Should FDA FOIA (b)(6) your e-mail address?
“We thought that ‘Once is a fluke, twice is a coincidence [updated 01 JAN 2020] and three is a trend.’ “
– from the preamble to the Quality System Regulation (1996)
This article actually started 24 months ago [updated 01 JAN 2020], in JAN 2018, with FDA FOIA posting what I thought was an unusual warning letter. The letter was for a global healthcare company in NJ and sent to their Head of Quality. It’s not unusual for there to be a global company headquarters in NJ, we have quite a few. (OK, fewer than we used to – we no longer have Schering-Plough, WarnerLambert and going back a few years Squibb.) Nor is it unusual for one of those companies to get a warning letter. In this case, the warning letter was not unexpected, as the company had received a 10 page 483 six months before. (It was noted here.) FDA ORA FOIA posted it in AUG 2017 and it included a reference to that title. The unusual item was that the warning letter, delivered via UPS, included the direct e-mail address of the Head of Quality.
[Reference about US FDA FOIA and (b)(6) – skip if this is familiar.
As an agency of the US government, FDA is subject to the Freedom of Information Act which requires them to provide records upon request. These records are to be redacted to remove proprietary information, under (b)(4). This is very common and sometimes quite substantial - see pgs. 1 and 2 of the 483. The provision to remove personal information – (b)(6) – is used sparingly in the one or two (thousand?) warning letters I have read. The times I have seen it, save once, it has been used to justify the removal of a name in the cc: section of the letter.]
The fact that a physical letter would include a personal, albeit corporate, e-mail address was something I found curious. It certainly doesn't help with delivery. Let me add, the company CEO was cc’d on that letter. (His e-mail address was there as well.) I made a phone call to FDA that week and did get a prompt call back. I asked if it was an error, either to include the e-mails or that they weren’t redacted. The takeaway from my conversation was the letter came from the Divisional Office, it was must been properly reviewed and that FDA was looking to move more toward using e-mail communications. (This last item later correlated with the notification about CBER moving to secure e-mail, effective 01 OCT 2018.) After that phone call, I thought about posting this question for discussion but waited (ok, procrastinated) and kept looking for this 'fluke' to become a pattern/ 'coincidence.'
To mix my metaphors, “it was virtual crickets” – until warning letters were posted on a Tuesday in FEB 2019. Another global company got a warning letter earlier that month. The letter was in the same industry segment and from the same FDA divisional office (Stoneham MA). Once again, in a physical letter delivered by UPS, the e-mail address of the addressee (along with that of the cc’d CEO) was included. Now we had ‘a coincidence,’ along with the related data points. I wondered if this would become more common, or would there be another thirteen months until the next event?
The answer is it only took 10 months. (More correctly 9, I suppose.) In December 2019 another warning letter was posted with the same addressing combination. As you can see here, however, there were several variations. The company is in Texas this time (not NJ) and it comes Medical Device Division 3 West (not in MA). The company in question also neglected to reply to their 483, but that is just something to note. It's a letter worth reading. You will find it here, at the end of the comments.
Now that we seem to have "validated" this trend, this question remains. If the next e-mail posted is yours – or a senior colleague – will the number of spam messages spike? Will IT notice more spear fishing? Will anyone mention to FDA FOIA that they might consider redacting these? After all, it’s not correcting anything the District Office writes but simply trying to apply (b)(6). If this is actually rather common and I just don’t read enough warning letters, let me know. As always, your comments are welcome. [This update is to the original posting on 24 FEB 2019.]
?? Former FDA Investigator | Vice President | Quality Compliance
5 年Unfortunate sign of the time John English, HCCP
Global Quality Compliance
6 年If you look at Datascope's recent warning letter email addresses for FDA and Datascope's Managing Director and CEO are included. I think this is the way we're headed.
Enterprise Data Migration | Technical Architecture | Data Governance | Systems Integration | Program Management | Expertise in Regulated Industry (Pharma, Life Sciences, Highly-Controlled Environments)
6 年Hmmmm. Great question. Two things to chew on - first, an email address these days for a c-suite level office really isn't any different than a physical address was a few years ago - it's likely maintained by an administrative assistant who serves the same filtering role with the executive in question and likely also issues corporate communications on behalf of the same office. It's certainly possibly that there would be a spike in use of that address by others but it's also fair to say that it's probably easy to guess in the first place if one knows the naming convention being followed. Second, and what I find more curious, is the FOIA piece - in many firms, it's standard practice to stamp everything being copied or taken by an inspector with a statement effectively claiming that the contents are confidential and must be treated as such by the agency. In some cases this might extend to things like org charts, which starts to get close to the email question. It will be interesting to see if BD's counsel objects to the use of that email address on similar grounds. Thanks for posting, John...!