Non-binding Guidance: FDA Regulatory & Enforcement Risks Relevant to Academic Medical Centers, Health Systems and Research Institutions

Podcast
June 28, 2024
21:43 minutes

On this episode of Ropes & Gray’s podcast series, Non-binding Guidance, counsel Steve Sencer moderates a discussion on how FDA regulatory issues may impact academic medical centers (AMCs), health systems, and universities/research institutions. Joined by partner David Peloquin, and counsel Sarah Blankstein and Beth Weinman, the episode explores the complexities of FDA regulation, the potential risks, and the best practices to mitigate them. The discussion also highlights the challenges and implications of using digital tools in research studies.


Transcript:

Steve Sencer: Welcome to Non-binding Guidance, a podcast series from Ropes & Gray focused on current trends in FDA regulations and enforcement. My name is Steve Sencer, and I’m counsel in Ropes & Gray’s D.C. office. I represent almost exclusively universities and academic medical centers (AMCs). As you might be able to tell, based on the focus of my practice, this week we are going to take this podcast in a slightly different direction and focus on how FDA regulatory issues may affect universities, academic medical centers, and health systems. I’m joined today by my wonderful colleagues, David Peloquin, a partner in our health care group, and Beth Weinman and Sarah Blankstein, who are both counsel in our life sciences regulatory and compliance group. Each of these attorneys, in addition to representing clients that typically think of themselves as FDA-regulated, such as pharmaceutical and medical device companies, also represent universities, AMCs, and health systems—thus, they are well-placed to discuss how FDA regulation applies to these types of entities.

I joined Ropes & Gray about one year ago after 22 years in-house at Emory University, with the last 12 as general counsel. At Emory, I would episodically encounter FDA issues, and those would always be a challenge. There were not enough issues to justify hiring an FDA specialist in-house, but those that did arise had the potential for significant reputational, financial, and legal harm to the institution. When I arrived at Ropes, with its extraordinary FDA practice and lawyers with an affinity for research universities, institutes, and academic medical centers, I encouraged Beth and others to think about creating some practical guidance for in-house counsel, to help them identify the truly significant issues and develop paths forward to protect their institution without frustrating the mission or breaking the bank. Beth, David, and Sarah were kind enough to listen, and we recently collaborated on an article that will soon be published in the American Health Law Association’s Journal of Health and Life Sciences Law. The article concerns FDA regulatory and enforcement risks that are relevant to universities, academic medical centers, and health systems. On today’s podcast, we want to highlight some of the enforcement risks associated with those FDA-regulated activities.

Beth, to kick us off, would you give us a brief overview of some aspects of FDA regulation that can apply to work that is conducted at universities, health systems, and other research institutions?

FDA Regulatory Obligations

Beth Weinman: Sure, Steve—thank you. For our listeners, I’m Beth Weinman. As for background, I’m a former enforcement lawyer in FDA’s Office of Chief Counsel, and my practice focuses on FDA regulatory compliance and enforcement, like the name of the practice. I work regularly with colleagues, like you and David, on counseling institutions and others on FDA regulatory compliance and in responding to FDA inquiries and inspectional observations.

As many of our listeners may be aware, there are many FDA regulatory obligations that attach to clinical and preclinical research and also to laboratory testing in certain circumstances. There are regulations that outline good laboratory practices that are applicable to preclinical testing conducted to support drug and device research and marketing applications. There are good clinical practice regulations that govern drug and device clinical research. It’s important to recognize that there are current good manufacturing practice regulations that apply to drug and device quality assurance testing that sometimes takes place at universities, and also to the manufacture of investigational drug products that are used in clinical research. And, of course, there are statutory and regulatory provisions that define when products and tools used in medical practice and research may be regulated as drugs or medical devices and, thus, may require research or marketing submissions to FDA. To this point, FDA’s regulatory framework is complex, and it’s broadly applicable to the development and commercialization of medical products.

Steve Sencer: Thanks, Beth. David, I know you do a ton of work in drug and device research working with colleagues to unpack these thorny FDA issues, but also, you focus on other federal and state laws and regulations, such as the Common Rule, that attach to research. Can you tell us how your work goes beyond the FDA obligations? Are the obligations duplicative? Are they conflicting?

David Peloquin: That’s a great question, Steve. As a partner in the health care group at Ropes & Gray, I focus my practice on advising AMCs, universities, and health systems, as well as pharmaceutical and medical device manufacturers on issues related to research. I also counsel on digital health matters and data privacy issues, as well as advising companies investing in entities that are conducting research.

Part of the complexity here is that the way research involving human subjects is regulated in the United States is not at all intuitive. When I explain it to my pharmaceutical and medical device clients that are headquartered outside of the U.S., they’re often surprised by how complex the U.S. regulatory scheme is.

We have one set of regulations administered by the FDA that apply to research that involves a drug, device, or biologic that is regulated by FDA. Then, we have an entirely different set of regulations, typically referred to as the “Common Rule,” that applies when the research is funded by most federal government departments or agencies. While these two sets of regulations are similar—and there is now a proposed rule issued by FDA to further harmonize the two sets of regulations—they are not identical. It is common to have research studies, like an NIH-funded study of a drug or medical device, that must comply with both sets of regulations. To complicate matters further, certain states, like New York and California, impose their own requirements on research involving human subjects. These state laws can often impose additional requirements on research that is subject to the Common Rule or FDA regulations, or they can apply in situations where the Common Rule or FDA regulations wouldn’t attach, such as research that has no federal funding and does not involve a product regulated by FDA.

It is also important to keep in mind that activities involving biomedical research frequently implicate other health care laws that are not specific to research activities. For example, during the COVID-19 pandemic and afterward, there has been a growth in what are often called “decentralized” clinical trials, where research activities involve telemedicine modalities or visits by mobile health care providers to a study subject’s home. These types of studies raise a host of questions that arise under health care laws having nothing to do with research, such as questions about patient consent to telemedicine, questions about whether the investigator conducting the research requires a license to practice medicine in the state where the subject is located, and questions about whether the personnel conducting home visits trigger the need for home health licensure.

Because biomedical research necessarily involves the collection of health information about the study subjects, one needs to consider the applicability of HIPAA to the research activity as well as state laws on medical privacy. For example, several states maintain laws that govern the privacy of specific types of information, such as mental health, infectious disease, or genetic information—all of which may need to be considered. Research is also increasingly international, involving the flow of personal data across international borders. In such cases, one needs to think about foreign privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), when evaluating the research.

The bottom line is that often when university or health system clients come to us with a question about a research study, they may present the question as an issue arising out of FDA regulation or the Common Rule, but as we analyze the specific facts of the study, we often uncover that there are several other sets of health care laws to consider.

Steve Sencer: I see how laboratory practices, clinical practices, and manufacturing practices can be immediately relevant to AMC research operations and clinical studies—but Sarah, can you tell me a little bit more about when research tools may be considered medical devices? It seems pretty clear what a medical device is, and that AMCs and health institutions would know whether they’re working with one or not, right?

Complexity of Device Framework

Sarah Blankstein: I’m happy to speak to that, Steve. For our listeners, I’m Sarah Blankstein. My practice is focused on FDA regulatory and compliance counseling for pharmaceutical, biotechnology, and medical device companies as well as health care institutions. But to get back to your question, I’ve seen this issue come up a lot of when a tool used in clinical practice or research may be a medical device—and it’s not always clear.

Of course, AMCs and health systems employ some tools that are clearly medical devices. One thing that’s not always considered, though, is the potential that software tools, things like algorithms that analyze medical images or decision support tools that calculate risk scores or suggest potential diagnostic or treatment options—whether they’re used in research or clinical practice—that those may actually be FDA-regulated devices. And this is really critical to consider, particularly with the rapid proliferation of artificial intelligence and other digital tools in health care and research contexts, including tools developed by universities and health systems themselves. Depending on their intended uses, these software tools may be regulated by FDA as medical devices. If a software tool does meet the definition of a medical device, use of the software without appropriate clearance or approval from FDA and compliance with device quality system and post-marketing requirements, and (when applicable) compliance with clinical trials-related regulations, can expose institutions to FDA enforcement risk and other legal and reputational risks.

Steve Sencer: That’s the kind of thing that would make me nuts when I was general counsel, because when you’re GC, your job is to issue spot, and these seem to be hidden issues lurking in here. So, Beth, how does an AMC, health system, or a university get on FDA’s radar?

How Institutions Get on FDA’s Radar and FDA’s Available Compliance Actions

Beth Weinman: That’s a good question. Everybody’s familiar with routine surveillance inspections that FDA conducts of regulated product manufacturers to assess their compliance with current good manufacturing practices, and I think people understand and expect that. But what might be less familiar is that the Agency also has a Bioresearch Monitoring inspection program, referred to commonly as the “BIMO” program, through which the Agency assesses the compliance of research sponsors or clinical investigators and laboratories with applicable clinical practice and laboratory regulations. The purpose of this program is to ensure that clinical and preclinical data that’s used to support marketing applications is of sufficient quality to support the safety and efficacy of medical products, so that is one way institutions can get on FDA’s radar. If it is a clinical site that is disclosed in a research application, the name and address of the site will be available for FDA to inspect—and before a product gets approved, oftentimes, FDA will inspect such a site. But FDA can also inspect a regulated site on a “for cause” basis when the Agency has reason to believe, due to a complaint or otherwise, that the site’s not operating in compliance with the law.

If FDA identifies noncompliance, it has a series of mechanisms that it can then employ, including an FDA Form 483, which lays out the observations that an FDA investigator has during an inspection to put a company on notice of areas they should work on that the investigator thinks may be noncompliant. If FDA is not satisfied with the remedial actions taken in response to a Form 483, FDA can issue a warning letter, which is a step up in enforcement. If FDA sees cases of severe and pervasive noncompliance, it can even disqualify a clinical investigator—and that tool prevents that investigator from handling an investigational product. Other potential enforcement options related to potential violations of the Federal Food, Drug, and Cosmetic (FD&C) Act can span civil injunction or seizure actions to criminal prosecution brought by the Department of Justice (DOJ). But, in addition to FDA authorities, there are certainly private litigants that can bring tort or professional negligence lawsuits. The government can pursue federal False Claims Act (FCA) investigations—there are state analogues to that type of statute. There is the availability also of criminal prosecutions based on various fraud and conspiracy provisions in Title 18 of the U.S. Criminal Code, and we have seen that applied in the research context.

Steve Sencer: That is a scary list for a general counsel. So, what actually prompts the FDA to visit in the first place, and what can happen after such a visit?

What May Prompt an FDA Inspection

Beth Weinman: As I think I mentioned a little earlier, study sponsors, investigators, and sponsor investigators are listed in research applications that are submitted to FDA, as are the sites where research is being conducted, so that puts people and places on FDA’s radar. Laboratories that are involved in testing that support an investigational new drug application, an “IND,” or an investigational device exemption, also referred to as “IDE,” must also be listed in those submissions to FDA for permission to conduct the research. So, if a university laboratory is conducting testing that will support a drug or biologic submission, for example, information regarding that laboratory will be submitted to FDA, and the laboratory could be subject to inspection under FDA’s BIMO program. Also, anyone who participates in a clinical study or who becomes aware of concerns about research practices or human subject protection can reach out directly to HHS or DOJ if they’re so inclined, and that can also prompt an investigation. In addition, regulated product safety issues or poor outcomes in clinical practice can lead to whistleblower complaints or class action lawsuits, and resulting media attention can sometimes invite scrutiny from FDA regulators, investigative agents, or DOJ prosecutors. So, all those are possible ramifications arising out of people who are involved in research who think that the wrong thing has happened in a research study or in lab testing. Finally, clinicians, hospitals, and product manufacturers or sponsors may affirmatively tout the benefits of their products and services publicly, and that sometimes invites government attention and leads to further scrutiny if there’s some concern about a potential safety risk or an inappropriate or potentially illegal practice. In each of these cases, FDA and investigators from other agencies may be prompted to pay special attention to the research institution.

Steve Sencer: Thanks, Beth. David, what are some thorny issues you see in your practice that could implicate FDA enforcement?

David Peloquin: Where should I start? Just kidding—no more scaring anyone in this podcast. Look, a lot of the issues we see, Steve, in the clinical research space arise out of well-meaning institutions and health care practitioners who can lose sight of the difference between clinical practice and research. These practitioners always keep the patient well-being top of mind, but sometimes they lose sight of their obligations, especially when serving as investigators, to follow the research protocols exactly, to keep good records, to seek clarifications from study sponsors regarding any ambiguities in the study protocols—especially related to things like dose modifications—and to keep informed consent forms up-to-date. Things like that are where we see issues arise.

I also think it’s worth noting that FDA is particularly interested in protecting human subjects who participate in any FDA-regulated clinical research study. The Food, Drug, and Cosmetic Act (as well as the Common Rule) provide a series of rules regarding the protection of human subjects during clinical studies. That includes rules related to obtaining valid informed consent and the applicable requirements for the substance of an informed consent. These rules also govern institutional review board (IRB) oversight and clinical investigations to ensure risks to subjects are minimized and are reasonable in relation to anticipated benefit of the subjects and the importance of the research. Additionally, there are requirements related to keeping accurate records of the clinical investigation.

It’s also important to note that while we often think of a “sponsor” of a research study as a medical device or pharmaceutical manufacturer that manufactures the product under study, many of our university and AMC clients conduct “investigator-initiated” studies, in which the investigator becomes a “sponsor investigator”—this means that the investigator has the regulatory obligations both of a study sponsor and an investigator. It is important that institutions conducting such research have appropriate policies and procedures in place, so that the investigator can read these two distinct sets of regulatory obligations.

I also see a lot of confusion regarding the use of digital health tools in research. Increasingly, digital tools, like mobile applications and wearables, are being deployed in research studies. While investigators and study teams will often think, “It is just an app—it couldn’t possibly be regulated as a medical device,” these types of digital tools raise interesting FDA issues on which I frequently collaborate with Sarah. So, Sarah, do you have anything to add on this point about use of digital tools in research studies?

Complexity of Software as a Medical Device (SaMD)

Sarah Blankstein: Thanks, David. Yes, that’s definitely something that comes up a lot. I covered some of this earlier in the podcast, when I spoke about software tools that may qualify as a medical device. If we’re talking about research, it’s going to be important to determine if software or really any tool used in the research study is a medical device—and then, if so, what FDA regulatory requirements may be triggered. Depending on the circumstances, FDA regulations could require submission of an IDE to use the device in the clinical trial, or abbreviated requirements may apply, or the use may be exempt from IDE requirements.

Health care providers and others at an institution who are developing or bringing medical software into the institution, as well as clinical trial sponsors, sponsor investigators, and IRBs, should be trained on identifying when the use of digital tools could have regulatory implications and when they should call the legal department in for help. Knowledgeable FDA legal counsel that are closely monitoring FDA’s regulatory decision-making and enforcement in this area can be a really critical resource. We get a lot of questions from health care and research institutions in this area.

Steve Sencer: Thanks, Sarah. That goes back to the point I started with, which is it’s a challenge at a university, health system, or research institute to pay attention to the FDA issues, and this podcast has provided a lot of information to our listeners in those areas. So, to wrap up, can anyone provide a few best practices to reduce the risk of a hiccup resulting from not knowing that certain activities have FDA implications?

Key Takeaways

David Peloquin: Sure—happy to do that, Steve. As we outline in the article, there are three best practices that can greatly mitigate the risk of FDA enforcement action:

  • First and foremost, considering the significant FDA regulatory obligations that attach to activities conducted at AMCs, hospitals, and health systems, it is important for AMCs, hospitals, and health systems to have a robust compliance infrastructure in place that is appropriately resourced.
  • Second, institutions should maintain a robust set of (i) policies that explain the rationale for various categories of compliance obligations and (ii) procedures and work instructions that provide step-by-step instructions for how to comply with established policies.
  • Finally, any employee involved in some of the investigative testing and research functions that we previously discussed should be regularly trained on the rationale for the institutions’ policies and procedures, what they require, and how noncompliance with these safeguards can be detrimental.

And finally, this stuff is tough. If folks aren’t sure how FDA obligations apply to them, ask questions. Seek help from professionals—either within the institution or outside. It saves a lot of grief and aggravation involved in responding to an FDA 483 or warning letter.

Steve Sencer: Having responded to FDA 483s, I can attest to the grief and aggravation. Thanks to all three of you for this very informative podcast. And to any of those listening who aren’t familiar with these issues, the first thing I’ll say is, I’ve been there, and you don’t need to panic. There are experienced regulatory consultants out there, like my colleagues on this podcast, who can assist and aren’t afraid to jump in and help you with the very specific need you have and not boil the ocean.

As we wrap up, I want to encourage all of you to read our full article, which will be available—when published—on our website, for a more in-depth discussion of some of the activities and FDA risks that we discussed. Feel free to reach out to any of us if you think your institution could use a little more help navigating this complex regulatory landscape.

Thanks very much to everybody for tuning in to our podcast. For more information about our college and university, health care, and FDA practices, please visit our educational institutions, health care, and FDA regulatory and life science practice pages at www.ropesgray.com. You can also subscribe to Non-binding Guidance and other RopesTalk podcasts in Ropes & Gray’s podcast newsroom on our website, or by searching for Ropes & Gray podcasts on Apple or Spotify. Thanks again for listening.

Subscribe to Non-binding Guidance Podcast