Innovative hospitals and health care systems commonly adapt information technology to meet specific needs within their delivery systems. What is uncommon, however, is for the U.S. Food and Drug Administration (FDA) to regulate these hospital and health care delivery systems as medical device manufacturers. But this is about to change.
Also, as the Department of Health and Human Services presses forward to encourage our nation’s health care delivery system to achieve interoperability, more and more hospitals will be exporting health information data to other health delivery systems with technology that will likely be subject to the FDA’s final rule. Technologically innovative hospitals and health care systems should take note.
On February 15, 2011, the FDA issued its Final Rule to regulate products that qualify as Medical Device Data Systems (MDDS). The rule is lauded by the FDA as providing a less burdensome path to market for some software and hardware products used with medical devices by downgrading MDDS from Class III (high-risk) to Class I (low-risk), meaning that manufacturers do not have to go through the lengthy Premarket Approval (PMA) process before they can sell these devices. However, the reality is that the FDA historically has chosen not to enforce the PMA requirement for these technologies. As a result, the rule actually imposes new regulatory burdens on innovative hospitals and health care systems that previously were not subject to the FDA’s direct oversight.
What Is a Medical Device Data System?
The Final Rule defines MDDS as “a device that is intended to transfer, store, convert from one format to another according to preset specifications, or display medical device data.” MDDS may include software, electronic or electrical hardware such as a physical communications medium (including wireless hardware), modems, interfaces and a communications protocol. It is important to note that MDDS does not modify data, change the display of data or control the functions of another medical device. Further, the FDA makes clear that the intended use of MDDS does not include active patient monitoring.
The FDA states in the rule that MDDS only communicates medical device data, but the FDA declines to define “medical device data.” The FDA clarifies that data manually entered into a medical device are not considered medical device data. However, if manually entered data are then transmitted as electronic data from a medical device, they become medical device data. Therefore, any devices that subsequently transfer, store or convert the data (as defined above) are considered MDDS.
Who Is a Manufacturer?
Under the rule, any manufacturer in the IT, computer hardware and software industry will be subject to the rule if it labels its product specifically as MDDS. However, these entities could also be subject to regulation if they offer a product for general use, but advertise or conduct sales pitches to hospitals or other medical clients that would cause the FDA to consider the technology to be intended for MDDS use.
In addition, hospitals and other technology users must exercise caution, as they too could be subject to regulation as “manufacturers.” Under the rule, if a hospital purchases an IT product and modifies it for use as MDDS, then the hospital is a “manufacturer” and must comply with FDA regulations.
Hospital CEOs and their General Counsels should consider the following scenarios under the rule:
- If a hospital customizes an IT product to be used as MDDS, whether it stays within its own system or not, then it is a manufacturer.
- If a hospital buys software that is not labeled as MDDS but modifies it so that it performs an MDDS function, then the hospital is a manufacturer.
- If a hospital purchases a software product that is labeled as MDDS and modifies it such that it does not change the intended use of the product, then the hospital is not a manufacturer. If the modification exceeds the software’s intended use, then the hospital is a manufacturer.
- If a hospital purchases a software product off the shelf that is labeled as MDDS and does not modify the product at all, then the hospital is not a manufacturer.
Entities that are deemed manufacturers are subject to the FDA’s Class I general controls:
- Registration and Listing: Manufacturers must register annually with the FDA as device manufacturers and provide listing information for their MDDS products.1
- Quality System Regulations (QSRs): Manufacturers must design and implement a quality system according to the FDA’s QSRs.2 The QSRs contain requirements governing the design process, manufacturing process and record keeping, among other things.
- Adverse Event Reporting: Manufacturers are required to report to the FDA when a device it manufactures may have caused or contributed to a death or serious injury, or has malfunctioned and would be likely to cause or contribute to a death or serious injury if the malfunction were to reoccur.3
All hospitals should be well versed on the FDA’s adverse reporting requirements for devices, which would now apply to MDDS as well. Thus, even if a hospital is not the manufacturer of an MDDS it uses, it must still report to the manufacturer when a device-related serious injury occurs. It must also report to the FDA and the manufacturer when a device-related death occurs.4 Device user facilities must also submit annual reports of adverse events to the FDA.5
The new rule goes into effect April 18, 2011 and requires manufacturers to meet registration and listing requirements by May 16, 2011. Manufacturers have an additional year, until April 18, 2012, to implement a quality system that meets the requirements under the FDA’s QSRs.
Hospitals and health care systems would be wise to engage counsel to evaluate their development and use of medical technology to determine the extent to which they must comply with the FDA’s Final MDDS Rule.
View the Final Rule.