You can only offer healthcare technology if you are committed to compliance. At least, that's the opinion of Rob Peters, CFO at Minddistrict, who has a leading role in ensuring the organisation's compliance. ‘Patient data has to be protected. That's what it's all about. And patients and organisations should be able to rely on that.’
Rob Peters
To best protect the security of sensitive patient data, laws and regulations have been drawn up that suppliers must comply with. ‘This is not only important for Minddistrict, but also reassuring for everyone using our product.’
Rob and his team completed a number of major compliance projects in 2024: the transition to the new information security standard ISO 27001-2022; a compliance project around German legislation for DiGA (digital health applications); and a project to prepare the Minddistrict platform's organisation and technical file for the Medical Device Regulation (MDR).
What is the Medical Device Regulation?
The MDR is a regulatory framework that strengthens EU regulations for medical devices. The aim of the MDR is to make medical devices as safe as possible for clients and patients. ‘It consists of extensive legislation and regulations. And many of its requirements are placed on medical device suppliers. Rightly so, too.’
One difference between the previous regulation and MDR is the increased focus on software as a medical device. The requirements manufacturers must meet have been clarified and tightened.
The MDR transition phase
‘Currently, the quality management system called for in the MDR has been fully implemented within Minddistrict. We are in the transition phase between the old and new legislation. Our documents have been submitted, but it will take some time to complete the certification. The audit, from start to finish, has several stages. During 2025, we will be going through those.’
Although the transition period for Minddistrict lasts until 2028, it may be important to be MDR-certified before then, Rob explains. ‘Manufacturers may only take advantage of the transition period if they do not significantly change their product during that time. When you want to make major changes to your product, you do have to have the MDR certificate hanging on the wall already. In other words, if a manufacturer waits too long to update their quality management system and technical file, and have them audited, at some point they are going to get stuck with product development.’
But that's not the only consideration for Rob. ‘No, I don't think “oh, the deadline is still far away”. I want to demonstrate to our partners and users that we are not putting this extensive change in laws and regulations far ahead of us.’
Compliance and innovation at odds?
‘Information security and compliance are important preconditions for offering medical devices,’ Peters explains. ‘One of our visions is therefore “comply or explain”. So, we are either demonstrably compliant, or we can explain to customers and regulatory bodies how we deal with frameworks and how they are implemented at Minddistrict.’
‘We work according to the “comply or explain” vision’
Compliance is therefore not a ‘department of no’ within Minddistrict, Rob stresses. ‘You need compliance to offer a safe and solid product. That's why you need it to be able to innovate. Because you don't innovate to make a product that is then not safe enough to use.’
When further developing the product, the starting point is therefore always to think about why Minddistrict wants to get something done, he explains. ‘You launch the conversation for that, internally and externally. Why do you want to get something done with data exchange? Why do we want this new feature? Why is this so important and what does it add to our customers and patients?’
‘We are not the “Department of No”’
The next step is to examine how the development fits within the framework of laws and regulations. ‘We check who is responsible and document how to explain the development to customers and patients. That way, almost anything is possible, as long as you arrange it right.’
That last part is particularly important. ‘You can believe that your organisation does not have to comply with certain regulations, but that doesn't mean you’re done, as far as I am concerned. You have to be able to explain for each framework how you have dealt with it, and why you think it is done correctly. That's where things often go wrong: documentation on frameworks that have not been visibly implemented is often missing.’
You can't do everything at once
Questions from healthcare organisations are becoming more substantive as the MDR deadline draws nearer, the compliance team has noticed. ‘That's a good development. I'm happy to give people a view behind the scenes. Because mutual transparency and honesty will get you the furthest.’
The same applies, even if the team does not yet have everything in order: ‘Sometimes we receive questions about aspects of a law or directive that we have not yet fully worked out. Then we are simply open about it: we can't do everything at once. I have noticed that this openness enhances the trust customers have in us: it creates a good working relationship with our customers. And this allows us to focus on the core themes: the use of digital care in practice and further scaling up.’
A substantial investment
Compliance involves hefty costs, but you can't avoid that as a digital health provider, Rob explains. ‘It requires quite an investment to be MDR-compliant. Besides your information security and privacy management system, you have to implement a whole quality management system throughout the organisation, among other things. This is then tested in multiple audits. Each step involves costs. Finally, an external party provides the organisation with a certificate.’
This does not only take time from the compliance team. ‘You really have to do it together. If only compliance implements laws and regulations, it doesn't work. To be demonstrably compliant, everyone has to be well-versed in the benefits and the procedures.’
Worth the effort
Is it still worth it, all that work to comply with more and more regulations? ‘Yes, digital health remains the future,’ Rob says without hesitation. ‘And by organising your compliance properly, you can remove uncertainty about laws and regulations from organisations. That creates space to fully implement ehealth for personalised treatment and efficient health care. Then you can finally fulfil the promise of digital health care.’
Want to know more?
Do you have any questions for Rob and the compliance team? Feel free to contact us, and we'll make sure they receive them.
This isn't the first time we're publishing about compliance at Minddistrict. Earlier, compliance officer Cristina answered a series of questions on camera. You can watch the video here.