FDA guidance on Quality Agreements for drug manufacturing has been somewhat scattered, with companies left to glean FDA expectations from interpretations of the regulations, portions of a number of different cGMP-related guidance documents, 483s and Warning Letters, and informal statements of FDA policy. 

In late May, FDA issued a new draft guidance for industry, “Contract Manufacturing Arrangements for Drugs: Quality Agreements.” 

The draft guidance addresses – in one place – methods of defining, establishing and documenting the responsibilities of each party involved in the contract manufacturing of drugs subject to current Good Manufacturing Practice (cGMP), with special emphasis on Quality Agreements.  Although FDA’s expectation of Quality Agreements has been evident in recent years, the issuance of this draft guidance is still significant; due to some differences in the underlying regulations, the basis of FDA’s expectation of a Quality Agreement has historically been more clear on the device side, due to “purchasing controls” requirements in 21 C.F.R. § 820.50.

While the draft guidance is new, concern around cGMP compliance is not.  In recent years, industry has seen the potential for significant consequences of alleged non-compliance with FDA quality requirements.  See our prior discussion on the topic here.  Because the agency considers contractors an “extension of the manufacturer’s own facility,” both the owner (i.e., the party that introduces a drug into interstate commerce) and contracted facilities are responsible for ensuring that their products are not adulterated or misbranded.  21 C.F.R. § 210.10.  Although the drug cGMP regulations do not explicitly require owners and contracted facilities to document their respective responsibilities in contract manufacturing arrangements, the regulations do require that Quality Unit responsibilities and procedures be in writing.  Id. § 211.22(d).  Accordingly, the agency encourages all parties involved to work together to ensure that the drug is neither adulterated nor misbranded as a result of its contract manufacturing operations and recommends the use of Quality Agreements to facilitate compliance with cGMP requirements. 

In the draft guidance, FDA suggests that a Quality Agreement clarify which of the cGMP activities are to be carried out by each party and track the basic subparts of the cGMP regulations or guidelines (e.g., for APIs, ICH Q7 guidance).  At a minimum, a Quality Agreement should contain the following basic sections: 

• Purpose/scope
• Terms (including effective date and termination clause)
• Dispute resolution
• Responsibilities, including communication mechanisms and contacts, and
• Change control and revisions (including subcontractors).

Areas of responsibility include Quality Unit, facilities and equipment, materials management, product-specific requirements and responsibilities, laboratory controls and documentation.

FDA has issued various guidelines addressing quality management principles related to contract manufacturing operations and recommended the use of Quality Agreements in the past, but the new draft guidance is significant for its focus on the importance and the details of written Quality Agreements.  Although, as the agency notes, written Quality Agreements do not relieve either party of their respective cGMP responsibilities under the regulations (you can’t contract away regulatory responsibility), parties can draw on quality management principles to carry out the complicated process of contract drug manufacturing by utilizing Quality Agreements.  In other words, a Quality Agreements is an important tool that  can be used to achieve compliance, to the benefit of all involved.

The draft guidance would apply to human drugs, veterinary drugs, certain combination products, biological and biotechnology products, finished products, active pharmaceutical ingredients (APIs or drug substances, or their intermediates) and drug constituents of combination drug/device products. 

* * * *

Please contact us if you would like more information about  how we can assist you with Quality Agreements and cGMP compliance.

Globalization in the life sciences sector shows no signs of slowing down.  When planning a product development strategy and evaluating the pros and cons of conducting research in different jurisdictions, companies frequently question their ability to use data from outside the U.S. to support an FDA application. 

On February 25, 2013, the U.S. FDA issued a proposed rule, which, if finalized, would allow companies to use data from clinical studies conducted outside the U.S. to support device applications to the FDA—even if the foreign studies were not conducted under a U.S. IDE— if the studies were conducted in accordance with "good clinical practice" (GCP) as defined in the proposed revisions to U.S. device regulations.   

The proposed rule would be relevant to investigational device exemption (IDE) applications, premarket notification (510(k)) submissions that include clinical data, premarket approval (PMA) applications, product development protocol (PDP) applications, and humanitarian device exemption (HDE) applications.

This rule, if finalized, would modify the approach taken by FDA to date with respect to non-IDE foreign devices studies:

• Current FDA regulations provide that FDA would accept and consider the results of a non-IDE foreign study submitted in support of a PMA if the study was conducted “in conformance with the Declaration of Helsinki” or the laws and regulations of the country in which the research was conducted, whichever accords greater protection to the human subjects.  The Declaration of Helsinki is a collection of high-level ethical principles for research involving human subjects.
• Instead of setting the Declaration of Helsinki as the minimum standard for acceptability of non-IDE foreign data, FDA would define GCP expectations for foreign data and make the approach consistent with the parallel regulations that apply to drugs. 
• Likely a reflection of the increasing frequency with which FDA is requiring clinical data for 510(k) submissions, FDA would make concurrent revisions to the IDE, PMA, and 510(k) regulations, eliminating the regulations’ lack of clear requirements for non-IDE foreign data supporting a 510(k).

 “Look to make your course regular, that men may know beforehand what they may expect.” – Francis Bacon

FDA intends for the proposed rule to provide greater consistency, whatever the product or application type, and to help ensure the protection of human subjects and the quality and integrity of foreign clinical data.  

The proposed changes are not surprising given that drug regulations were revised, effective October 27, 2008, to replace reference to the Declaration of Helsinki as the “floor” for GCP expectations with reference to an FDA-defined standard of GCP.

FDA's definition of “GCP” for purposes of non-IND foreign drug data is: “a standard for the design, conduct, performance, monitoring, auditing, recording, analysis, and reporting of clinical trials in a way that provides assurance that the data and reported results are credible and accurate and that the rights, safety, and well-being of trial subjects are protected.”  FDA’s proposed definition of GCP for non-IDE foreign device data uses exactly the same language.

FDA is requesting comments on the proposed rule by May 28, 2013.

Please contact us if you would like to submit comments on the proposed rule, or if you would like more information about how this proposed rule might affect your business.

      On January 25, 2013, the Office of Civil Rights (OCR) within the Department of Health and Human Services published guidance on whether banks and other financial institutions must comply with the Health Insurance Portability and Accountability Act (“HIPAA”) when they receive, transmit, use or disclose Protected Health Information (“PHI”) - patient-specific health information created by health care providers, health plans, health care clearinghouses, and other specified entities. 

      The OCR clarified that financial institutions are not required to comply with HIPAA when they conduct certain payment processing activities.  These activities include cashing a check, conducting a funds transfer, and authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums.

      However, OCR instructed that a financial institution may be a “business associate,” which must comply with HIPAA, where the institution performs functions “above and beyond” payment processing activities “on behalf of a covered entity,” such as accounts receivable functions on behalf of a physician, hospital, or other health care provider.  OCR did not describe what is “above and beyond payment processing” or define “accounts receivable functions.”  For health care providers, “accounts receivable functions” include payment processing activities and billing, but they may also include mailing letters to patients who are behind on payment, reviewing the terms of coverage agreements and provider contracts with health plans and other payers and applying them in dealing with patients, setting up payment schedules, and tracing changes to patient addresses.  Presumably, financial institutions performing these kinds of activities on behalf of providers are business associates.

      Thus, unlike other entities, whether financial institutions must comply with HIPAA does not turn on their receipt, disclosure, or use of PHI.  If this were the test, all banks would be business associates according to experts who have estimated that 40% of the information contained in most bank lockbox accounts meets the definition of PHI.  However, OCR instructs that the focus is on the nature of the information but on what financial institutions are doing with the information.

      If you are a bank or other financial institution that is performing an activity beyond processing payment, such as an accounts receivables function, you need:

• Internal audits of current practices and a risk assessment;
• Written HIPAA policies and procedures based on the results of the audits and risk assessment;
• Workforce training on HIPAA designed around the activities and the results of the audits and risk assessment;
• Contract review, development, and negotiation;
• Assurance that existing methodologies render PHI “secure” within the meaning of HIPAA and take advantage of “safe harbors”;
• Information about compliance deadlines and fast-paced modifications to HIPAA law;
• Experienced legal analysts equipped to perform compliance audits and risk analyses, make compliance recommendations, deal with covered entities and other business associates, and offer informed and educated mitigation advice;
• Support in responding to any potential breaches of PHI;
• Representation when a breach occurs; and
• General guidance from qualified health care attorneys on HIPAA, HITECH, and other federal and state privacy regulations.

DLA Piper’s Health Care Practice Group offers unique expertise in issues relating to financial and claims’ services, from regulations to coding.  Our attorneys also work with consultants and experts who focus on assisting financial institutions with expanding their health care service revenues.  We can assist with education and training, operations, and transactions in the health care industry.  For further information, please contact Marcia L. Augsburger at marcia.augsburger@dlapiper.com.

Contributed by Marcia Augsburger as part of the ongoing Compliance Matters series

On January 17, 2013, the Office for Civil Rights (“OCR”), Department of Health and Human Services, issued the long-awaited final rule:  “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.”  The final rule is effective March 26, 2013.  Covered Entities (“CEs”) and Business Associates (“BAs”) must comply with the applicable requirements by September 23, 2013. 

            The final rule seeks to address OCR’s findings in carrying out Executive Order 13563, which required OCR to conduct a retrospective review of existing regulations to identify ways to reduce costs and increase flexibilities under HIPAA.  The rule may or may not reduce costs, but the guidance provides more certainty for some businesses, and more flexibility for others, in interpreting privacy regulations that seemingly inhibited growth and development in the health care industry. 

            The rule clarifies that persons who undertake patient safety activities are BAs,[1] as are organizations such as Health Information Organization,[2] E-prescribing Gateways, or Regional Health Information Organizations that provide data transmission of PHI to a CE or its BA and that require access on a routine basis to such PHI.  As much as the rule offers certainty on these entities, however, it also offers room for argument, as OCR declined to define them with specificity.

            Indeed, OCR declined to statically define any type of BA, emphasizing repeatedly the necessity of performing a factual analysis in uncertain situations, guided by principals designed to meet the overarching goals of HIPAA, HITECH and GINA.  OCR first settled a topic of some debate at health lawyers’ conferences by acknowledging that mere conduits are not BAs.

Read more about the Final HIPAA Rule after the jump

[1] This is to conform to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), 42 U.S.C. 299b-21, et. seq.  PSQIA provides for the establishment of Patient Safety Organizations (“PSOS”) to receive reports of patient safety events or concerns from providers and provide analyses of events to providers.  Such reports may include PHI.  42 CFR 3.10 et seq.

[2] OCR declined requests for a more specific definition of “Health Information Organizations,” saying only that the term currently refers to organizations that govern health information exchange among organizations within a defined geographic area, but that as the industry evolves, the types of entities that fall within this definition may change.

I.            The “Conduit Exception” Is Recognized and In General, Conduits Are Not BAs

For years, many HIPAA pundits talked and acted as though the “conduit exception” was a figment of a lawyerly imagination – a hobgoblin of our own creation, to paraphrase a literary work usually saved for the holiday season we just left behind.  Imaginative lawyers are vindicated:  In the final rule, OCR emphasizes that “mere conduits” for the transport of PHI who do not access the information other than on a random or infrequent basis are not BAs.

However, the OCR cautioned that “[t]he conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services.”  That is, a “conduit” does not access PHI “other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.”  This includes reviewing whether data transmitted is arriving at its intended destination.  “In contrast, an entity that requires access to protected health information in order to perform a service for a covered entity such as record locator services is not a conduit,” and is therefore a BA. 

 Accordingly, OCR preserved a fact-based analysis with regard to whether entities have more than “random” access to PHI and thus are BAs.  On one end of the spectrum sits those entities that manage the exchange of PHI through a network or perform oversight and governance functions for electronic health information exchanges.  These, the final rule establishes, are BAs because they have more than “random” access.  However, where on the  spectrum other businesses or activities lie depends on all relevant facts and circumstances – a test that makes the risk averse nervous while everyone else celebrates the joys of flexibility.  OCR declined to define what it means to have “access on a routine basis,” saying such a determination “will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity.” 

 OCR emphasized that whether an entity acts on its ability to access PHI is not determinative of whether the entity is a BA.  OCR clarified, for example, that a records storage facility that maintains PHI on behalf of a CE is a BA “even if the entity does not actually view” the PHI, while a transmission service (digital or hard copy) that temporarily stores transmitted data is not even if it “peeks.”  OCR explained that while transmission services have access equal to that of storage facilities, the difference between the two situations is the “transient versus persistent nature of that opportunity.” 

 If a test arises from all of this, it is one that asks not only whether the entity creates, receives, maintains, or transmits PHI, but also whether the entity has a persistent opportunity to access PHI, as opposed to a transient one.  If the answer is yes, the entity is BA without regard to whether it randomly, infrequently, or ever views the PHI.  This is a new test.

II.            Entities That Are Agents of CEs And of Other BAs Are Themselves BAs

The final rule also gives unprecedented credence to a fact-based agency theory for determining whether vendors are BAs.  For example, the OCR instructed that vendors are BAs when they contract with a CE to offer personal health records to one or more individuals on behalf of the CE.[1]  In contrast, OCR explained, if PHI is provided pursuant to an individual’s written authorization, then the vendor is not acting on behalf of the CE and is not a BA even if the vendor also has a contract with the CE governing the exchange or data.  That is, the final rule indicates that the extent to which a vendor will be considered a BA depends on whether the vendor is acting like an agent of a CE in connection with the PHI at issue.

OCR justified its application of the Federal common law of agency by citing § 160.402(c), which references the Federal common law of agency, and reiterating its belief that “adopting the Federal common law to determine the definitions and application of these terms achieves nationwide uniformity in the implementation of the HIPAA Rules.”[2]  Nationwide uniformity, OCR said, furthers “the efficiency and effectiveness of the health care system as a whole.”  Whether the 50 states would agree, or federal court judges for that matter, it is now therefore established:  Federal agency law applies.

The agency test must always bow to the overarching definition of a BA of course, i.e., if an entity receives, maintains, or transmits PHI or has a persistent opportunity to access PHI, the entity is a BA.  However, understanding the agency test is important to determining who is liable for whose failure to comply with HIPAA and the scope of responsibility.  If agency is not analyzed, an entity may incorrectly believe it is not a BA because it did not agree to perform services that fall within the strict statutory definition of a BA.  If agency is not considered, a person may perform services without having a BA agreement, which OCR may determine is unlawful because the person was acting as a CE’s agent.  If a CE blames a vendor for a HIPAA violation but has no BA agreement with the vendor, the CE may want to hold the vendor liable on an agency theory.

 OCR provided guidance on the federal common law of agency it is discussion of how a CE may be liable for the acts of a BA under § 160.402(c).  Over all, OCR emphasized the importance of a fact-specific analysis, “taking into account the terms of a business associate agreement as well as the totality of the circumstances involved in the ongoing relationship between the parties.”   More specifically, “[t]he essential factor in determining whether an agency relationship exists between a covered entity and its business associate … is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity.”  According to OCR’s further tutorage, CEs, BAs, and vendors should analyze their relationships, determine their obligations, and draft their agreements based on the following principals: 

(1)  If the time, place, and purpose of the vendor’s conduct show that the vendor is under the control of a CE or BA, the vendor may be an agent;

(2)  If the vendor engaged in a course of conduct that was subject to a covered entity’s control, the vendor may be an agent;

(3)  If a vendor’s conduct is commonly performed by BAs to accomplish the service performed on behalf of a CE, the vendor may be an agent;

(4) If the CE or BA reasonably expected that the vendor would engage in the conduct in question, the vendor may be an agent;

(5)  If the terms of the parties’ agreement states that the vendor “must make available protected health information in accordance with § 164.524 based on the instructions to be provided by or under the direction of the covered entity,” the vendor is an agent with regard to this activity; 

(6)  If a CE contracts out or delegates a particular obligation under HIPAA to the vendor, the vendor is probably an agent;

(7)  If the type of service and skill level required to perform the service are such that the CE or BA would not have the expertise to provide interim instructions to the vendor regarding the service, the vendor is probably not an agent;[3]

(8)  If a CE is legally or otherwise prevented from performing the service or activity to be performed, the vendor is probably not an agent;[4]

(9)  If a contract between the parties sets terms and conditions that create contractual obligations such that the only avenue of control is for the CE to amend the terms of the agreement or sue for breach of contract, the vendor is probably not an agent;

(10)  An agency relationship may exist even if a CE does not retain the right or authority to control every aspect of its business associate’s activities;

(11)  An agency relationship may exist even if a covered entity does not exercise the right of control but evidence exists that it holds the authority to exercise that right;

(12)  An agency relationship may exist even if a covered entity and its business associate are separated by physical distance (e.g., if a covered entity and business associate are located in different countries);

(13)  The terms, statements, or labels given to parties (e.g., independent contractor) do not control whether an agency relationship exists – it is the the manner and method in which a covered entity actually controls the service that decides the analysis.

Accordingly, a mere contract phrase to the effect that a vendor is not an agent will not make it so, will not help the vendor avoid obligations as a BA under HIPAA and HITECH, and will not protect a CE from responsibility for the vendor-BA’s conduct.  As OCR stated, the analysis of whether a BA is an agent “will be fact specific and consider the totality of the circumstances involved in the ongoing relationship between the parties.”   

 OCR left little to the imagination of creative lawyers where an agency relationship exists.  The final rule is crystal clear that person or entity that creates, receives, maintains, or transmits PHI or performs a PHI-related service or delegated HIPAA obligation on behalf of another entity is a BA subject to the HIPAA Breach Notification Rule.  Perhaps for emphasis, OCR asserted that these BAs are subject to HIPAA rules, “and not that of the FTC.” 

 The FTC governs "PHR-related entities.”  Businesses are PHR-related entities if they interact with a vendor of personal health records either by offering products or services through the vendor’s website – even if the site is covered by HIPAA – or by accessing information in a personal health record or sending information to a personal health record.  “Many businesses that offer web-based apps for health information fall into this category.”  http://business.ftc.gov/documents/bus56-complying-ftcs-health-breach-notification-rule.  Examples include Apps that help consumers manage their medications or let them upload readings from a device like a blood pressure cuff or pedometer into a personal health record.  The final rule does not change such PHR-related entities into BAs in all circumstances, emphasizing that consumers still control their own information.   For example, the final rule does not change FTC guidance that if a site is simply available to consumers for inputting their own information in a way that does not interact with personal health records offered by a vendor, the site operator is not a PHR-related entity.  Accordingly, for example, if the site “just allows consumers to input their weight each week to track their fitness goals” the site operator is not a PHR-related entity, is not a BA, and is not subject to the breach notification rules.  However, OCR makes it clear that where consumers are not in control – where a CE or BA ultimately controls the handling of the PHI - then PHR-related entities become BAs, subject to HIPAA’s breach notification rule. 

 III.            “Subcontractor” Is A New Term of Art, and Subcontractors Are BAs

The final rule also establishes that a person to whom a BA “delegates a function, activity, or service” other than someone acting as a member of the BA’s workforce, is indeed called a “subcontractor,” a neologism that caused angst in many a grammarian and raised the ire of lexicologists far and wide.  More importantly, the final rule establishes that where the delegated function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information, the subcontractor is a BA. 

Responding to commentators’ concern that this rule would require covered entities to contract with subcontractors, OCR underscored that BAs are the parties obligated to obtain satisfactory assurances that their subcontractors will safeguard PHI.  “The final rule makes clear that a covered entity is not required to enter into a contract or other arrangement with a business associate that is a subcontractor.”  See §§ 164.308(b)(1) and 164.502(e)(1)(i).” 

As a practical matter, CEs are very concerned when their BAs delegate obligations to unknown parties over whom the CEs have no control.  Elaborate provisions are included in business associate agreements to ensure that BAs obtain covenants from subcontractors that PHI will be protected to the same extent required under the CE’s agreement with the BA.  Almost acknowledging the need to continue this practice, OCR further opined:  “[W]e believe that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that protected health information is not adequately protected when provided to subcontractors.”  (Emphasis added.)

IV.            Conclusion

The final rule seeks to ensure, perhaps above all else, “that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions.”   Everyone “down the chain,” as OCR put it, from CE to BA to Subcontractor1 to Subcontractors 2-5, and so on, and so on, and so on, must ensure that they comply with HIPAA and HITECH and that they obtain satisfactory assurances that the parties with whom they contract will comply with HIPAA and HITECH.  Reading between the lines of the final rule, it is as if OCR shrugged and said, “there’s strength in numbers” or “the more the merrier.”  Indeed, who can argue with such accepted wisdom.

[1] Section 13408 of HITECH requires that such organizations enter into “a written business associate contract or other arrangement with the covered entity in accordance with the HIPAA Rules.” 

[2] Referencing the Enforcement Rule preamble, 71 FR 8390, 8403-04.

[3] For example, OCR instructed,  a BA “that is hired to perform de-identification of protected health information for a small provider would likely not be an agent because the small provider likely would not have the expertise to provide interim instructions regarding this activity to the business associate.”  In this situation, the BA would be directly subject to HIPAA and HITECH, but the CE would not be responsible for the BA’s conduct. 

[4] As OCR explained:  “[A]n agency relationship would not likely exist when a covered entity is legally or otherwise prevented from performing the service or activity performed by its business associate [such as] accreditation functions performed by a business associate” that cannot be performed by a covered entity seeking accreditation because a covered entity cannot perform an accreditation survey or award accreditation.” 

One option that GAO considered is government-subsidized insurance against erroneous food recalls.  Another is one-time acts of Congress, or private laws, to address specific events.  Other potential solutions are government-funded loans for producers affected by an erroneous recall, and non-monetary methods "such as a government promotional campaign or a public statement acknowledging an error recalling a product."

GAO notes that any compensation system faces the threshold challenge of determining what constitutes an "error."  GAO cites the recent spinach recall, in which the contagion was ultimately traced to a specific farm but the recall covered all bagged spinach, as one example of a recall that industry thought was over-broad but that FDA thought was prudent.  GAO also cites the tomato e.coli outbreak, in which epidemiologists identified tomatos but later confirmed that serrano and jalapeno peppers could also be a source, as an example of an "error."

GAO's report comes as food advocates complain that the Obama Administration is holding up regulations to implement the Food Safety Modernization Act, particularly the provisions regarding foreign importers and recall procedures.  

Read the full report here.

On June 28, the Supreme Court issued its highly anticipated decision on the constitutionality of portions of the Affordable Care Act (Nat. Fed'n Indep. Business v. Sebelius, Florida v. Dept. of HHS; and Dept. of HHS v. Florida). The majority of the Court concluded the following on the key questions in the case:

1. The individual mandate is constitutional as an exercise of Congress' power under the Taxing Clause (although it could not be upheld based on the Commerce Clause and the Necessary and Proper Clause).

2. The expansion of Medicaid to additional populations is constitutional, but the federal government cannot withhold existing (non-expansion) Medicaid funds for non-compliance with the expansion requirements.

Roundtable discussion examines outcome

The Supreme Court’s ruling on the Affordable Care Act will have significant legal and business impact on the health care industry and beyond. Plans, providers, employers and businesses will need to quickly evaluate options for moving forward and will need to understand the federal and state policy questions resulting from the Court’s decision.

On July 11, our Washington, DC, office will host a breakfast discussion, Health Care at the Crossroads: The Path Forward from the Supreme Court Decision, to examine the full impact of the outcome with esteemed policy and business leaders led by Senator Tom Daschle, Governor Mike Castle and Mary Langowski, Chair of the DLA Piper Health Care Public Policy and Regulatory group.  Visit this page to register for the event.

Here is our monthly summary of selected FDA Warning Letters recently made public by FDA. The statistics for this report: 

- 24 letters re cGMP device violations; 

- 9 letters re medical device reporting (Animas Corporation (including cGMP violations), Health Science Products, Incorporated (including cGMP violations), APC Medical Limited (including cGMP and registration and listing violations), Teh Lin Prosthetic & Orthopedic, Inc. (including cGMP violations), Sorin Group Deutschland GmbH (including cGMP violations), The Lasik Vision Institute, Newman Lasik Centers LLC, Soring Medical Technology (including cGMP violations) and Okamoto Industries Inc. (including cGMP violations)); 

- 7 letters re cGMP pharma violations;

- 6 letters re unapproved new drugs (Herbal Extracts Plus, LLC, Agora Publishing Inc., Natural Health Team, The hCG Drops LLC, Mushroom Wisdom, Inc., and BioAnue Laboratories, Inc.);

- 3 letters re unapproved new use of devices (Medical Quant USA (including cGMP violations), Merit Medical Ireland Ltd. and BioElectronics Corporation);

- 2 letters re unapproved new devices (Akers Biosciences, Inc., and Spencer Forrest, Inc.);

- 2 letters re tobacco product marketing and sales (The Pinkerton Tobacco Company and Tobacco Source Three LLC);  

- 1 letter re an unapproved new OTC homeopathic (Schwabe North America, Inc.);

- 1 letter re an unapproved new dietary supplement (Almased USA, Inc.);

- 1 letter re unapproved new use of an OTC device (CuraeLase, Inc. (including cGMP and MDR violations));

- 1 letter re drug study violations (Betty Tuller, Ph.D.); and

- 1 letter re import for export (MedPharm, LLC). 

And of particular note:

• FDA cited one manufacturer of drug components and its immediate shipper for violation of Import for Export provisions because of failure to provide IFE records and a report, despite multiple requests by FDA.
• FDA issued a warning letter to one company for promoting unapproved new drugs that made unsubstantiated claims about treatment of a wide variety of conditions, including cancer, autism, schizophrenia, multiple sclerosis, hepatitis C, and HIV infection.
• FDA cited another company for making unsubstantiated therapeutic claims, including treatment of cancer and Alzheimer’s disease, about its mushroom supplements that FDA considered unapproved new drugs.  In addition to inclusion of these claims on the company’s website, they were also supplemented by metatags used to bring consumers to the site.
• FDA issued a warning letter to the manufacturer of a laser system for the unapproved new use of a device, as well as violation of Electronic Product Radiation Control requirements because of failure to submit product reports and file its annual report.
• FDA also cited a tobacco company for violating the agency’s regulations restricting the sale and distribution of tobacco products to minors by promoting its “No Nonsense Rewards” program, wherein customers were offered a check in exchange for providing proof of purchase of specially marked packages of the company’s moist snuff product.
• FDA continues to focus on Good Manufacturing Practices and posted warning letters for the following devices: steam sterilizers, an anti-embolism wrap system, lower limb prosthetics, bone densitometers, anesthetic delivery systems and respiratory therapy equipment, contact lenses, external penile rigidity devices, infusion pumps and urological catheters, neurosurgery and hemostatic devices, wound and burn dressings, temperature indicators, dental prosthetics, plasma coagulation control devices, an enteral infusion pumps, sterile syringes, an orthogonal percussion adjusting instrument, a turning medical bed, a pharmaceutical compounding device, telemetry devices, electrocardiogram monitoring equipment and software devices, a non-sterile blood pressure monitor, a total knee replacement system, a ventricular assist system, and a powered muscle stimulator device.  In addition to the cGMP violations, FDA cited twelve companies for MDR violations, two for unapproved devices, two for unapproved new uses of a device, one for Report of Corrections and Removal violations, and two for Registration and Listing violations.  
• FDA also posted seven warning letter for cGMP violations regarding finished pharmaceuticals and dietary supplements.  In addition to the cGMP violations, FDA cited one company for labeling violations, and one company for unapproved new drugs and field alert report violations.

Regardless, yesterday FDA said no.  Corn syrup and corn sugar are not the same thing so the corn industry can't make the swap.  According to FDA, sugar is "a solid, dried and crystallized food," whereas syrup is an "aqueous solution or liquid food."  FDA recognizes glucose syrup, cane syrup, maple syrup, sorghum syrup and table syrup, but not corn syrup.  Read FDA's full response here.

So it's back to the drawing board for the corn industry.  Stay tuned to this channel for the next episode of the Sugar Wars.

On March 5, 2012, France adopted a new law on clinical trials and studies (Law No. 2012-300) (the "Law").  The Law, which has been in discussion since early 2009 and which will become effective once the implementing measures have been published in the Official Journal of the French Republic, is intended to encourage the development of clinical trials and studies in France, while at the same time clarifying the applicable legal framework.  Many provisions of the Law are awaiting implementation by decree and ministerial decision ("arrêté") which the French Agency for Safety of Health Products (Agence Nationale de Sécurité Sanitaire des Produits de Santé - AFSSAPS) expects to be issued no sooner than summer 2012.  

Continue reading for highlights of the principal developments.

The new Law creates a common legal framework applicable to all types of clinical trials and studies, creating three separate categories of trials, each based on the level of risk to the subjects. Accordingly, each category of trial or study is bound by specific rules as concerns the protection of the human subject. The categories include:

(i) interventional studies where it is possible to intervene in treatment decisions and that do not constitute the subject's usual care ("Interventional Studies");

(ii) interventional studies that present minimal risks and constraints and that do not involve pharmaceutical products, a list of which will be set out in a ministerial decision ("Interventional Studies Presenting Minimal Risks"); and

(iii) studies where it is not possible to intervene in treatment decisions and where the researcher observes treatment and results in a systematic manner without changing, influencing or interfering with diagnosis, treatment or monitoring ("Observational Studies").

Information in respect of trials in each of the above three categories is to be included on a publicly available registry.

Harmonizing diverging requirements, the Law provides that each of the three categories of trials or studies will be subject to the prior approval of an Ethics Committee (Comité de Protection des Personnes - CPP). A newly created authority called the National Human Research Commission (Commission Nationale des Recherches Impliquant la Personne Humaine - CNR) will coordinate Ethics Committee activities. The Law provides that starting in 2014, an Ethics Committee will be randomly assigned by the CNR to a request for approval of a trial or study. This is potentially a significant development from the current system, where only the territorially competent Ethics Committee may grant approval to a trial or study.

Furthermore, consent and information requirements have been clarified. In the case of Interventional Studies, the Law has left current rules in place: the clear and informed consent of the subject is required to be given in writing, once the subject has received the required information regarding the study. In respect of Interventional Studies Presenting Minimal Risks, the required clear and informed consent of the subject can now be provided either in writing or verbally. While not subject to similar express consent requirements, Observational Studies cannot be conducted on a subject who has objected thereto after being informed of the study.

The Law also contains provisions designed to promote research activities. In this regard, data protection formalities have been streamlined in respect of Observational Studies, such that researchers will not need to consult the Health Research Consultation Committee (Comité Consultatif sur le Traitement de l'Information en Matière de Recherche dans le Domaine de la Santé - CCTIRS), prior to consulting with the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés - CNIL). In addition, for example, provided that a subject has been informed of the research and has not raised an objection thereto, researchers are permitted to study the subject's genetic characteristics on the basis of material that was taken from the subject's body for other purposes. Furthermore, as concerns Interventional Studies Presenting Minimal Risks and Observational Studies, the Law provides for the possibility that the trail or study investigator need not be a physician. In this regard, the CPP is responsible for ensuring that the qualifications of the investigator are appropriate for the particular study. In addition, subjects who are not affiliated with a social security regime will be able to participate in Observational Studies, and with the approval of a CPP, in both Interventional Studies and Interventional Studies Presenting Minimal Risks.