CDRH: Email Recall Notices Could Pose HIPAA Risks
Emailing recall notices to clients may seem efficient, but it could cause a host of concerns around confidentiality and effectiveness, a CDRH official warns.
Ronny Brown, chief of the CDRH recall branch, told attendees at FDAnews’ 11th Annual Medical Device Quality Congress that while the FDA has been looking at ways to incorporate newer technologies into recall announcements, questions about due diligence remain.
Moreover, the purchase or use of certain products, such as in vitro diagnostics, may be considered sensitive health information under the Health Insurance Portability & Accountability Act, Brown said. If that’s the case, an emailed recall notice might be viewed as violating HIPAA and infringing patient privacy.
The FDA also needs more time to determine whether Twitter is an effective way to communicate a recall, Brown told conference-goers. The concern isn’t that a public Twitter notice might cause a panic, but that it may not reach enough clients or include all pertinent information. Current regulations on how to issue a recall notice are badly outdated and make mention only of mailed and telegram notifications, he said.
Rule of Thumb
The rule of thumb, said Brown, is that a manufacturer should make three attempts to contact a customer before declaring them unreachable. If failure of customers to respond is preventing a company from closing out a recall, Brown advises the manufacturer to contact their FDA district office to explain the situation. District offices have an interest in avoiding a backlog of unclosed recalls, he said.
Brown noted that companies will also need to incorporate unique device identifiers in their recall notices as they are added to labeling.
Some large healthcare systems want recall notices sent to a central address for easier processing, rather than being distributed to each separate site. In such cases, Brown encourages devicemakers to work with the customer to design an effectiveness check that will ensure the notice reached all staff who use the device. One response from a central office isn’t sufficient to show a recall was effective, he said.
Manufacturers also need to coordinate messages with any secondary distributors to avoid confusion, Brown noted. He suggests that devicemakers draft a press release for the distributor to issue and work with the FDA to ensure the messaging is consistent.
Another common concern for devicemakers is classifying recalls, said Pamela Forrest, a partner at King & Spalding. While, theoretically, very minor fixes might be considered unreportable “corrections,” she’s never seen the FDA declare anything brought to its attention as less than a Class III recall.
Forrest stressed that the agency is also conservative in its definition of “stock removal,” or undeclared corrections made to undistributed devices. To be eligible, devices typically should not have left manufacturer control, she said. Devices carried by an employee may be acceptable, but ones in a warehouse owned by a third party or given to an independent sales representative normally would not.
When a company becomes aware of a problem with a device, a thorough health hazard evaluation is crucial, Forrest said. The evaluation must be thorough enough to defend the decision not to recall a device, if that’s what the company decides. Forrest cautioned that if an MDR has been filed on the problem, it’s almost certainly FDA-reportable.