EU MDR presents clinics with data protection uncertainty

In May of this year, the transition period for the Medical Device Regulation (MDR), which came into force in 2017, expired. Medical device manufacturers must therefore comply with its requirements from this date at the latest. However, the new regulation also entails additional work for those who collect the medical data for the manufacturers and transmit it to them: physicians and clinics.

The BMWi-funded AIQNET project has therefore set itself the task of intelligently evaluating medical data for the benefit of clinics and industry. First, however, legal hurdles must be overcome. The consortium is currently working to ensure that the collection and transfer of clinical data complies with data protection regulations and is calling for legal clarity from policymakers.

In hospitals, a large amount of medical data is collected every day as part of routine care. This data offers enormous potential for medical care – both for clinics and for industry. To this end, the BMWi-funded AIQNET project has set itself the task of structuring medical data from the clinic using intelligent software solutions and thus making it usable. The approach is that of a digital ecosystem: based on connectivity to the IT systems of clinics and a flexible, interoperable data model based on the FHIR standard, software providers can create highly specialized applications for clinics, research and industry.

By providing connectivity and various basic functions, the development effort for providers of medical software solutions is significantly reduced. Clinics benefit in many ways through access to state-of-the-art software applications and greatly simplified integration into existing IT structures.

Deep medical insights from data on treatment and treatment outcomes can support decisions in the context of personalized diagnostics and therapy. For this purpose, multiple data sources are linked and analyzed, increasingly using artificial intelligence. Software can also be used to automate processes for collecting and analyzing data (patient surveys, case documentation, diagnoses and administrative processes). The pharmaceutical and medical technology industries also benefit from automated data capture and previously inaccessible, fine-grained medical insights. This can make it possible to develop higher-quality care offerings tailored to individual patients.

In addition, AIQNET enables the medical technology industry to meet its legal requirements under the Medical Device Regulation (MDR, EU Regulation 2017/745). The EU MDR obliges manufacturers to continuously monitor their products. A large part of the data required for this can already be obtained from routine care. Another part can be extracted and supplemented by ecosystem software applications.

Scope of clinical data for EU MDR purposes

With the Medical Device Regulation (MDR), manufacturers of medical devices are required to monitor their products more proactively and much more intensively than before with regard to performance and safety as part of post-market surveillance (PMS). To do so, manufacturers must submit data to Notified Bodies for compliance with MDR requirements. The overarching goal of the MDR is to remove problematic products from the market as quickly as possible so that only effective products with favorable risk profiles are offered to physicians and patients.

However, in order to make routine care data usable for EU MDR purposes, clarity must be provided on the scope and nature of the data required. This continues to create uncertainty on the part of manufacturers. “To enable manufacturers to fulfill their obligation effectively and with as much certainty as possible regarding the acceptance of the type and scope of data submitted, we are currently working with a growing number of manufacturers to define product groups and the data required in each case. Our goal is to take the agreed product groups and respective data requirements to consensus building among Notified Bodies in a next step,” said Frank Trautwein, consortium leader of the AIQNET consortium.

Creating security for hospitals

However, in order for a manufacturer to be able to process these data at all, it must rely on hospitals to collect and transmit them. These in turn must be able to rely on effective legal legitimation to collect and, if necessary, pass on such data. The safety and performance of medical devices are to be tested by the notified bodies on the basis of these data from everyday care. The obligation to collect and transmit the data is incumbent on the respective manufacturer within the framework of the “clinical evaluation” to be carried out on an ongoing basis.

For this task, hospitals could possibly invoke an “implicit duty of support of the manufacturer”, derived from Art. 9 (2) lit. i GDPR in conjunction with the relevant regulations of the MDR (Art. 61 MDR). There is no explicit regulation on this, so the current data protection uncertainty requires additional steps in practice (obtaining the patient’s consent in each individual case) and thus permits only a prospective collection of the corresponding data, analogous to clinical studies.

In Germany, more than 60,000 medical devices are registered with the Federal Office for Drugs and Medical Devices (formerly DIMDI), for which EU MDR requires market monitoring at the level of clinical trials. In fact, “only” about 1,500 clinical studies have been registered annually in Germany to date. Due to the sharp increase in the need for product-specific clinical data with the MDR, the collection of these data must be integrated into the clinical treatment process with the least possible additional administrative and medical effort; otherwise, the increase in clinical data collection prescribed by the legislator by a factor of 40 is not feasible. An exclusively prospective collection with individual study protocols is not feasible for the amount of clinical data now required in everyday life and is contrary to the primary care mandate of hospitals.

While data from clinical registries provide a building block for evaluating medical devices, they can only partially meet manufacturers’ needs because of the time lag in providing them and the shallowness of the data. Therefore, under the special commitment of the University Hospital and the BG Clinic Tübingen, the consortium has identified the standardized, prospective collection of MDR-relevant data from everyday care as the only practicable way to solve the described problem.

Call to politicians and associations

The consortium questions whether and to what extent a hospital can rely on Article 9(2)(i) of the GDPR to regulate the collection and transfer of product group-specific clinical data for quality assurance purposes from medical device manufacturers.

In the view of the consortium, the legislator has failed with the national implementation of the Medical Devices Regulation to create an explicit legal basis for the operators and users of medical devices to collect and transmit relevant data to authorized third parties. Politicians are therefore called upon to create legal certainty for clinics at this point, e.g. by means of a corresponding amendment to the Medical Device Operator Ordinance (MPBetreibV).

In addition, the consortium is asking for the help of other medical device manufacturers to clarify the scope and type of data required. In this way, it may be possible to submit comprehensively coordinated product groups and the respective data requirements to the notified bodies for consensus building.
