The American Hospital Association’s (AHA) response to the Food and Drug Administration’s (FDA) request for information on how the agency can improve regulatory flexibility and efficiency suggests that FDA allow health system pharmacies to distribute compounded products to other system facilities located more than one mile away.
Ashley Thompson, AHA senior vice president for public policy analysis and development, wrote that the trade group is concerned the one-mile radius rule in FDA’s draft guidance last year is not feasible for facilities with centralized sterile compounding.
The AHA also suggested the drug agency provide more oversight of medical device cybersecurity to “set clear measurable expectations for manufacturers before incidents and play a more active role during cybersecurity attacks.”
Rather than the one-mile rule FDA is proposing, AHA recommended that FDA allow hospitals and health systems to use “beyond-use date (BUD) timeframes” in the U.S. Pharmacopeia Chapters 797 and 800.
Thompson wrote that the current proposal is not workable for hospitals with centralized sterile compounding activities at a single location, which distribute the compounded products to other health facilities more than a mile away.
"We believe that limiting the distribution of non-patient-specific sterile compounded drugs in hospitals and health systems based on these BUDs addresses the FDA’s concerns regarding the risk and quality associated with compounded products," Thompson wrote.
U.S. Pharmacopeia Chapter 797 involves requirements concerning compounding personnel, training, facilities, storage, testing and monitoring. Chapter 800 deals with the safe handling of hazardous drugs.
The hospital group also commented on the need for FDA to take a more active role to oversee cybersecurity, noting that many device manufacturers were slow to provide information to AHA members during the WannaCry attack. The group noted that the device manufacturers' recommendations at the time had significant impacts on patient care.
"Manufacturers must be held accountable to proactively minimize risk and continue updating and patching devices as new intelligence and threats emerge," Thompson wrote. "They share responsibility for safeguarding confidentiality of patient data, maintaining data integrity and assuring the continued availability of the device itself."
AHA recommends FDA issue guidance to device makers outlining clear expectations on how to secure their products, and take a more active role during cybersecurity attacks.
Cybersecurity remains at the top of healthcare and technology companies' minds. The Center for Connected Medicine recently reported that nearly all respondents in its Top of Mind 2018 survey of technologies said they plan to spend more on preventing data breaches and cyberattacks next year. Cybersecurity also topped ECRI Institute’s list of health technology hazards for 2018.
In June, the Health Care Industry Cybersecurity Task Force declared that healthcare cybersecurity is in “critical condition.” The task force requested the federal government lead an effort to help organizations improve cybersecurity.
A bill currently in the Senate would require companies to promptly report data breaches. The Data Security and Breach Notification Act would hold company executives criminally accountable if the breaches are not reported promptly. Any employee who willfully conceals a breach could be sentenced to up to five years in prison.