How Confidential Are MDSAP Audit Reports?
Audit reports lay bare the good, the bad, and the ugly about a company’s current state of regulatory compliance. Questions have been raised about how Medical Device Single Audit Program (MDSAP) outcomes are shared among regulatory authorities.
In the good ol’ days (circa 2017), if the US FDA did an inspection report, any dirty laundry or proprietary information contained in that report usually stayed in an FDA filing cabinet (assuming you were not issued a warning letter). Likewise, reports from audits conducted by European Notified Bodies are not always readily accessible to FDA. Of course, the MDSAP is a cooperative agreement between FDA, Health Canada, Brazil ANVISA, Japan PMDA, and Australia TGA. One audit satisfies the requirements of all five regulators. But who sees what?
With that in mind, here are a few questions we get from clients about how MDSAP audit information is disseminated. These questions are just a sampling of the many MDSAP questions we have addressed.
Do our MDSAP audit reports get shared with non-MDSAP regulatory authorities?
Your MDSAP audit reports will be accessible (via a central repository) to the five participating regulators in the US, Canada, Australia, Brazil, and Japan, but they will not be made publicly available. Regulatory authorities not participating in the MDSAP will not have unfettered access to your MDSAP audit reports unless they have a confidentiality or mutual recognition agreement in place with a participating regulatory authority. For example, Poland’s medical device regulator signed a confidentiality agreement with Japan’s PMDA and MHLW in late 2017, giving Poland more access to MDSAP data.
Theoretically, any participating regulator can access your audit report, but it’s unlikely they’ll use such access on a routine basis unless something has prompted them to do so (e.g., your organization is involved in some type of regulatory activity in their market). Also, note that MDSAP audit reports could be included as part of medical device approval requests submitted to other countries whose regulators participate in the IMDRF, including those countries that are just Observers with IMDRF.
While this sharing of data is not particularly concerning for smaller entities due to less market penetration, multinational companies operating worldwide might find it a bit disconcerting to know that a nonparticipating regulatory authority could get access to their MDSAP audit reports. During a new market application, these regulatory authorities may already have ample information about your company or might conduct their own inspection based on your submission. Whether they would bother trying to get access to your MDSAP audit report is entirely another story, but keep in mind that it could happen – especially if your company may have issues in those other MDSAP markets.
Can someone access our MDSAP audit report through a US Freedom of Information Act request?
Many non-Americans don’t realize that the US government is quite open in sharing information and making it accessible online. In fact, the US Freedom of Information Act (FOIA) allows anyone to request information collected by FDA (and other entities). Competitors, short seller investors, media, consumer groups, and disgruntled consumers have all used FOIA to access company information that is otherwise not freely published. However, there are limits to what information will be shared, and FDA representatives have previously said that MDSAP audit reports will not be accessible via FOIA requests.
Next countries to hop on the MDSAP bandwagon
Other regulators would like to join the MDSAP party, but that’s unlikely to happen anytime soon. Europe is the most obvious nonparticipant, but they’re currently busy implementing the MDR and IVDR.
Over time, MDSAP is likely to save companies time and reduce redundant audits. While there are concerns among some companies about how all of their audit data will be accessed and shared, regulators do seem to take the issue seriously.
Want to learn more?
Oriel STAT A MATRIX has been helping medical device companies with QMS and regulatory compliance for more than 50 years. MDSAP is one of our specialties and we can assist you with everything from MDSAP internal auditor training to gap assessments.