The long-awaited joint report1 proposing an overarching framework for the regulation of health IT was issued on April 3, 2014, by the Food and Drug Administration (FDA), the Federal Communications Commission (FCC), and the HHS Office of the National Coordinator for Health Information Technology (ONC) (together, the Agencies). The report,FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework (draft Report), issued in draft to allow for public comment, fulfills the requirement set forth in Section 618 of the Food and Drug Administration Safety and Innovation Act (FDASIA) requiring the FDA, in consultation with the FCC and ONC, to propose a framework and strategy for the regulation of health IT that “promotes innovation, protects patient safety, and avoids regulatory duplication.” The draft Report highlights a three-tiered classification of health IT products, with FDA oversight focused predominantly on “medical device health IT functionality.”

The Proposed Framework

Though the draft Report provides only a very high-level view of the proposed framework, it proposes that health IT be classified into one of three categories: (1) administrative health IT functionality, (2) health management health IT functionality, and (3) medical device health IT functionality. Similar to the FDA’s framework for the regulation of medical devices, the regulatory framework proposed by the Agencies for health IT is a three-tiered, risk-based categorization scheme, where controls/regulation will be tailored to each risk category. Importantly, the draft Report emphasizes several times that risk and resulting regulatory requirements are determined by functionality, as opposed to platform. The draft Report does not provide specific definitions for the three categories, but instead provides examples of each type of functionality, which are outlined below.

Administrative Health IT Functions

Health IT products intended to facilitate certain administrative functions are noted by the draft Report as posing limited or no risk to patient safety, and as such, the draft Report recommends that no additional2oversight is necessary to protect patient safety and promote innovation. Examples of such administrative functionality include 

  • admissions;
  • billing and claims processing;
  • practice and inventory management;
  • scheduling;
  • general purpose communications;
  • analysis of historical claims data to predict future utilization or cost-effectiveness;
  • determination of health benefit eligibility;
  • population health management;
  • reporting of communicable diseases to public health agencies; and
  • reporting on quality measures.

Health Management Health IT Functions

Health IT health management functions include, but are not limited to

  • health information and data management;
  • data capture and encounter documentation;
  • electronic access to clinical results;
  • most clinical decision support, such as:
    • evidence-based clinician order sets tailored for a particular condition, disease, or clinician preference;
    • drug/drug interaction and drug/allergy contraindication alerts to avert adverse drug events;
    • most drug dosing calculations;
    • drug formulary guidelines;
    • reminders for preventative care (e.g., mammography, colonoscopy, immunizations, etc.);
    • facilitation of access to treatment guidelines and other reference material that can provide information relevant to particular patients;
    • calculation of prediction rules and severity of illness assessments (e.g., APACHE score, AHRQ Pneumonia Severity Index, Charlson Index);
    • duplicate testing alerts;
    • suggestions for possible diagnoses based on patient-specific information retrieved from a patient’s HER;
  • medication management (electronic medication administration records);
  • electronic communication and coordination (e.g., provider to patient, patient to provider, provider to provider, etc.);
  • provider order entry;
  • knowledge (clinical evidence) management; and
  • patient identification and matching.

The draft Report explains that such products present a low level of risk compared to potential benefits. Any such risk, the draft Report explains, should be addressed by looking at the entire health IT ecosystem rather than single, targeted solutions. The draft Report also notes that even where products in this category may meet the statutory definition of a medical device, the FDA does not intend “to focus its regulatory oversight” on such products. This is generally consistent with the “enforcement discretion” approach proposed by the agency late last year for certain types of Mobile Medical Applications. 

With respect to the clinical decision support functionalities, specifically, the draft Report notes that “most clinical decision support” should fall into the health management health IT category and that only clinical decision support products that “pose higher risks to patients” would be considered medical device health IT. As explained below, the Agencies recommend that for most clinical decision support, non-regulatory approaches can mitigate any safety risks. As was recommended by the FDASIA Workgroup, this draft Report recommends that the FDA work with federal and private stakeholders to clarify the types of clinical decision support that will be subject to the FDA’s oversight.

Medical Device Health IT Functions

Noting that health IT with medical device functionality (referencing Section 201(h) of the FD&C Act) is within the FDA’s regulatory purview, the draft Report lists the following examples of health IT that have medical device functionality:

  • computer aided detection/diagnostic software
  • remote display or notification of real-time alarms (physiological, technical, advisory) from bedside monitors
  • radiation treatment planning
  • robotic surgical planning and control
  • electrocardiography analytical software

The draft Report is clear that these do not represent the universe of products that would be or continue to be regulated by the FDA, but rather are only examples of the types of products the aency already regulates. Not surprisingly, these examples are very similar to the examples of actively regulated products offered by the FDA in the final Mobile Medical Applications Guidance issued late last year. 

Proposed Strategy and Recommendations

The draft Report describes four strategic areas that the Agencies believe are necessary for a risk-based framework for health management health IT: (1) promote the use of quality management principles; (2) identify, develop, and adopt standards and best practices; (3) leverage conformity assessment tools; and (4) create an environment of learning and continual improvement. In addition, the Agencies recommend the creation of a Health IT Safety Center, which would be a public-private entity focusing on the promotion of Health IT as integral to patient safety, with the ultimate goal of creating a sustainable, integrated Health IT learning system. The draft Report discusses the key principles underpinning each of the four key areas of focus, as well as the Health IT Safety Center. It also calls for stakeholder input on each of the key areas. In particular, the draft Report seeks feedback regarding whether the areas identified are the appropriate ones and whether the proposals set forth in the report are likely to “lead to an environment where patient safety is protected, innovation is promoted, and regulatory duplication is avoided,” as well as on how to foster private-sector participation in the key focus areas and Health IT Safety Center. 

Promote the Use of Quality Management Principles

The draft Report notes that quality management principles and processes have been adopted and implemented by companies to improve quality, efficiency, safety, and reliability. The Agencies believe that the application of these principles and processes by health IT stakeholders is necessary for the safe design, development, implementation, customization, integration, and use of health IT. The draft Report seeks input from health IT stakeholders to determine the essential elements of a health IT quality framework, as well as the best strategy for assuring stakeholder accountability for adoption of such quality management principles and whether there may be a role for a non-governmental program to assess such adoption.

Identify, Develop, and Adopt Standards and Best Practices

The draft Report explains that, in the view of the Agencies, identification, development, and adoption of standards and best practices is necessary to establish the minimum requirements necessary to achieve an acceptable level of performance for health IT. This strategy is based on the premise that both standards and best practices serve as guidelines for achieving quality products, while allowing health IT developers to vary product design, function, features, and developmental approach to suit their needs. The draft report identifies certain areas for use of standards (e.g., quality management) and seeks stakeholder input regarding whether these areas are appropriate.

Leverage Conformity Assessment Tools

The draft Report discusses the adoption of “conformity assessment tools,” e.g., product testing, certification, and accreditation, to be applied in a risk-based manner as a strategy to distinguish high-quality products from those that fail to meet minimum quality standards. The draft Report does not recommend additional mandatory conformity assessments, but suggests that these tools could be implemented by the private sector to develop non-governmental programs to perform conformity assessments to fill current gaps. The Agencies have posed a number of questions seeking feedback to clarify the value and role of conformity assessment tools in health IT, as well as to address the appropriateness of relying on non-governmental programs to perform such assessments. 

Create an Environment of Learning and Continual Improvement

The draft Report recommends that the public and private sector work together to develop an environment of “learning and continual improvement.” The draft Report indicates that such a system would encourage safety, transparency, learning, continual improvement, and accountability. While providing little detail as to what this might entail, the draft Report notes the Health Information Technology Patient Safety Action & Surveillance Plan (Health IT Safety Plan) issued by the ONC in 2013 and also references certain FDA programs that may be leveraged to facilitate the creation of this environment including

  • road map for creation of a National Medical Device Postmarket Surveillance System;

  • multi-stakeholder planning board to facilitate the creation of a sustainable, integrated, medical device postmarket surveillance system;
  • Unique Device Identification (UDI) System;
  • FDA Adverse Event Reporting System; and
  • semantic text mining and automated adverse event review techniques.

The Agencies recommend the creation of a public-private Health IT Safety Center, which could identify health IT governance structures and functions necessary to create a sustainable, integrated, health IT learning system that leverages and compliments ongoing efforts and avoids regulatory duplication. In addition, the draft Report recommends that serious health-IT-related safety events should be reported to a trusted source that can aggregate and analyze information and disseminate findings. The Agencies are seeking feedback regarding the governance structure and functions of the Health IT Safety Center, among other things.

Clinical Decision Support

One of the most anticipated parts of the draft Report has been further clarification of the FDA’s current thinking on clinical decision support (CDS) tools. When the FDA first issued the draft Mobile Medical Applications guidance in 2011, the draft guidance and related Federal Register notice raised a number of questions about CDS functionality and the role in healthcare. A subsequent workshop held by the Agency in late 2011 included dedicated segments designed to further explore these questions. However, the final Mobile Medical Applications guidance left the topic of CDS products to a future guidance document.

Since that time, there has been significant hope that the FDASIA Report would provide further insight into this topic. While the draft Report does clarify that certain types of CDS tools would not be subject to active FDA oversight at this time, the scope of what would be within the FDA’s purview remains somewhat unclear. While the FDA provides a limited set of examples of CDS functionality that would be regulated, it is clear that the examples do not represent the universe of what will be regulated. Like prior communications, the draft Report leaves final clarification of this topic to future work by the FDA. And while a draft Clinical Decision Support guidance document has reportedly been under development at the agency for several years, the questions raised by the FDA in the draft Report suggest that release of such a guidance document may still take a notable amount of time. Specifically, the FDA raises a number of specific CDS questions and requests comment. For example, what types of CDS functionality should be subject to FDA oversight and how would quality management principles be applied to CDS products? It remains to be seen whether the FDA will provide any further clarification on these topics in the near term.

Key Takeaways

  • It appears for now that the scope of the FDA’s regulatory role will remain generally consistent with what it has been over the past few years, with no significant expansion.
  • The largest percentage of health IT products (other than those performing administrative tasks) appears to fit into the “health management” category. Oversight of that category will likely fall largely to the ONC, rather than the FDA.
  • Where a product features functionality that falls into both the “health management” and “medical device” categories, the FDA plans to attempt to regulate only the medical device aspects of the product. How this will work in practice, with requirements such as the Quality System Regulation, is still unclear.
  • While providing some insight into the proposed framework for health IT, the draft Report proposals are rather high level and further detail may not be available until after the comment period closes and a final version of the report is issued. For example, it remains unclear exactly what quality management principles would be required of health management products. While the draft Report raises several questions about the application of such principles, the final recommendations could take a number of different forms, with varying degrees of impact on the business of companies operating in that space.
  • The draft Report provides a number of examples of functionalities that would fall into the various categories, but no concise definitions are provided for any of the categories. While some of the categorization is clear, a definition would greatly improve the ability to navigate any future uncertainty as technology continues to evolve.
  • It is unclear whether there would be a mechanism for seeking clarification on the appropriate classification of a product under the proposed framework. While the categorization of certain products may be clear, others may fall into a potential gray zone between health management and medical device functionality. Hopefully the final report will provide further clarification on this point, but in the event that any uncertainty remains, it may be helpful if some mechanism were available for companies to seek clarification.

The Agencies are planning a three-day public meeting to address the issues raised in the draft Report. The meeting is anticipated within 90 days and is reportedly scheduled for May 13 through 15 of this year. To facilitate public comment on the draft Report, a docket has been opened and comments will be accepted through July 7, 2014.