How medical device manufacturers are implementing standards like GDPR and HIPAA

[Chromemo]

I’m curious from a tactical standpoint how medical device manufacturers are implementing standards like GDPR and HIPAA either inside or outside the QMS. Do you use the same quality systems and the SOP hierarchy you use for QMS processes or roll them into a different business process?

There is resistance to release Operating procedures and Work instructions within the QMS as there is concern that they could be “discoverable” by regulators like FDA and ISO auditors.

I’m concerned if they aren’t structured as QMS requirements they not be followed strictly, and there could be real or perceived conflicts.

 

[Ed Panek]

We added a section to our QMS called BUS for business because is satisfies customer or partner queries and interest. Our QMS is a nice way to control all our documents, not only ones related to a standard. Yes an auditor can review them but what standard and scope would they claim that gives them authority over these processes? We also have in our QMS disaster and recovery plans, some ISMS documents but any 9001 or 13485 auditor would have no governance over them.

If they argue about it show them this from ISO 13485: "It is not the intent of this International Standard to imply the need for uniformity in the structure of different quality management systems, uniformity of documentation or alignment of documentation to the clause structure of this International Standard."

 

[yodon]

This is an interesting discussion. ISO 13485 states:

5.2 Customer focus
Top management shall ensure that customer requirements and applicable regulatory requirements are
determined and met.

Further:

8.2.4 Internal audit
The organization shall conduct internal audits at planned intervals to determine whether the quality management system:
a) conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements;

(my emphasis added in both).

If you're 13485 and selling into Canada, the AOs I've worked with require that an internal audit cover MDSAP requirements. If you're selling in the US, they can look at compliance to the QSR. And if in EU, the MDR is now in play So where IS the line drawn? What constitutes a 'complete' internal audit? GDPR and HIPAA are "applicable" regulatory requirements if you're in those areas. Why should those be out of scope for either internal or external audit?

 

[Ed Panek]

Interesting.

Can you be non GDPR but CE compliant? Non HIPAA but QSR compliant? Not FCC but QSR compliant? What if a MDR audit finds a a problem with MHLW (Japan) compliance?

 

[yodon]

If you're not collecting / managing protected (health) info then yes.

By MDR audit, do you mean technical file review? If so then they wouldn't care. If an ISO audit and Japan is in scope, ???

 

[Ed Panek]

What if you are collecting data? Would an ISO auditor in the USA know enough to protect EU patients under GDPR and make a finding?