An investigational device exemption (IDE) is an approval that allows a medical device to be used in a clinical research study that involves human subjects or human specimens. The term “exemption” as it pertains to IDEs, means that the device is exempt from the laws that prohibit unapproved products to move in interstate commerce.

An approved IDE means that the IRB (and FDA for SR devices) has approved the sponsor’s study application and all regulatory requirements are met.

IDEs cover studies that:

Non-significant risk (NSR) devices are devices that do not pose a significant risk to the human subjects. Examples include most daily-wear contact lenses and lens solutions, ultrasonic dental scalers, and Foley catheters. An NSR device study requires only IRB approval prior to initiation of a clinical study.

The IRB is tasked with granting NSR determinations, when appropriate.

A significant risk (SR) device presents a potential for serious risk to the health, safety, or welfare of a subject. Significant risk devices may include implants, devices that support or sustain human life, and devices that are substantially important in diagnosing, curing, mitigating or treating disease or in preventing impairment to human health. Examples include sutures, cardiac pacemakers, hydrocephalus shunts, and orthopedic implants.

The FDA defines a medical device as:

Once a project is determined to be CUI it is managed under a security plan. The University of Arizona Export Control office worked closely with the IT-CUI team to develop “The Plan,” a joint Technology Control Plan and System Security Plan. This plan outlines the security measures researchers and staff must follow in order to protect the CUI data.

If both the 7000 and 7012 clauses are in an agreement we can go back to the prime contracting officer and ask if the University of Arizona’s portion on the work is fundamental in nature. If we receive confirmation in writing from the prime contracting officer that the university’s work in fundamental it nullifies the CUI clauses.

The University of Arizona’s Export Control team works closely with the Contracting Office to identify contracts with NIST requirements or clauses with publication restrictions (e.g., DFARS 252.204-7012 and 252.204-7000). Export Control is also alerted when there are similar safeguards/restriction clauses in contracts that are not sponsored by Department of Defense (NASA contracts often have similar clauses). 

Disclosure of Information restricts the release of information unless the information is already in the public domain, the Prime Contracting Officer has given prior written approval, or the results during the performance of the project involved no covered defense information and has been determined by the Prime Contracting Officer to be fundamental research.

This clause requires the university to implement security measures as outlined in the NIST 800-171. In the event of a cybersecurity incident, the university’s responsibility under DFARS  252.204-7012 is to report the incident to the DoD within 72 hours. The university should preserve and protect images of all known affected information systems identified in this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.