#1
In ISO 13485:2016 there is a new requirement in section 4.2.5 for Control of Records that states "The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements." Since we have a CE mark for our medical device we need to be follow GDRP requirements for patient privacy, which entails many documents we need to create to demonstrate compliancy.

As a result I have a few questions... are we required to include all our GDRP documents as part of our QMS? Is a statement in our Control of Record procedure stating that we are compliant sufficient? If not, can I expect during our next 13485 audit that the auditor will also audit to GDRP requirements otherwise how could they know if we are "...in accordance with the applicable regulatory requirements"?
 

Mark Meer

Trusted Information Resource
Trusted
#2
... are we required to include all our GDRP documents as part of our QMS? Is a statement in our Control of Record procedure stating that we are compliant sufficient?
Keep the scope of your quality system in mind when determining what documents are necessary to maintain under it. Is the confidential information you are maintaining related to your QMS, or the devices designed, manufactured, sold, and/or monitored under it?

Regarding audits, auditors will want evidence that you've established an effective system for meeting the requirements. If you simply say "system shall comply with GDPR" in your procedures as a way to address the ISO requirement, it would be reasonable for an auditor to then follow up with "ok, show me the evidence". In this case, you'd want your GDPR documentation handy to demonstrate to them that you're doing what your procedures state.
 

JoshuaFroud

Involved In Discussions
#3
I personally have addressed this in our QMS by adding a section to the Control of Document and Records procedure stating, "Confidential health information will be maintained in line with GDPR". This is preceded by a sentence stating that as a general rule we, as a company, will not access confidential health information as part of normal business operations.



Our privacy policy and other related documentation is maintained within our electronic document management system but does not explicitly form part of the QMS.
 
#4
Thanks Mark for your reply. I do have one further question related to your response...

You mention that the auditor may say "ok, show me the evidence" but unless they know how to interpret the evidence how can they possible say we are "in accordance with the applicable regulatory requirement" as ISO 13485 states?
 

Mark Meer

Trusted Information Resource
Trusted
#5
...You mention that the auditor may say "ok, show me the evidence" but unless they know how to interpret the evidence how can they possible say we are "in accordance with the applicable regulatory requirement" as ISO 13485 states?
This is a good point of discussion, as it speaks to a fundamental shortcoming with respect to auditing against this particular ISO requirement. Auditors only have so much time and expertise, and so to check if an organisation is meeting all "applicable regulatory requirements" is not a clearly defined task.

It is within auditors' prerogative to dig as deep as they deem appropriate within the scope of their audit. However, in practice, due to constraints on time and expertise, I think you can assume that in cases like this, if they were to say "show me the evidence", simply pointing them to the documentation is probably sufficient (i.e. the details are unlikely to be scrutinised - but you should be prepared to show something rather than nothing).

Similar case is with respect to design test-reports. You can expect auditors to follow the design verification process down to the documentation outputs (test reports), but it'd be very unlikely that they have either the time or expertise to scrutinise the details (unless they are looking for fulfilment of a specific requirement e.g. justification for sampling).
 

yodon

Forum Moderator
Staff member
Moderator
#6
This is a good point of discussion, as it speaks to a fundamental shortcoming with respect to auditing against this particular ISO requirement.
Indeed, that's a REAL good point of discussion. Without intending to sidetrack this thread, the term (complying with) "applicable regulatory requirement" or similar shows up close to 40 times in the standard. Mr. Meer has hit the nail on the head when he says auditors have only so much time and expertise. This may well be a sore point as things play out. Will an ISO auditor (or the company they represent) be liable for NOT uncovering compliance issues to a regulatory requirement that is outside their expertise?
 
Top