On April 3, 2014, the Food and Drug Administration (FDA) released the FDASIA Health IT Report (Report). This Report fulfills Section 618 of the Food and Drug Administration Safety and Innovation Act (FDASIA), Public Law 112-144, which requires that the FDA, in consultation with the Office of the National Coordinator for Health Information Technology (ONC) and the Federal Communications Commission (FCC) (collectively, the Agencies), develop and post a report providing a strategy and recommendations for a regulatory framework for health information technology (health IT).
The Report has been long-awaited by health IT stakeholders and federal legislators. Notably, the Report does not provide any new or additional areas of FDA oversight but rather prefaces a “limited, narrowly-tailored approach that primarily relies on ONC-coordinated activities and private sector capabilities.” The Report is consistent with FDA’s guidance on mobile medical applications, which was published last September.
The goal of the Report is to clarify how health IT will be regulated in a manner that will “promote innovation, protect patient safety, and avoid regulatory duplication.” It was produced by the Agencies and responded in part to the recommendations and findings of a committee composed of the Agencies’ staff and external stakeholders. The consensus of the committee was that there is a necessity for clarification of the Agencies’ oversight authority, some sort of system for industry surveillance and accountability, and continued collaboration between industry and government.
In addition to the clarification of regulatory oversight (described below), the Report introduces the creation of a Health IT Safety Center (Center). The Center will be created by ONC in collaboration with the FDA, FCC, and the Agency for Healthcare Research and Quality, and will convene stakeholders to promote health IT and create a sustainable health IT governance system. A central role of the Center will be to collect reports of serious health IT-related safety events from vendors, health IT developers, health care providers and health care organizations, and to analyze and aggregate safety information from these reports and disseminate findings.
Health IT Categories and Regulatory Framework Recommendations
The Agencies assess health IT based on functionality, rather than platform (e.g., mobile, cloud-based, operating system), breaking it down into: (1) administrative health IT functions; (2) health management health IT functions; and (3) medical device health IT functions.
There will be no additional oversight of “administrative” health IT functions, as these functions pose limited risk to patient safety, if any. These functions include, but are not limited to, software to facilitate admissions, billing and claims processing, practice and inventory management, scheduling, general purpose communications, analysis of historical claims data to predict future utilization or cost-effectiveness, determination of health benefit eligibility, population health management, reporting of communicable diseases to public health agencies, and reporting on quality measures.
The FDA does not intend to focus oversight on “health management” health IT functions, as the risks to patient safety are generally low compared to the benefits of these functions. These functions include, but are not limited to: health information and data management; data capture and encounter documentation; electronic access to clinical results; most clinical decision support technology; medication management; electronic communication and coordination; provider order entry; knowledge management; and patient identification and matching. Importantly, the Report states that health management health IT will not be subject to FDA oversight, even if it technically otherwise meets the definition of a device.
FDA will continue oversight of “medical device” health IT functionality. These functions include, but are not limited to, computer aided detection/diagnostic software, radiation treatment planning, and robotic surgical planning and control software. This oversight remains limited to the medical device regulation that FDA has historically exercised; no additional FDA oversight is proposed in the Report.
The Report goes on to provide four recommendations for a risk-based framework for health IT, focused largely on health management health IT. This framework is not binding, does not create new requirements for industry, and does not create new rights for any person.
First, the Report recommends that companies establish quality management principles to ensure safe and effective products. The Report does not propose a centralized set of quality management principles but rather indicates that the Agencies will work with health IT stakeholders to identify the essential elements of a health IT quality framework. The Report highlights the need for flexibility in this framework given the broad spectrum of health management health IT products and services.
Second, the Report describes the necessity of developing industry standards and best practices. This should be accomplished through building on existing standards, with specific consideration of interoperability and information sharing; local implementation, customization and maintenance of health IT; and implementation of quality and risk management systems.
Third, the Report envisions industry leveraging voluntary conformity assessment tools—such as certification, accreditation, and product testing—to boost consumer confidence and provide transparency and accountability. At this time the Agencies are not proposing new or additional mandatory conformity assessments but rather are recommending that these tools should be used and applied in a risk-based manner. The Report recommends the further development of non-governmental, independent conformity assessment programs.
Finally, the Report highlights that the future of responsible health IT will require continual learning and improvement. At the center of this learning strategy is the Health IT Safety Center mentioned above.
As noted, the Report indicates that most clinical decision support technologies (CDS) will be considered “health management” health IT. The following types of CDS are listed as falling within the category of health management health IT and thereby outside of the focus of FDA regulatory oversight: evidence-based clinician order sets tailored for a particular condition, disease or clinician preference; drug-drug interaction and drug-allergy contraindication alerts to avert adverse drug events; most drug dosing calculations; drug formulary guidelines; reminders for preventative care; facilitation of access to treatment guidelines and other reference material that can provide information relevant to particular patients; calculation of prediction rules and severity of illness assessments; duplicate testing alerts; and suggestions for possible diagnoses based on patient-specific information retrieved from a patient’s electronic health record.
CDS technologies that are medical devices and are viewed as presenting higher risks, and therefore will remain regulated by the FDA, include: computer aided detection/diagnostic software; remote display or notification of real-time alarms from bedside monitors; radiation treatment planning; robotic surgical planning and control; and electrocardiography analytical software. The FDA is expected to issue further guidance clarifying the types of medical device clinical decision support that will be considered health management health IT versus those that are considered higher risk and will be the focus of FDA oversight.
The execution of this framework will depend on voluntary industry action and collaboration between the Agencies and stakeholders. Accordingly, the Agencies have asked for submission of public comments on the Report by July 7, 2014.
The Report has a “wait and see” character, which reflects the recent attitude of the FDA and many in the industry towards regulation of health IT. The Report may also have an impact on pending legislation. Congress has been holding off on legislation that would govern health IT until publication of this Report.
Pending legislation includes the bipartisan “Sensible Oversight for Technology which Advances Regulatory Efficiency” (SOFTWARE) Act, introduced in October 2013, which amends the Federal Food, Drug, and Cosmetic Act. The SOFTWARE Act limits the FDA’s authority and defines three classes of health-related software: “clinical software,” “health software,” and “medical software,” with only medical software subject to regulation. Also pending is the “Preventing Regulatory Overreach to Enhance Care Technology” (PROTECT) Act, which would similarly limit FDA’s regulatory authority over clinical and health software, but which would authorize the National Institute of Standards and Technology to oversee technical standards for clinical software.
One regulatory agency conspicuously absent from discussion in the Report is the Federal Trade Commission. The FTC has authority under Section 5 of the FTC Act to regulate unfair or deceptive acts or practices. The FTC has used this authority in the past to regulate the health claims of health product manufacturers. The FTC has shown a particular interest in the privacy and security of health IT, particularly health IT that falls outside of traditional regulation. The FTC will be holding a privacy workshop on “Consumer Generated and Controlled Health Data” on May 7, 2014.