Amid continuing debate about the timing and shape of the Senate’s food safety bill (the House passed a version in July 2009) comes a new issue that affects companies in the food, drug, device and cosmetic industries.
Several months ago, FDA Deputy Chief Counsel for Litigation Eric Blumberg told industry representatives at the FDLI Annual Conference that the agency is prepared to dust off the three-decade-old “Park Doctrine” to augment FDA’s continuing efforts to ratchet up its enforcement profile. The doctrine stems from the United States Supreme Court’s decision in United States v. Park, 421 U.S. 658 (1975). In principle, it allows the government to pursue misdemeanor charges against a corporate officer for alleged violations of the Federal Food, Drug, and Cosmetic Act, regardless of whether the officer is aware of the existence of a violation, as long as the officer holds a position of responsibility so that that individual could have initiated preventive or corrective action and, for whatever reason, failed to do so.
Park represents a strict liability standard, so no warning letter is required. FDA need only request that the Department of Justice file charges based on FDA’s conclusion that an officer is guilty of misconduct, which is effectively defined as failing to know what FDA believes one should have known. In sum, what an executive does not know can be more than harmful.
The scale of punishment for misdemeanors ranges from one year in prison and/or a maximum fine of $100,000 for each count to much higher penalties where injury or death is involved. Courts can impose mandatory prison sentences, and if FDA believes a substantial risk of injury or death is involved, judges can increase the length of prison sentences.
At a time when corporate resources are stretched, the entire spectrum of regulatory compliance issues has become every bit as critical for senior management and counsel as the other bet-the-company issues that confront each company on a day-to-day basis.
Mark Mansour is a partner in the firm, Bryan Cave, LLP

FDA: Genetic Testing Kits are Medical Devices
The FDA has sent letters to five manufacturers of genetic testing kits stating that the agency is considering the kits to be medical devices. As such, the agency has said that they need to receive approval from the agency before they can be marketed. The House Energy and Commerce Committee has announced that it too is looking into the tests.
FDA Requests Notifications of Intention to Participate in Meetings on PDUFA Reauthorization
The FDA has issued a notice requesting that public stakeholders notify the agency of their intent to participate in periodic consultation meetings on reauthorization of the Prescription Drug User Fee Act (PDUFA). After the statutory authority for PDUFA expires in September 2012, the FDA will consult stakeholders to develop recommendations for the next PDUFA program. Notifications of intention to participate must be submitted by June 25, 2010. The first stakeholder meeting will be held on July 1, 2010, from 9 a.m. to 11 a.m. More information is available here.
FDA Corrects Dental Device Final Rule
The FDA has issued a notice that it is correcting an error in its Final Rule on dental devices, published on August 4, 2009. More information is available here.
FDA Seeks Comments on Labeling Requirements, Premarket Approval, Drug Co-Development
The FDA is seeking comments on the standardized format and content requirements for the labeling of over-the-counter (OTC) drug products. Comments are due by August 2, 2010. More information is available here. The FDA is seeking comments on requirements for premarket approval of medical devices. Comments are due by August 9, 2010. More information is available here. The FDA also seeks comments on methods to co-develop two or more distinct investigational drugs intended to be used in combination to treat a disease or condition. FDA is planning to develop guidance for industry and other affected parties on the co-development of two or more novel drugs intended to be used in combination (but not as fixed-dose combinations) and is seeking public input to identify the affected parties’ information needs concerning such co-development. Comments are due by September 7, 2010. More information is available here.
In the IT world, there is always that security pendulum that seems to swing either toward ease of use or toward restrictive control. Users typically tend toward the “ease of use” end of the spectrum because who wants to remember yet another password? And who wants to install complicated VPN software or jump through extra authentication hoops? Conversely, IT folks (like me) tend to believe in restrictive control: passwords as complicated as possible, extra authentication hoops and logging everything that happens over an established connection.
With the advent of SaaS (Software as a Service), security becomes all the more critical for both the user of the service and the administrator of the environment providing that service. The beautiful thing about SaaS offerings like CATSWeb is that they are completely web based through HTML. This makes life much easier for all parties. From the user side, CATSWeb requires no special VPN software, nothing downloaded to the client computer and no local certificate store to verify a user’s identity, only a web address and a password. From the IT standpoint, all machines involved in providing CATSWeb SaaS are completely locked down to two ports of traffic; an IT dream come true. Users will be coming into a hosted CATSWeb environment via either HTTP (port 80) or HTTPS (port 443). For securing a server to the world, only having to deal with two ports is about as simple a scenario as exists in the IT industry.
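A host-side check of the two-port lockdown described above, as an added example that is not AssurX's or the author's code: it parses `ss -tln` output and reports any listener reachable from other hosts on a port other than 80 or 443. The sample output is constructed and the function names are hypothetical.

```python
import ipaddress

ALLOWED_PORTS = {80, 443}  # the two ports the post says are open

# Constructed sample of `ss -H -tln` output (no header); not from a real host.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 128 *:8080 *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); handles [v6]:port and *:port."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def is_loopback(addr):
    """True only for addresses that cannot be reached from another host."""
    if addr == "*":
        return False  # wildcard bind: every interface
    addr = addr.split("%")[0]  # drop an interface scope such as %eth0
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed (fail closed)

def unexpected_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Return sorted (addr, port) pairs listening off-loopback on a disallowed port."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header, blank line or non-listening socket
        addr, port = split_endpoint(fields[3])
        if port not in allowed and not is_loopback(addr):
            findings.add((addr, port))
    return sorted(findings)

if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected listener: {addr}:{port}")
```

A listener flagged here may still be blocked at the firewall; the check shows what the host itself would expose if a firewall rule were loosened.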
Because CATSWeb traffic is only on two ports, our servers are locked down completely, with those two ports being monitored constantly through the firewall, protected by live scanning anti-virus solutions and safeguarded by managed IDS (Intrusion Detection) systems. Add to that the fact that all web traffic is logged from start to finish and you’ve got as bulletproof a server system as can be found. And then we get to CATSWeb itself.
Within CATSWeb, AssurX has included additional security tools to ensure that your data is safe. First, each customer company has their own unique, individual database not shared by anyone else. If a customer chooses to require SSL for accessing their CATSWeb database, this ensures that all traffic to and from that database is encrypted. System access is automatically logged for easy review, including the IP address from where the traffic originated.
The rest we leave up to users. I guess that’s where CATSWeb SaaS becomes a two-pendulum system. The “server security pendulum” we’ve chosen to swing as far toward restrictive control as possible. The “user access pendulum” we leave to the users of CATSWeb. An administrator in a CATSWeb system can set their own requirements for passwords for their users, establish their own session parameters such as session length and inactivity timeouts and much, much more. This will allow any given SaaS CATSWeb system to have security anywhere along the user access pendulum, from easy to restrictive, based on what your requirements are.
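How a session length and an inactivity timeout interact, as an added example that is not CATSWeb code: the same request timeline is replayed against a lenient and a restrictive policy. The parameter names and both policies are hypothetical, chosen only to illustrate two points on the "user access pendulum".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SessionPolicy:
    """Hypothetical admin-set parameters; the names are not CATSWeb's."""
    max_session_seconds: int   # session length: hard cap counted from login
    idle_timeout_seconds: int  # inactivity timeout: counted from last request

# Two constructed policies, one lenient and one restrictive.
EASY = SessionPolicy(max_session_seconds=12 * 3600, idle_timeout_seconds=2 * 3600)
RESTRICTIVE = SessionPolicy(max_session_seconds=3600, idle_timeout_seconds=600)

def check(policy, login_at, last_seen_at, now):
    """Classify a session at time `now` (all times in seconds)."""
    if now - login_at >= policy.max_session_seconds:
        return "expired_absolute"  # activity never extends past the hard cap
    if now - last_seen_at >= policy.idle_timeout_seconds:
        return "expired_idle"
    return "active"

def replay(policy, request_times, login_at=0):
    """Replay request timestamps against a policy; return one verdict per request.

    Once a session has expired, later requests keep being rejected until a new
    login, so an expired session cannot be revived by sending another request.
    """
    verdicts, last_seen, dead = [], login_at, None
    for now in request_times:
        if dead is None:
            status = check(policy, login_at, last_seen, now)
            if status == "active":
                last_seen = now  # only a live session has its idle timer reset
            else:
                dead = status
        verdicts.append(dead or "active")
    return verdicts

if __name__ == "__main__":
    timeline = [300, 800, 1300, 2500, 2600, 3700]  # constructed request times
    print("easy:       ", replay(EASY, timeline))
    print("restrictive:", replay(RESTRICTIVE, timeline))
```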









