On April 3, 2014, the U.S. Food and Drug Administration, in conjunction with the Office of the National Coordinator for Health Information Technology and the Federal Communications Commission, issued a draft report that describes the agencies’ “proposed strategy and recommendations on an appropriate, risk-based regulatory framework” for health information technology.  In this On the Subject, we provide a brief overview of the draft report and discuss its implications.

Health information technology (health IT) describes a broad array of tools that enable the transmission, receipt, storage and/or analysis of health information.  If designed, developed, implemented, used and maintained appropriately, health IT promises to facilitate the coordination of medical care, reduce health care costs and improve patient outcomes.  If implemented without sufficient safeguards, however, health IT may expose patients to risk.

The U.S. Food and Drug Administration (FDA) has long expressed an interest in—and, to a certain extent, actually regulated—health IT.  The Federal Food, Drug and Cosmetic Act gives the FDA the authority to regulate medical devices (i.e., “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article” that is “intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease…”), which could potentially allow the FDA to assert jurisdiction over most, if not virtually all, types of health IT.  In statements during the past year, the FDA’s Center for Devices and Radiological Health (CDRH) has generally expressed a plan to apply a risk-based approach that would focus the agency’s regulatory oversight on higher risk health IT products.  The extent to which the agency will ultimately assert its jurisdiction over health IT, however, remains unclear. 

In response to concerns regarding the potential extent of FDA’s jurisdiction over health IT, members of Congress have proposed legislation (e.g., the SOFTWARE Act and the PROTECT Act) that would eliminate the FDA’s jurisdiction over health IT products determined within the legislation to be low risk.  The extent to which such legislation may be considered or approved by Congress is unclear at this time.

In the meantime, the Food and Drug Administration Safety and Innovation Act included a provision that requires the FDA, in conjunction with the Office of the National Coordinator for Health Information Technology (ONC) and the Federal Communications Commission (FCC), to issue a report that describes the agencies’ “proposed strategy and recommendations on an appropriate, risk-based regulatory framework” for health IT. The agencies issued a draft of the report on April 3, 2014.

The draft report is unremarkable because it largely reiterates previous agency statements (e.g., last year’s FDA guidance on mobile medical applications). The report does, however, confirm that the FDA intends to take a reasoned, risk-based approach to the regulation of health IT.  Key recommendations from the report include:

  • FDA should take a “limited, narrowly-tailored approach” to the regulation of health IT.  The report proposes the creation of three health IT categories based on product functionality and potential risk:
    • FDA intends to focus its regulatory oversight on health IT with “medical device” functionality (e.g., computer-aided detection/diagnostic software, radiation treatment planning, robotic surgical planning and control software)
    • In contrast, health IT with “health management” functionality (e.g., health information and data management, data capture and encounter documentation, electronic access to clinical results, medication management, provider order entry, and most clinical decision support software) will not be the focus of regulatory oversight because the risks associated with such products are “generally low compared to the potential benefits”
    • No additional oversight is planned for health IT with “administrative” functionality (e.g., software intended to facilitate admissions, billing and claims processing, scheduling, general purpose communication or determination of health benefit eligibility) because it generally poses “limited or no risk to patient safety”
  • ONC-coordinated activities and private-sector capabilities should form the basis of health IT oversight.  The use of existing standards, best practices, certification and accreditation programs and industry-led testing, the development of quality standards and the selective use of tools such as voluntary listing, reporting and training will support both innovation and patient safety.
  • The agencies should create a public-private entity, the Health IT Safety Center, to coordinate health IT oversight.  The Health IT Safety Center would serve as a trusted convener of health IT stakeholders, with the ultimate goal of “assisting in the creation of a sustainable, integrated health IT learning system that avoids regulatory duplication and leverages and complements existing and ongoing efforts.”

The agencies intend to hold a public meeting on this subject in May 2014, and will accept comments on the draft report until July 7, 2014.


The draft report is encouraging for the medical industry in that it confirms the FDA’s plan to take a product-specific, risk-based approach to the regulation of health IT.  Health IT manufacturers and investors may be disappointed, however, by the report’s reiteration of previous agency statements and lack of specific, substantive details regarding future regulatory oversight.  Several critical questions remain unanswered, including:

  • What characteristics of clinical decision support software are likely to trigger regulatory oversight?
  • To what extent will items that combine multiple types of functionality (e.g., health management/medical device) be subject to regulatory oversight?
  • To what extent will electronic health records be subject to regulatory oversight?
  • To what extent will ONC activities impact overall health IT regulation?

For now, interested entities should consider submitting comments regarding the draft report and participating in the upcoming public meeting.  After the draft report is finalized, the FDA is expected to begin issuing substantive guidance, including guidance specific to clinical decision support software; therefore, interested entities should monitor communications from FDA.  Finally, in light of ongoing congressional interest in this issue, interested entities should stay apprised of legislative activity that, if enacted, would change the FDA’s authority to regulate health IT.