On February 15, 2011, the Federal Food and Drug Administration (FDA) published a final rule that defines Medical Device Data Systems (MDDSs) and establishes the regulatory requirements applicable to MDDSs.i Historically there has been confusion about the regulatory status of these products (and certain other kinds of software); FDA’s rule clarifies the agency’s view of this subset of computer products.
The final rule makes clear that FDA considers MDDSs to be medical devices and expects manufacturers of these products (including, in certain circumstances, health care institutions or providers) to comply with certain requirements applicable to medical devices, including requirements for medical device listing and establishment registration, adverse event reporting (Medical Device Reporting), and current good manufacturing practices, including design development requirements—but not including premarket review or clearance requirements (i.e., 510(k) clearance). Products falling within FDA’s definition of MDDSs, and parties required to comply with the MDDS requirements announced in the rule, are described below.
The MDDS rule is significant because, to date, FDA has generally declined to apply any medical device requirements to the various types of health information technology now within the rule’s scope. ii While it technically reclassifies MDDSs from Class III (the device classification subject to the most stringent FDA regulation, including premarket approval (PMA approval)iii) to Class I (the least stringent classification), with an exemption from premarket review, many affected parties will likely perceive the rule as initiating, rather than lessening, FDA regulation of these products.
What Products Are MDDSs Subject to the Rule?
The final rule defines an MDDS as a “device that is intended to provide one or more of the following uses, without controlling or altering the functions or parameters of any connected medical devices:
- the electronic transfer of medical device data;
- the electronic storage of medical device data;
- the electronic conversion of medical device data from one format to another format in accordance with a preset specification; or
- the electronic display of medical device data.”iv
Importantly, the rule excludes from the MDDS definition any “devices intended to be used in connection with active patient monitoring.”v FDA explains that this restriction is intended to describe “[a]ny device that transmits, stores, converts, or displays medical device data that is intended to be relied upon in deciding to take immediate clinical action or that is to be used for continuous monitoring by a health care professional, user, or the patient.” vi The regulation states that an MDDS may include “software, electronic or electrical hardware such as a physical communications medium (including wireless hardware), modems, interfaces, and a communications protocol.”vii
“Medical device data” are not formally defined in the final rule, but FDA provides guidance on the meaning of this term. FDA states that it “considers medical device data to be any electronic data that is available directly from a medical device or that was obtained originally from a medical device.”viii The agency also clarifies that, “[D]ata that is manually entered into a medical device is not considered medical device data. However, if manually entered data is subsequently transmitted from a medical device as electronic data it will be considered medical device data.”ix
What Products Are Not MDDSs?
In the preamble to the MDDS rule, FDA provides insight about not only products that meet the definition of an MDDS, but also products that fall outside the definition. For example, FDA clarifies that an MDDS acts only as a mechanism through which medical device data can be transferred, stored, converted or displayed; the term does not encompass products that modify, interpret or add value to such data or the display of such data.x Accordingly, products are not MDDSs if they flag data (via email or otherwise) or analyze, prioritize, plot or graph data.xi Similarly, a product is not an MDDS if it controls, or adds to or modifies the intended uses or clinical functions of, medical devices that provide data to (or receive data through) the product.xii
FDA also states that computerized physician order entry systems (CPOE) that can order tests or medications do not meet the MDDS definition.xiii Notably, the agency’s MDDS rule discusses electronic health records (EHRs) as well.xiv The final rule states that software products that allow physicians to enter or store a patient’s health history in a computer file are not considered MDDSs. Additionally, as earlier noted, information that is manually entered is not considered to be medical device data within the scope of the final rule, unless such data are subsequently transmitted electronically. Accordingly, FDA believes that many or most EHR software would fall outside the MDDS classification; however, the agency also observes that some EHRs may include MDDS functions.xv The applicability of the MDDS rule to any EHR product must thus be individually considered.
Another set of products that should be closely considered is multi-purpose or modular software and other devices with diagnostic or therapeutic functionality, as well as MDDS functionality, that can be configured in a variety of ways. FDA states that in light of the multiplicity of potential configurations and varying effects on functionality and intended use, “[I]t is not possible for FDA to make generalized determinations on whether an MDDS or related software module would require premarket review…or whether the combination of multiple devices would result in a new device requiring premarket review….”xvi
It is important to note that even if software or computer products fall outside the MDDS definition, they may or may not still be considered medical devices subject to FDA regulation. Although FDA’s MDDS rule brings some clarity to understanding what products are or are not subject to FDA regulation as MDDSs, it does not resolve the ultimate regulatory status of many non-MDDS computer products whose status has historically been unclear (e.g., EHRs without MDDS functions).
Who Must Comply With MDDS Requirements?
The requirements that flow from the MDDS rule apply to all manufacturers of MDDSs. In addition to traditional manufacturing entities, the rule makes clear that health care facilities and users will be deemed to be MDDS manufacturers subject to FDA requirements if they: (1) develop their own software protocols or interfaces that have an intended use consistent with an MDDS, or modify or create a system from multiple components of devices and use it clinically for functions covered by the MDDS classification; (2) modify or reconfigure a commercially available MDDS outside the original manufacturer’s specifications, either for the user’s clinical practice or for commercial distribution; or (3) add to or modify any non-MDDS software or hardware to enable the transfer, storage, conversion according to preset specifications, or display of medical device data for use in clinical practice.xvii
What is Required of Parties Subject to MDDS Requirements?
As a result of the final rule, manufacturers of MDDSs (including health care facilities and MDDS users in the circumstances described above) are required to comply with FDA’s “general controls” for medical devices, including current good manufacturing practices and product design requirements codified in FDA’s Quality System Regulation (21 C.F.R. Part 820); FDA establishment registration and device listing requirements (21 C.F.R. Part 807); Medical Device Reporting (adverse event reporting) (21 C.F.R. Part 803); and corrections and removals (i.e., recalls) reporting and recordkeeping requirements (21 C.F.R. Part 806). Significantly, MDDS manufacturers are exempt from the general control of premarket notification (i.e., 510(k) clearance) unless certain limitations are exceeded.xviii FDA has emphasized that compliance with the QSR - and, in particular, the design control provisions of that regulation (21 C.F.R. Part 820.30), which require a device-specific risk analysis and related actions to ensure that specified design requirements are met - is “particularly important” to assure the safety, effectiveness, and accurate performance of MDDS devices in the absence of premarket review.xix FDA believes its decision to subject MDDSs to active regulation as Class I, premarket exempt devices (rather than devices subject to greater regulation) reflects the existing but relatively low level of risk presented by these products.xx
The final rule becomes effective 60 days after publication (April 16, 2011). FDA is allowing manufacturers 90 days from the date of publication (May 16, 2011) to register and list, and 12 months from the rule’s effective date (April 16, 2012) to establish QSR-compliant design and manufacturing processes.xxi After that time FDA will begin active regulation of MDDS manufacturers and utilize its existing enforcement authority and policies to enforce requirements applicable to MDDSs (e.g., inspections and issuance of inspectional observations (Form FDA-483s), Warning Letters, etc.).xxii