The Food and Drug Administration (the "FDA" or "agency") recently released a draft guidance document ("Draft Guidance") in which the agency proposes to stop enforcing the regulatory requirements applicable to several types of devices and software that transfer, store, convert, format and display medical data. This Draft Guidance, if finalized, will apply to Medical Image Storage ("MIS") devices, Medical Image Communications ("MIC") devices and Medical Device Data Systems ("MDDS"). The elimination of FDA regulatory requirements for these devices could have significant positive impacts for manufacturers and users of these devices, particularly within the emergent areas of home health, personal health and telemedicine.
The FDA began addressing the regulation of electronic data communications and storage technologies in the 1990s. One early action was the establishment of regulations for technologies used to store, transmit, copy, view and process digital radiology images. Two of these types of devices, MIS and MIC, were classified as Class I, 510(k)-exempt devices subject only to general controls, such as establishment registration, device listing, adverse event reporting and the Quality System Regulation. In 2011, the FDA issued a rule down-classifying MDDS from the highest risk category of medical devices to the lowest risk category, i.e. Class I, 510(k)-exempt, subject only to general controls.
To be classified as a MDDS, a device must have the following characteristics:
- It is hardware or software intended to transfer, store, convert formats or display data that was originally generated by a medical device;
- It does not modify the data;
- It does not control the functions or parameters of any connected medical device;
- It is not intended to be used in connection with active patient monitoring; and
- It does not analyze patient data or make treatment recommendations.
A few examples of MDDS include:
- Software that collects output from a ventilator about a patient's CO2 level and transmits the information to a central patient data repository;
- Software that stores historical blood pressure information for later review by a healthcare provider;
- Software that converts digital data generated by a pulse oximeter into a digital format that can be printed;
- Software that displays a previously stored electrocardiogram for a particular patient; and
- A telemedicine cart that uses two-way audio/video technology to capture and transmit patient-specific data.
Since the MDDS rule took effect in 2011, the number of software programs and devices designed to facilitate home health, mobile health and telehealth have proliferated. Based on its experience with many of these products, in September of 2013, the FDA issued a guidance document setting forth a policy of regulatory enforcement discretion for many types of mobile health software applications. A short time later, in April of 2014, the FDA, in partnership with the Office of the National Coordinator for Health IT and the Federal Communications Commission, issued a report on health IT regulation, proposing to deregulate and/or exhibit enforcement discretion towards an even larger subset of potential medical devices, including many kinds of clinical decision support software (see Hall Render's article on this topic here).
The Draft Guidance
Based on its experience, both with MIS, MIC and MDDS devices and with medical software in general, the FDA now states that these devices present few risks, and therefore the agency will exhibit enforcement discretion towards them, just as it has recently done with other kinds of health IT. The FDA also recognizes the critical role these devices play in the larger health IT ecosystem - MDDS are often the foundation for intercommunication and interoperability between and among medical devices and other kinds of health IT. Additionally, because many of the health IT products for which the FDA has recently proposed exhibiting enforcement discretion contain medical device data transfer and storage functions, the agency found itself in a position where it had to either enforce the MDDS requirements, while waiving other requirements on such health IT products, or take the de-regulatory stance it chose in the Draft Guidance.
If the Draft Guidance is finalized, software that collects data from a glucometer or a weight scale, for example, and conveys or stores that data, will no longer need to comply with any FDA rules. The Draft Guidance goes so far as to indicate the agency will even exhibit enforcement discretion when these devices are intended for use in ways that exceed their Class I, 510(k)-exempt status. This discretion is proposed to specifically apply to MDDS intended for use in diabetes management or in assessment of cardiovascular disease risk, two growing areas for home and mobile health management. As such, the FDA has also proposed conforming changes to its Mobile Medical Applications guidance.
Although the FDA predicts that the Draft Guidance, if finalized, will encourage greater digital health innovation, its impact may not be so pronounced. App stores are full of digital health products, typically created by start-up companies that were launched without complying with MDDS and other FDA requirements. Based on the lack of warning letters and enforcement actions, the FDA has apparently been exhibiting enforcement discretion towards these products for many years. The only substantial actions by FDA against health IT vendors, despite knowledge of numerous patient injuries, even more near misses and scores of unsubstantiated health claims by health IT vendors, have come against Biosense Technologies and 23andMe.
Other health IT manufacturers, particularly those with established and diverse businesses, have taken a conservative approach to FDA regulation, as evidenced by the perhaps unnecessarily large numbers of companies registered with the FDA as manufacturers of MDDS devices. Such conservative companies may not feel emboldened by the draft nature of the Draft Guidance or the fact FDA has once again approached a critical issue through issuance of a guidance rather than a formal rule change. For example, it is yet to be seen whether this Draft Guidance will be satisfactory to Apple Inc. Due to the close proximity in time between the issuance of the Draft Guidance and Apple's meetings with the FDA about the regulatory status of the new Apple iOS8 HealthKit, Apple may have played a large role in pushing for this Draft Guidance.
Health Care Providers
Perhaps the largest beneficiary of this Draft Guidance, if finalized, may be the health care providers that either purchase or build their own MDDS devices. In a departure from the FDA's typical reluctance to regulate health care providers, the 2011 MDDS rule specified that even health care providers are subject to the MDDS rule. As a result, both health care providers and their third-party consultants have often actively worked to avoid being considered the "manufacturer" of MDDS devices created by new IT projects, to the point some projects have been delayed and others limited in scope. Freeing both the providers and the consultants from FDA regulation, if an MDDS is assembled, may result in the reemergence of new, innovative health IT projects within and among health care provider networks and will almost certainly increase the number of products and vendors available to health care providers. Additionally, knowing the limitation of FDA regulation may also help to facilitate contracting for these projects by clarifying and simplifying the parties' contractual and legal obligations, including those relating to contract warranties, adverse event reporting and indemnification.
Medical Device Tax Implications
One question that does not seem to be so easily resolved, however, relates to the excise tax imposed on all medical devices under the Patient Protection and Affordable Care Act ("ACA"). Although many commentators are suggesting the change in the FDA's regulatory stance towards MIS, MIC and MDDS means the Internal Revenue Service ("IRS") will no longer require the excise tax be collected for such products, that conclusion is far from supported by the law. The IRS's rule implementing the medical device tax defined a medical device as a product required to be "listed" with the FDA, so theoretically, if the FDA does not require health IT products to be listed, then based on the IRS's rule, the tax will not apply. However, a "taxable medical device" is defined in the ACA in accordance with section 201(h) of the federal Food Drug and Cosmetic Act, which discusses functionality and intended use of a device without reference to listing, meaning that according to the law the tax would still apply. Until the FDA promulgates a formal rule removing these products from its oversight, the IRS finally issues a long-promised guidance on the applicability of the tax to software or Congress passes legislation formally removing health IT from the FDA's jurisdiction, this question is likely to remain unresolved.
The Draft Guidance proposes a simple, common-sense approach to the future regulation of MIS, MIC and MDDS. Because the FDA was not required or under public pressure to revise the rules for these products, this Draft Guidance is a welcome indicator that the FDA has truly begun to think differently about the risk of health IT and has committed to changing the regulatory paradigm. After all, it was only a little over three years ago that the FDA considered MDDS devices to be Class III products of the highest risk.
However, because the FDA's action comes in the form of a draft guidance rather than a regulation, every potential manufacturer of these products will have to decide whether it is comfortable accepting the risk that the FDA could change its opinion at any time. 23andMe's recent high-profile problems with the FDA relating to the regulation of software and lab developed tests arguably stem from the agency's inability to set formal rules for those products, resulting in inconsistent treatment of different entities based on the agency's unclear perception of risk. As such, many software developers may still find it difficult to take on that risk. Conversely, many health care providers may now be willing to accept that risk, because even without enforcement discretion, the FDA has traditionally been reluctant to interfere with the operations of health care providers.
Health IT users and manufacturers need to be cognizant of the limited scope of the FDA's proposal. The FDA's proposed enforcement discretion does not extend to products that contain MDDS, MIC or MIS functions when they also contain other functions and intended uses that are regulated under separate FDA rules. Because MDDS is increasingly only one of many functions or modules included in software programs and devices, potential manufacturers and users of these products should continue to diligently scope the full functionality and intended use of potential health IT products, as the FDA's requirements for medical devices may continue to apply. Identifying the scope of FDA's oversight over devices and software having functions not yet addressed in the FDA's device classifications or the Mobile Medical Applications guidance will continue to be a challenge and require negotiation with the agency. Once the FDA regulatory status of a product is identified, however, the parties to transactions involving health IT will be better able to allocate and understand contractual and legal obligations.
The FDA is accepting comments on the Draft Guidance through August 25. You may access the Federal Register Notice here.