On December 8, 2017, the U.S. Food and Drug Administration (“FDA”) issued draft guidance titled “Clinical and Patient Decision Support Software” (“CDS Guidance”). According to FDA Commissioner Scott Gottlieb, M.D., the CDS Guidance is intended to clarify the types of clinical decision support software (“CDS”) that would no longer be defined as a medical device and, therefore, would not be regulated by the FDA.

Stakeholders in the digital health industry have long awaited clarification of the scope of the FDA’s regulatory oversight of CDS, specifically the differentiation between low-risk and high-risk CDS. The FDA had first announced its plan to develop guidance for CDS in 2011. Unfortunately, stakeholders seeking clarity may have to wait longer.

CDS Guidance Does Not Incorporate a Risk Framework

In 2014, the FDA was actively engaged with the International Medical Device Regulators Forum (“IMDRF”) in developing a risk framework, which can be summarized into two factors that drive risk:

  1. Significance of the information provided by the Software as a Medical Device (“SaMD”) to the health care decision—i.e., is the information critical to the decision-making, or more peripheral?
  2. State of the health care situation or condition—i.e., could the patient die, and how urgent is the condition?

Unfortunately, the FDA does not incorporate the IMDRF risk framework into the CDS Guidance. Rather, the FDA appears to merely restate the 21st Century Cures Act (“Cures Act”) framework that exempts software if a physician user can independently review the basis for the recommendation. The CDS Guidance suggests that software that does not provide a reasonable basis for reviewing a recommendation will always be regulated regardless of risk. For example, software that utilizes a complex machine learning algorithm to determine which patients have the common cold will be regulated because a physician is unable to mentally duplicate the algorithm.

The CDS Guidance does not answer basic questions when applied to current and future forms of CDS, which is and will be based on machine learning and other forms of complex algorithms that add to the knowledge of physicians. Unless the FDA intends to regulate all such software regardless of risk, the CDS Guidance does little to elaborate on the analysis used to differentiate the types of CDS to be regulated by the agency.

CDS Guidance Does Not Clearly Differentiate Between Regulated and Unregulated CDS

The CDS Guidance provides several examples of unregulated and regulated CDS; however, no explanation is given as to why a particular example triggers regulation or not. Most of the examples of unregulated software appear to make recommendations based on information that is already available to the user. Most of the examples of CDS and other software functions to be regulated as medical devices appear to utilize computer-based algorithms that analyze, manipulate, and/or extrapolate signals generated from medical devices.

Although the section on patient decision support software (“PDS”) states that the FDA intends to exempt certain software, the test largely relies on whether patients can understand the basis for the software. Considering that technological sophistication will vary across the patient population, this is not a clear standard. This would most likely set a very high bar for PDS and therefore subject most PDS to FDA regulation.


The draft CDS Guidance elaborates little more than what the Cures Act already set forth. This would leave an industry segment that is advancing at a rapid pace with much ambiguity as to the rules of the road. CDS producers and their investors, as well as consumer/patient advocates, may wish to press the FDA to make the final guidance much crisper. The public has until February 6, 2018, to comment.