It’s a new year and decade – the perfect time to review your company’s documentation practices to limit your company’s potential civil and criminal exposure. Over the next few years, we expect FDA to continue to focus on data integrity issues, with an increasing spotlight on medical device companies.

What is data integrity? Data integrity means that data is reliable because it is accurate and complete. As the product developer, manufacturer, or distributor, you need to have established procedures and practices that can support the accuracy of your data. Activities should be documented correctly at the time of performance, dated, reviewed or verified, and traceable to individuals through signatures or audit trails. Essentially, all information submitted to FDA or relied upon as part of development, manufacturing, and distribution should be accurate, complete, and reliable.

FDA is concerned about data integrity at various stages of a medical device’s lifecycle from pre-approval to post-approval. Overall, FDA wants to make sure that activities and results are documented, in part to make sure they actually occurred and were performed in line with your procedures and by trained personnel. Additionally, documentation allows the records to be reviewed during inspections. Moreover, if issues arise with a product, accurate and complete documentation can help determine the root cause. Therefore, it is important that data is captured and documented, information is dated, and the data is traceable to individual device components, lots, and people.

But, it’s not only your company’s practices that matter. Device companies are expected to have effective oversight over their suppliers. Therefore, your supplier’s data integrity practices can negatively impact your company’s compliance vis-à-vis FDA. More importantly, it can impact the quality, safety, and effectiveness of your devices. How frequently do you audit your component suppliers? Do they follow good documentation practices?

Why You Need To Worry

The consequences of data integrity gaps can range from relatively benign to life-threatening. The worst outcome would be for a patient or user to die because of a device failure or malfunction that stemmed from falsified quality control test results. Any outcome that negatively affects the quality of your product is a bad outcome that can lead to products liability and long-standing reputation harm.

FDA and the Department of Justice can also respond to data integrity violations with criminal sanctions. Violations of the Federal Food, Drug, and Cosmetic Act (FDCA), come with strict liability for misdemeanors. See e.g., United States v. Park, 421 U.S. 658 (1975). If there is intentional or willful fraud involved due to the submission of false statements or documentation, there may also be liability under the Federal False Claims Act.

FDA could also seek to restrict distribution of your devices through the seizure of products, an injunction (which typically includes a request to a court that distribution of products cease), requesting or mandating a recall, or delaying, denying, or withdrawing approval of a marketing application. Additionally, FDA could document your noncompliance and issue a FDA Form 483 or Warning Letter, which could lead to bad press. None of these outcomes are desirable. The more prepared you are, the less likely they are to occur.

Some regulatory sections that discuss data integrity requirements include 21 C.F.R. Parts 11, 812, and 820. For example, sponsors must have “accurate, complete, and current records relating to an investigation.” 21 C.F.R. § 812.140(b). This means, for example, that information about product distribution that occurred as part of the investigation should include correct information about batch numbers, quantity shipped, where the product was shipped, and to whom it was shipped. See 21 C.F.R. § 812.140(b)(2). Other requirements applicable to medical devices, such as medical device reporting per 21 C.F.R. Part 803, correction and removal reports per 21 C.F.R. Part 806, and post-marketing requirements per 21 U.S.C. § 360l, must also include accurate information.

Recommendations and Best Practices

To achieve or maintain a state of compliance, we have the following recommendations:

If a data integrity event occurs or a gap is identified, open an investigation as soon as possible. The investigation should be appropriately scoped to determine whether issues are systemic and broader than the issue originally identified. Similarly, corrective and preventive actions (CAPAs) may need to be broad. The investigation and CAPAs should be well-documented, and effectiveness checks should be performed. A priority should be determining whether there is any product quality impact, which lots are potentially impacted, and whether FDA needs to be notified. Also, consider engaging a third party for help with the investigation and the corrective action plan.

A company’s culture is often a root cause of data integrity incidents. Employees and/or management may not fully understand the importance of good documentation, may feel overly confident that a test result will always pass, may be pressed for time, or may fear reporting or dealing with bad results that could cost the company money. Providing incentives that encourage employees to speak up can be an effective tool in preventing incidents before they occur or are discovered by a regulator.

The views expressed in this article are exclusively those of the author and do not necessarily reflect those of Sidley Austin LLP and its partners. This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.