FDA Releases Report on Health IT Oversight

On April 3, 2014, the Food and Drug Administration (“FDA”), in collaboration with the Office of the National Coordinator for Health Information Technology (“ONC”) and the Federal Communications Commission (“FCC”), released a congressionally mandated report which proposes to clarify oversight of health information technology (“health IT”) based on a product’s function and the potential risk to patients who use it. The full draft report can be viewed here.

Similar to the FDA’s September 2013 guidance on how it would regulate mobile medical apps, this report proposes a strategy based on the premise that risk and corresponding controls should focus on health IT functionality– not the platform(s) on which such functionality resides.  As such, the FDA has identified three categories of health IT: (1) administrative health IT functions (2) health management health IT functions, and (3) medical device health IT functions.  The following table provides examples of the three categories and describes the FDA’s regulatory approach for each:

 

Health IT Category Examples (includes but not limited to) Level of Oversight
Administrative functionality Billing and claims processing, practice and inventory management,  scheduling, general purpose communications, determination of health benefit eligibility, population health management, reporting of communicable diseases to public health agency, quality measure reporting No additional oversight necessary
Health management functionality (sometimes referred to as “clinical software”) Health information and data exchange, data capture and encounter documentation, electronic access to clinical results, most clinical decision support, medication management, electronic communication and coordination, provider order entry, knowledge management, patient identification and matching Not focus of FDA oversight given proposed risk-based framework for health management  health IT
Medical device functionality Computer aided detection/diagnostic software, remote display or notification of real-time alarms from bedside monitors, robotic surgical planning and control Focus of FDA oversight

 

A significant portion of the FDA’s report focuses on the proposed framework for health management health IT functionalities.  Instead of recommending a new or additional area of FDA oversight, the report recommends a limited, narrowly-tailored approach that primarily relies on ONC-coordinated activities and private sector capabilities.  Four key priority areas for health management health IT include: (1) promote the use of quality management principles (2) identify, develop, and adopt standards and best practices (3) leverage conformity assessment tools and (4) create an environment of learning and continual improvement.

The framework also  includes a recommendation for ONC to create a public-private Health IT Safety Center, in collaboration with FDA, FCC, and Agency for Healthcare Research and Quality (“AHRQ”) and other health IT stakeholders. This Center would work on best practices and provide a forum for the exchange of ideas and information focused on promoting health IT as an integral part of patient safety.

What do you think about the FDA’s health IT report?  The FDA is seeking public input on a number of specific questions related to the report’s recommendations– the report is open to public input/comment for 90 days.  For more information about the FDA report or health IT regulatory issues, please contact Jefferson Lin or David Schoolcraft.

 

 

PROTECT Act Seeks to Exclude Health IT Software from FDA Oversight

Last month, Senators Deb Fischer (R-Neb.) and Angus King (I-Maine) introduced proposed legislation, the PROTECT Act (Preventing Regulatory Overreach To Enhance Care Technology) of 2014 (full text available here), which seeks to remove the Food and Drug Administration’s (“FDA”) regulatory authority over certain health information technology (“health IT”) software.

Main Provisions of the PROTECT Act

Specifically, the bill proposes that “clinical software” and “health software” shall not be subject to regulation under the Federal Food, Drug, and Cosmetic Act (“FD&C Act”).  The bill defines “clinical software” as “clinical decision support software or other software (including any associated hardware and process dependencies)…that captures, analyzes, changes, or presents patient or population clinical data or information and may recommend courses of clinical action…and is intended to be marketed for use only by a health care provider in a health care setting.”

The term “health software” means “software (including any associated hardware and process dependencies) that is not clinical software and (a) that captures, analyzes, changes, or presents patient or population clinical data or information; (b) that supports administrative or operational aspects of health care and is not used in the direct delivery of patient care; or (c) whose primary purpose is to act as a platform for a secondary software, to run or act as a mechanism for connectivity, or to store data.”

Both “clinical software” and “health software” would not include software “(a) that is intended to interpret patient-specific device data and directly diagnose a patient or user without the intervention of a health care provider; (b) that conducts analysis of radiological or imaging data in order to provide patient-specific diagnostic and treatment advice to a health care provider; (c) whose primary purpose is integral to the function of a drug or device; or (d) that is a component of a device.”

The PROTECT Act also proposes that the National Institute of Standards and Technology (“NIST”) be the Federal agency that oversees technical standards used by clinical software.  In addition, the Act recommends that NIST, along with the Federal Communications Commission, the National Patient Safety Foundation, and the Office of the National Coordinator for Health Information Technology, collaborate with nongovernmental entities to develop certification processes and promote best practice standards for health IT.

PROTECT Act Supporters Cite FDA’s Overreach and Slow Process

Proponents of the bill argue that, given the FDA’s broad definition of “medical device”, the FDA’s authority to regulate health IT is too extensive and that the FDA’s slow safety review process hurts innovation.  Senator King explained to the Boston Globe, “While blood-glucose monitors, pacemakers, and other high-risk devices must remain under the current FDA regulations, low-risk software like wellness apps and electronic health records need not be subject to burdensome regulations.”

Although the FDA in September 2013 issued non-binding guidance on how the agency would regulate mobile medical applications, some in the health IT industry are uncomfortable with the uncertainty surrounding the FDA’s regulatory discretion.  Along with athenahealth, which issued a document called “In Defense of the PROTECT Act,” supporters of the bill include IBM, Verizon, McKesson, and Software & Information Industry Association.

Critics Raise Patient Safety Concerns

Critics contend that the PROTECT Act’s creation of a regulatory exception for health IT software undermines the FDA’s role in safeguarding the public’s health.  They warn that flaws with digital records systems can lead to dangerous, and even fatal, consequences.  A 2011 Institute of Medicine report found that “dosing errors, failure to detect life-threatening illnesses, and delaying treatment due to poor human-computer interactions or loss of data have led to serious injury and death.” A more recent study of medical malpractice claims confirms that electronic health record-related vulnerabilities such as faulty data entry, unexpected conversions, or incorrect files/fields can lead to medical errors.

PROTECT Act opponents argue that patient safety is an area that the FDA has experience with and should regulate, whereas NIST’s mission is to promote U.S. innovation and industrial competitiveness.  The mHealth Regulatory Coalition, along with other advocacy groups like the National Physicians Alliance, Public Citizen, and the Union of Concerned Scientists have voiced concerns about the PROTECT Act.

Conclusion

Those interested in the future policy and regulatory framework of health IT should keep an eye on this proposed legislation.  In the coming months, the Obama administration also plans to release recommendation on how health IT systems should be regulated for safety.  As the adoption of health IT and electronic health records systems expands and as health IT becomes more sophisticated, the proper role of the FDA in regulating the safety of health IT will continue to be a subject of intense debate.

For more information about the PROTECT Act, FDA regulation or health IT policy issues, please contact Jefferson Lin or David Schoolcraft.

FDA Releases Guidance For Medical Mobile Apps

The Food and Drug Administration (FDA) recently released guidance on how the agency intends to regulate mobile applications (“mobile apps”).  This more complete guidance follows the FDA’s May 21“It has come to our attention” letter to Biosense Technologies regarding a mobile app that can conduct urine analysis.  Given the growing expansion and applicability of mobile apps, this recent guidance contains non-binding recommendations aimed to provide clarity and predictability for manufacturers of mobile medical apps.

The FDA intends to focus its regulatory oversight to only those mobile apps that are medical devices (as defined in the FD&C Act) and whose functionality could pose a risk to a patient’s safety if the mobile app were to not function as intended.  Referred to as “mobile medical apps,” these include mobile apps that:

  • Connect to an existing medical device for purposes of controlling the device or displaying storing, analyzing, or transmitting patient-specific medical device data;
  • Transform the mobile platform into a regulated device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices; or
  • Become a regulated medical device (software) by performing patient-specific analysis and providing patient-specific diagnosis or treatment recommendations.

For other health-related mobile apps that pose a low risk to patients, the FDA intends to exercise “enforcement discretion,” meaning the agency does not intend to enforce requirements under the FD&C Act.  These include mobile apps that:

  • Provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in their daily environment;
  • Provide patients with simple tools to organize and track their health information;
  • Provide easy access to information related to patients’ health conditions or treatments (beyond providing an electronic “copy” of a medical reference);
  • Help patients document, show or communicate to providers potential medical conditions;
  • Perform simple calculations routinely used in clinical practice; or
  • Enable individuals to interact with PHR or EHR systems.

Depending on the classification and the associated regulation for the mobile medical app, a manufacturer would be required to follow a set of regulatory controls. The guidance contains more specific examples of mobile medical app classification and some helpful FAQs.  Specifically, the guidance contains appendices including what the FDA does and does not consider as medical devices and a list of medical devices posing a risk of harming a patients if they malfunction.  For more information regarding FDA guidance on mobile apps specifically, please contact Jefferson Lin.