than minimal risk to privacy, 2) adequate data protections are in place, including a plan to protect and, where appropriate, destroy identifiers, 3) the research could not practicably be conducted if patient authorization were required, and 4) the research could not practicably be conducted without identifiable information.Footnote 48 Notably, a limited dataset cannot contain certain data points, such as names, device identifiers and serial numbers, and biometric identifiers; accordingly, limited datasets may be of diminished relevance to device registries, and particularly to cardiac device registries where device and biometric identifiers are essential.
Under HIPAA, patient authorization is also not required for health care treatment, payment processing, or health care operations.Footnote 49 Accordingly, registries used solely to tailor treatments for patients would not need patient authorization, nor would registries that facilitate health care quality improvement, outcomes evaluation, and development of clinical guidelines.Footnote 50 This includes registries created by hospitals or health care providers to track patient outcomes against clinical care standards.Footnote 51
Taken together, HIPAA allows covered entities and their business associates to disclose identifiable patient information without patient authorization in cases where a registry: 1) furthers public health activities, including public health surveillance and review of an FDA-regulated device; 2) supports health care operations; or 3) is created pursuant to a legal mandate of health oversight officials, such as for CMS reimbursement. The public health surveillance exception is particularly relevant in the context of compulsory regulatory registries. Also relevant is the exception whereby identifiable patient data can be disclosed for research purposes if the research could not practicably be conducted were patient authorization required. As to the latter, such an argument in the context of a compulsory registry may not withstand scrutiny where direct patient contact in a clinical setting could be expanded to include, for example, verbal or written consent to use of patient data in a registry. The lack of a uniform legal framework applicable to all medical device registries leaves registry stewards to act on an ad hoc basis, which may lead to inconsistent protections across the population.
17.3.2 Applicability of the Common Rule to Registries
In instances involving research based on registry information, federal protections governing research with human participants may apply. As a threshold matter, the Common Rule applies to 1) federally funded research sponsored by one of the seventeen federal agencies that have adopted the Common Rule or 2) studies that will be submitted to the FDA in the context of device approval or monitoring. Some institutions – such as academic medical centers – have elected to apply the Common Rule to all research conducted at the institution, regardless of funding source. Given the breadth of registry stewards, however, there may be instances where a registry steward or data user is not legally bound by the Common Rule. In such instances the steward or data user has discretion as to whether, and to what extent, to follow the federal guidelines.
The Common Rule’s protections apply solely to research, which is defined as a systematic investigation that is designed or developed to contribute to generalizable knowledge.Footnote 52 At the outset, it is important to note that the Common Rule does not apply to registries that do not include individually identifiable information.Footnote 53 Moreover, under the regulation, research does not include public health surveillance or the provision of health care.Footnote 54 These exceptions are particularly relevant in the context of regulatory registries, since registries are often created to monitor public health or to comply with FDA postmarket requirements.
At the same time, if identifiable information is used for public health research – rather than public health surveillance – the Common Rule would apply and patient consent would be required, unless an IRB determines that a waiver of consent is applicable.Footnote 55 The same holds for registry research in the context of an FDA-regulated device: the Common Rule would apply and patient consent would be required, unless an IRB determines that a waiver of consent is applicable.Footnote 56
For registries that fall within the purview of the Common Rule, regulations require that the registry steward and registry data user obtain informed consent from identifiable individuals who are included in the registry.Footnote 57 A waiver of informed consent may apply if the research poses no more than minimal risk to the research subjects, could not practicably be carried out without the waiver, could not practicably be carried out without using registry data in identifiable form (where identifiable data are used), and will not adversely affect the rights and welfare of the research subjects.Footnote 58
In instances where informed consent is required, the research participant must be informed of the risks and benefits of the research. This includes information related to privacy protections and the risks of loss of confidentiality.Footnote 59 However, pursuant to the revised Common Rule published in 2017, “broad consent” is now permitted in instances where researchers are conducting downstream research using identifiable personal information. Under the broad consent principle, at the point of initial consent, all that is required is a general description of the type of research that may be conducted, the identifiable information that may be used, the timeframe for research, any plans to share information, and contact information for the researchers.Footnote 60 Thus, at the time of initial collection, the registry steward can utilize a broad consent document that covers future uses of the patient’s information which, as a practical matter, provides little guidance to the patient on how, precisely, their information will be utilized.Footnote 61
The Office for Human Research Protections explains that primary and secondary purposes of an activity are relevant factors to consider in determining whether a project qualifies as research under the Common Rule.Footnote 62 As such, registries created for research purposes, in whole or in part, would fall under the Common Rule if the entity creating the registry is bound by the Common Rule’s protections.Footnote 63 This is distinct from the HIPAA privacy rule, which indicates that the protections apply only if research is the primary purpose behind use of patient information; otherwise, HIPAA classifies the data use as health care operations.
IRB review of the registry protocol would include the research purpose of the registry, informed consent arrangements (or an explanation of why informed consent is not necessary), and privacy and confidentiality safeguards.Footnote 64 Compulsory registries that are required by law fall under the Common Rule’s umbrella only if the registry is used for research. In such cases, consent would be required unless a waiver has been authorized by a governing IRB.Footnote 65 Taken together, although the Common Rule affords protections for research that utilizes registry data, registry stewards and downstream data users must be mindful of the ethical implications of consent waivers and other exceptions to the research guidelines. That use of registry data without patient consent may be legal does not mean that such use is ethically appropriate.
17.3.3 Additional Laws
Apart from HIPAA and the Common Rule, we also note briefly that several other laws may apply to the creation and use of registries. The additional laws include federal statutes, state statutes, state common law, and, in the case of registries incorporating data derived from patients outside the United States, laws from other nations. For example, coupled with the Common Rule’s application to research involving registries, there are supplemental federal protections and guidelines for research involving prisoners, pregnant women, children, and patients in federally funded substance abuse programs. In addition, the NIH can issue a certificate of confidentiality for a specific project that requires confidentiality beyond the general legal requirements.Footnote 66
Also relevant is the Federal Trade Commission (FTC) Act, which prohibits unfair or deceptive trade practices.Footnote 67 Registries fall within the FTC Act’s reach, and it would be a deceptive trade practice to provide individuals with false or misleading information regarding data collection or use.Footnote 68 State laws, such as the California Consumer Privacy Act, may also confer rights bearing on registry design, as will the laws of other nations, such as the European Union’s General Data Protection Regulation, if data are collected from or shared within their jurisdictions.
17.4 Proposed Guidelines for Development and Use of Compulsory Registries
The benefits of compulsory registries are tangible and significant. In light of the significant evidence gaps in premarket review, we believe that the potential benefits to be gained from compulsory registries likely outweigh the risks to participating subjects. Yet we are mindful of the implications of compulsory registries on patient autonomy and respect for persons, and thus recommend that a robust informational-disclosure dialogue be implemented as a component of informed consent for clinical care where enrollment in a registry is a requirement for use of the medical device.
Insofar as all patients will have procedural consent obtained prior to device implant, there is an existing mechanism for clinical contact. Moreover, some registries already incorporate detailed patient interviews purely for research purposes, such as the collection of patient-reported outcome measures for key variables such as quality of life. Incorporating a verbal or written consent into the clinical point of care or patient interview would not pose an unreasonable burden on physicians or investigators.
In addition to robust consent and data-linkage protocols, we likewise recommend that registry stewards and data users be held legally accountable for maintaining the security of patient data and for providing patients with clear information on data collection and use. This includes providing detailed information on registry sponsorship and specific uses of registry data before the patient authorizes clinical use of a device. Accountability also includes a privacy-by-design feature whereby registry stewards must affirmatively obtain consent from patients if patient data are to be used beyond the original scope, allowing patients to opt out of such downstream uses. To further accountability, patients should have easy access to a tracking system that details data use and downstream research.
To promote public trust in compulsory registries, stewards should task a standing advisory committee to track operational and ethical issues. At least one member of the committee should be trained as an ethicist and not have a relationship with the registry steward or downstream data users. The committee should also be a forum whereby patients can raise questions or concerns about the registry. To the extent these criteria are met by an existing institutional review board, there may not be a need to create a separate committee.
17.5 Conclusion
Compulsory registries promote patient outcomes and facilitate robust lifecycle analysis of medical devices. Insofar as laws and regulations leave significant gaps as to when patient authorization is required prior to collection and use of patient data, providers and registry stewards have an ethical obligation to inform patients about data collection and use. Contemporary data protection and research laws afford limited protections for individuals, but these existing laws need not dictate ethical guidance. This is particularly true in the context of health information, which is widely viewed as one of the most sensitive informational domains. Instilling supplemental privacy safeguards and data-use limits may be appropriate when patients are compelled to include their personal information in a registry as a condition of receiving medical care.