Guest Column | March 7, 2016

3 Key Sources Of Data-Related Compliance Risk (And How To Fix Them)

By Colleen Hittle, Stephanie Lewko, and Jim Williams, Navigant Consulting

Life sciences companies face unique challenges when storing, updating, and analyzing critical compliance-related data. Many companies store data in outdated computer systems, which often are spread across various geographies and don’t adhere to the same formatting standard. Some companies still use home-brewed and inefficient spreadsheet tools. In other cases, mergers of multinational companies bring together disparate legacy systems, resulting in confusing megasystems that hold staggering amounts of data and lack appropriate change management and risk management processes and procedures.

Furthermore, emerging regulations and their implementation deadlines can create nightmare scenarios for companies already wrestling with data. Current FDA and U.S. Department of Justice (DOJ) compliance trends reinforce that a company’s ability to accurately and quickly gather, analyze, and manipulate data is the key to avoiding enforcement actions.

Three particular areas of risk highlight the importance of maintaining validated compliance-related data in appropriately designed and controlled systems:

  • FDA’s Unique Device Identifier (UDI) Final Rule
  • DOJ Foreign Corrupt Practices Act (FCPA) investigations
  • FDA’s requirement that manufacturers submit new 510(k)s for already-cleared products that have been changed

UDI Headaches

With the implementation of the UDI Final Rule, device manufacturers are not only required to include a unique identifier on their devices, they must also submit specified attribute information about each device to FDA’s Global Unique Device Identification Database (GUDID).

In order to comply with the rule’s requirements and deadlines, manufacturers must be able to identify and capture the required information in a timely manner from disparate data sources, and have processes in place to resolve any data disparities or gaps. Manufacturers formed as a result of mergers and acquisitions have to overcome a multitude of additional issues, such as merging current and legacy technology systems, and resolving conflicting data values and formats.

Consider this UDI compliance example: A multinational device firm has data stored in different formats, in different systems, around the globe. Further complicating the situation, data for the same devices, drawn from different databases, do not match. In such a case, an analysis of the company’s systems and sources must be conducted to validate the datasets, and then the resulting clean data can be utilized to populate the GUDID database.

This is an expensive, time-consuming project that will occur in fire-drill fashion. An alternative is to have analytical tools in place to assist in the compilation, analysis, and storage of these large datasets, ensuring that all data submissions to regulatory agencies are accurate and complete. Furthermore, to avoid enforcement action, device manufacturers must be proactive in implementing appropriate compliance controls to govern the submission and management of UDI information.

Corrupt Practices, Or Just Corrupted Data?

A number of life science companies recently have been the focus of FCPA investigations. While it generally is very difficult to guarantee complete compliance with FCPA, companies that have not integrated data analytics into their compliance programs face increased exposure to regulatory risk. Furthermore, companies must not only maintain accurate data, they must be in a position to quickly analyze the data to demonstrate compliance. 

Often, when a global medical device manufacturer comes under investigation for FCPA violations, product registrations in foreign markets must be audited and assessed. To do so, it often is necessary to merge a number of disparate data sets from the client to create a unique list of products, product families, and registrations, and then systematically verify the data sets against hard copy documents. Due to the sheer volume of the data sets and their unique formats, it is difficult for companies to proactively perform similar audits; therefore, potential compliance and FCPA violations are overlooked. A set of internal compliance controls and audits, devised using data analytics, will alert a company to any issues well before the government has cause to suspect abuses.

Data analytics is an essential tool to help ensure that companies are doing everything possible to minimize FCPA and compliance risk. Data analytics and trending should be leveraged on both a domestic and a global scale to support companies in their internal audit and risk assessment programs. 

Warning Letter Woes

FDA recently has issued a plethora of warning letters to medical device manufacturers for failure to maintain regulatory impact statements for product changes made to a device following its original clearance by FDA. In these warning letters, FDA states that some products are actually misbranded or adulterated, in that the product configuration being marketed does not match that authorized by FDA. The warning letters require manufacturers to remediate the regulatory impact statements through a thorough review of the products’ design files.

In order to execute such a review of the design files, manufacturers must summarize all changes, by type, to an individual product since its regulatory approval. In some cases, this effort requires an analysis of thousands of changes, regardless of their overall significance to the product’s safety or efficacy. 

Because of the large number of changes typically recorded in design files, analytical tools are needed that enable a company’s legacy systems to be coalesced. Once the data has been coalesced, product changes can be summarized regardless of legacy source, including those from suppliers. Companies then can analyze technical changes by type and compare them with FDA guidance in order to support non-filing decisions to regulatory agencies.

Record Organized, Accessible Regulatory Data

It is abundantly clear that the days of utilizing small, unsophisticated computer- or spreadsheet-based systems to store regulatory data are over. Companies are becoming larger and their product lines are growing due to mergers and acquisitions that span global markets. In order to maintain control over huge datasets, minimize regulatory compliance risk, ensure proper change management, and produce accurate reports for regulatory agencies at a moment’s notice, life sciences companies should consider implementing and utilizing updated databases and advanced analytics tools.

About The Authors

Colleen Hittle, RAC, has over two decades of experience in the medical product regulatory environment, providing expert support to companies regulated by the U.S. Food and Drug Administration (“FDA”) and global regulatory bodies. Colleen is a Managing Director and leads the Regulatory Services group that provides support for companies developing and marketing products in the medical device, health information technology, combination product, and drug and biologics industries. Former president and CEO of Anson Group (acquired by Navigant in 2013), Colleen has served medical device, health information technology, combination product, and drug and biologics companies ranging from the smallest start-ups to Fortune 20 industry leaders.

Stephanie Lewko is an Associate Director in the Healthcare Life Sciences Disputes, Compliance and Investigations practice. She specializes in healthcare litigation support as well as compliance support through the collection and manipulation of large amounts of electronic data and complex data analyses. Her engagements have involved the creation of databases to track, manage, and report on various types of organizational and procedural information. Stephanie’s healthcare clients include pharmaceutical manufacturers, law firms, orthopedic companies, and health insurance providers. She has significant experience with litigation support and investigations dealing with issues such as out-of-network reimbursement, contract analysis, off-label marketing and reimbursement pricing.

Jim Williams has over a decade of experience providing software validation, healthcare compliance writing, expert witness support, and technical & regulatory writing support to organizations in heavily regulated areas, such as life sciences, healthcare, social services, and state government. Jim is a Managing Consultant at Navigant Consulting, Inc., where he provides software verification & validation (“V&V”) and technical and regulatory writing assistance to life science companies. Before joining Navigant, Jim collaborated with a Big Four consultancy, playing a critical role on numerous high-profile, large-scale software projects, including serving as co-lead tester on a complex, multi-year $1.4B project to modernize a state welfare computer system; acting as lead tester on a project to establish a system to measure vendors’ performance against federal guidelines; and serving as lead tester on a project that implemented a web service for state welfare client appeals, helping bring the state into compliance with federal regulations regarding appeals rights.