New legislation includes a broad regulatory exemption for medical software.

On December 7, the US Senate passed the 21st Century Cures Act and sent it to President Barack Obama, who has promised to sign it. This new legislation includes provisions that will affect how and whether certain health-related software products are regulated by the US Food and Drug Administration (FDA). The law codifies many current FDA policies that exempt certain low-risk software from active regulation (e.g., administrative support software, software intended to promote a healthy lifestyle, and medical device data systems). The new law also would exempt certain clinical decision support software, unless FDA finds that such software would be “reasonably likely to have serious adverse health consequences.” In addition, the law includes a new standard for classifying device accessories.

These new provisions will affect not only newly developed technologies but also many currently existing digital health products and device accessories. For example, it is unclear how FDA will handle any software products that were previously cleared or approved by FDA and may now be subject to an exemption. It is also unclear how the new device accessory standard will affect currently marketed accessories that FDA has historically regulated based on the classification of the parent device.

Broad Exemption for Clinical Decision Support and Other Software

The new legislation exempts from FDA regulation certain medical-related software, including software used for administrative support functions at a healthcare facility, software intended for maintaining or encouraging a healthy lifestyle, and electronic health record (EHR) software. The exemption also includes software for transferring, storing, converting formats, or displaying clinical lab test data and results (currently regulated as Class I laboratory information systems or LIS) or other medical device data (often referred to as medical device data systems or MDDS[1]).

In addition, the exemption covers clinical decision support (CDS) software with the following functions:

  • Displaying, analyzing, or printing medical information;
  • Supporting or providing recommendations to a healthcare professional about prevention, diagnosis, or treatment of a disease or condition; and
  • Enabling the healthcare professional to independently review the basis for such recommendations.

Although current FDA policies already exempt many of the above software categories from active FDA regulation,[2] the new law would codify these enforcement discretion policies, providing additional certainty for industry. We note, however, that the scope of the exemption in the 21st Century Cures Act is not co-extensive with FDA’s various enforcement discretion policies; thus, these enforcement discretion policies will continue to be relevant for digital health developers.

In addition, guidance from FDA will be needed to clarify the scope of the CDS exemption (e.g., what level of software functionality or transparency is sufficient to qualify as enabling a healthcare professional to review the basis of the CDS recommendations?). FDA guidance also will be needed to address CDS software outside the scope of this legislation, such as software intended for direct-to-consumer use and software that analyzes medical images or signals from in vitro diagnostic (IVD) devices.

Exemption Limitations

There are some limitations on the above exemptions. Specifically, the new law provides that software with EHR, LIS, MDDS, and CDS functions will be subject to FDA’s medical device oversight if FDA finds that such software would be “reasonably likely to have serious adverse health consequences” and FDA issues a final order to that effect in the Federal Register. In evaluating whether these software functions may have serious adverse health consequences, the law provides the following factors for FDA to consider:

  • The likelihood and severity of patient harm if the software were to not perform as intended
  • The extent to which the software function is intended to support the clinical judgment of a healthcare professional
  • Whether there is a reasonable opportunity for a healthcare professional to review the basis of the information or treatment recommendation provided by the software function
  • The intended user and user environment

This puts the burden on FDA to show that EHR, LIS, MDDS, and CDS software are “reasonably likely to have serious adverse health consequences” and also requires FDA to go through notice-and-comment procedures to issue a final order in the Federal Register before FDA can regulate a specific software function in this space.

Certain software functions are also explicitly excluded from the exemption, including software intended to acquire, process, or analyze a medical image or signal from an IVD device or a pattern or signal from a signal acquisition system and software used in the manufacture and transfusion of blood and blood components.

Biennial Reports

The legislation requires the US Department of Health and Human Services (HHS) to publish a report within two years after enactment and every two years thereafter that examines the available information on any risks or benefits associated with the software functions covered by the exemption and summarizes its findings on the effect of such software functions on patient safety. HSS is required to include input from stakeholders with relevant expertise, such as patient representatives, healthcare providers, start-up companies, health plans, IT vendors, and venture capital investors.

Device Accessories

The 21st Century Cures Act also includes provisions related to device accessories, stating that accessories shall be classified based on the accessory’s intended use, notwithstanding the classification of the parent device. Currently, device accessories take on the parent device’s classification by default, unless FDA separately classifies the accessory. FDA has not formally classified many device accessories; thus, the vast majority are classified at the same level as the parent device. The new legislation will put the burden on FDA to separately classify more device accessories. However, FDA may shift this burden to industry, requiring accessory manufacturers to submit de novo classification petitions prior to marketing, as suggested in its 2015 draft guidance document.