FDA Urges Company Policy on Web Use

Medical Device & Diagnostic Industry Magazine | MDDI Article Index

Originally published February 1996

Regulatory Affairs

FDA is monitoring the Internet. At present there is no unifying agency policy on this activity, nor is there any formal or concerted effort across the various centers to routinely monitor what company employees say electronically. "But FDA has access to the Internet the same as anyone else," says Byron Tart, director of the promotion and advertising policy staff in the device center's Office of Compliance, "and we do monitor advertising and promotional transmissions. People in the Office of Compliance look at them, and sometimes come over and say, 'I picked this up on the Internet; what do you think?'"

Concerns regarding labeling and promotion are specific to Tart and his staff, but other parts of the device center are also monitoring the Internet, bringing their own concerns to bear. And there is movement toward the development of a comprehensive FDA policy. "We are going to look at this as an agencywide issue, not necessarily center by center," Tart says. In the meantime, he advises device companies to establish a policy about what their employees are permitted to say and do with the Internet.

At present, even medical device com- panies that are oriented toward electronic data transfer--such as telemedicine leader Cemax-Icon (Fremont, CA)--have not yet developed a specific policy for employees using the Internet. "We pretty much use the same level of caution as we do on any written communication," says Oran Muduroglu, Cemax-Icon's vice president for sales and marketing.

However, some companies, such as Becton Dickinson (Franklin Lakes, NJ), are developing policies specific to the Internet. One policy that the company has already approved for use establishes "what information is permitted and what is not permitted to go over E-mail," says Al Battaglia, group president and chief information officer. Becton Dickinson is also in the process of installing a "fire wall" between the Internet and the company. This fire wall, says Battaglia, is a computer-based security system that "acts as a filter, monitoring both incoming and outgoing information traffic."

According to Tart, FDA is treating the Internet just as it would any other source of information. From his perspective as director of promotion and advertising policy staff, a company's use of the Internet to promote an off-label use for a medical device "would be no different than promoting it in a newspaper, magazine, or letter," he explains.

But there are differences between the Internet and other forms of communication--a fact that is not lost on Tart. First, the electronic nature of the Internet raises the issue of whether an electronic posting is labeling. Tart notes only that it "has the potential to be labeling, since it can be downloaded and printed."

Second, the Internet is diverse, interactive, and multidirectional. Information flows to and among people in ways that are unlike those of other media. "There are a lot of home pages and there is a lot of activity by third parties," Tart says. Home pages sponsored by companies are indisputably the responsibility of those companies and subject to FDA regulation.

Despite these differences, making the regulatory jump from paper to web site should not be that difficult, says Tim Mackay, a programmer, analyst, and webmaster of the home page put up by Marquette Electronics (Milwaukee). "A lot of what you see on our web site was printed paper in a former life--it's just been enhanced to fit the medium," he says. "The printed pages went through regulatory affairs for approval like all good advertising material should do."

Cemax-Icon looks on its web page in much the same way. "In effect, our web page document is a repackaged product data sheet, so it inherits all of our usual caution with respect to advertising," Muduroglu says.

And not all home pages are subject to FDA authority. Tart notes that the agency only regulates companies. "The only time we get involved is if there is some connection back to the company and it results in the company promoting the device for an off-label use. Then the page would be subject to FDA regulation," he says.

But the American judicial system has recently added another twist. Court rulings have held that companies are responsible for the contents of their web sites and user forums, even if the information is provided by parties outside the company. Marquette Electronics, for example, offers web access to biomedical organizations that want to publish their newsletters electronically. "Most of these organizations are nonprofit, and coming up with a web server is a fairly big investment for them," Mackay says. "So they E-mail me their newsletters, and I put them up.

"There is a certain amount of trust, a presumption of innocence, in the use of the Internet," Mackay adds. "For the most part users are very responsible, but if people began stepping over the bounds of what is reasonable the sponsoring company would have to step in and stop it. Coming up with ways to do that--such as banishing certain users or placing disclaimers at the end of each communication--is an evolutionary process, because many of these forms of communication are without precedent."

For instance, E-mail presents yet another facet of the problem. An offhand conversation between two friends could be construed by FDA as promotion. Unlike voice conversations that leave no record, or letters that can be destroyed after being read, E-mail is open for anyone to examine.

The unsecured nature and the amplifier potential of the Internet are significant in terms of the damage that a single transmission can do. But these concerns are really nothing new and there are technologies that can at least reduce the hazard. "The security of E-mail--or lack thereof--is something to be concerned about, but if you worry about your E-mail being tapped, you should be likewise worried about your phone," Mackay says. "There are few media that can be considered truly secure for interpersonal communications. If that is a concern with E-mail, a company can do a little research and learn how to encrypt its messages."

Similarly, the sophistication of the Internet is no reason for users to be confused about what can or should be said. "From a regulatory point of view, all of the basic regulations still apply," says Tart.

Applying common sense should keep companies out of hot water, whether or not they have a formal policy. "Employees at Marquette Electronics are trusted to act responsibly," says Mackay, who notes that before sending an E-mail message he looks it over "just as I would any letter. I'd guess most folks can figure out where the ethical bounds lie without too much trouble, and that, I guess, is what FDA is aiming at." --G. F.