Okay…everyone listening? What follows is a sin. There’s a regulatory pit in the digital health industry. And if you fall into it, it’s a crime, morally and legally.
Many breaches in digital health regulation can be forgiven. There’s a lot to remember; SCCI 0129, the Medical Device Directive, Security, Privacy, IGTK, GDPR – they all have their own quirks and peculiarities. But there’s one loophole which, if exploited, can land you in a whole heap of trouble.
It goes something like this. The EU Medical Device Directive employs a classification system to ensure that products are assured to a level commensurate with the degree of risk they pose to patient care. The higher-level classes (IIa, IIb and III) all require the involvement of a third party, a Notified Body who will inspect, audit and validate the assurance work to check that it stacks up.
But for the lower-risk Class I devices, the Directive (now a Regulation) permits self-certification – an uninspected and unchecked route to gaining the coveted CE Mark. The manufacturer completes a form called an RG2 and submits this to the MHRA along with a fee of £70. In turn, the regulator provides authorisation to draw up a Declaration of Conformity and affix a CE Mark. For less than a day’s effort, it’s job done.
But here’s the catch; in making the application you are formally declaring that you have successfully completed all of the relevant assurance steps required by the Directive. For the avoidance of doubt, a full risk assessment, literature search, clinical trial, validation, compliance with IEC 62304, 62366, etc. and the implementation of a post-market surveillance strategy will take you a bit longer than a day. For some manufacturers, it might be upwards of six months.
Surely no self-respecting manufacturer in a western country would exploit this short-cut and commit such a crime? And make no mistake, this is a crime under the Consumer Protection Act. Well, unfortunately, it seems that it’s far too common.
Some manufacturers are thankfully beginning to see the error of their ways and are addressing the problem. But a new twist in the tale is on the horizon.
NHS Digital’s SCCI 0129 Standard calls for the manufacturers of those Health IT systems which are not Medical Devices, to formally risk manage their products. Increasingly, pressure is being put on NHS suppliers to comply. The work is generally seen as being less arduous than full CE-Marking and the process is reserved for lower risk digital health products.
But the difference here is that the outcome of the SCCI 0129 work has to be shared with the manufacturer’s customers. The manufacturer is forced to bare all in the interests of patient safety. In contrast, the manufacturer of a CE Marked Medical Device can conveniently hide behind the affixed CE Mark – unobligated to disclose anything…and that ‘anything’ might just be ‘nothing’.
Tempting, isn’t it? Spend weeks developing an SCCI 0129 risk management strategy or spend £70 and win the higher prize of a CE Mark. But it’s a risk. Should something go wrong and the MHRA or a court lift the lid on that CE Mark, the directors will be having sleepless nights. Unfortunately, for some, it’s a risk they’re willing to take.
Clinical Risk Management and Regulation are there for a reason – to protect patients. Most manufacturers do the right thing and seek the help they need to properly comply with the requirements. But as a healthcare organisation or systems integrator, you shouldn’t take things at face value. Ask the difficult regulatory questions, because honest and reputable suppliers will have no difficulty in answering them.