On April 3, 2014, the U.S. Food and Drug Administration (“FDA”), the Office of the National Coordinator for Health Information Technology (“ONC”) and the Federal Communications Commission (“FCC”) released their long-awaited final report on health information technology (“Health IT”), entitled Proposed Strategy and Recommendations for a Risk-Based Framework. According to the report, the degree of oversight for Health IT should be based on the risk presented by a product’s functionality, which for regulatory framework purposes was delineated by the agencies into three categories: Administrative, Health Management and Medical Device.

The category of Health IT with Health Management functionality typically includes software applications of medium risk.  Most confusion and debate about the proper regulation of Health IT has pertained to these applications, and for this reason such applications are the primary focus of the report’s proposed framework.  The agencies conclude that these applications generally have low levels of risk compared to the benefits they present.  Because of this risk profile, the ONC will take lead on oversight of these applications.  The FDA intends to defer to the ONC and not enforce its regulatory oversight functions, even if a product in this category meets the technical definition of a medical device.

Yet the agencies acknowledge that it may not always be easy to determine when Health IT with Health Management Functionality contains sufficient medical device functions to trigger the FDA’s oversight.  Therefore, the agencies have tasked the FDA with clarifying its intentions, particularly as they pertain to clinical decision support software (“CDS”) software, the distinction between wellness and disease-related medical device claims, medical device accessories, medical device software modules and mobile medical applications.

FDA Challenges

The FDA appears to be struggling to define the boundaries of its regulatory oversight as it pertains to medium-risk Health IT applications.  By announcing it will exhibit enforcement discretion towards medical devices that qualify as Health IT with Health Management functionality and therefore fall under ONC’s oversight, the FDA is taking a similar approach to that described for medium-risk mobile software products in its September 2013 final guidance document on the regulation of Mobile Medical Applications.

Unfortunately, in saying that it will exhibit enforcement discretion, the FDA creates a great deal of uncertainty for stakeholders.  Product developers are unsure of the full extent of rules that may apply to their operations. Investors in new products are unsure whether the FDA will ultimately slow or stop a product’s market strategy, or even control the company’s marketing and advertising statements.  Health care institutional and professional users are left with less clarity as to their FDA-related obligations, including adverse event reporting, their rights when developers recall products and their affirmative arguments in malpractice and other liability matters where the standard of care may involve a question of whether a particular software product was adequately tested and accepted within the medical community.  No one will be quite sure if and how the Medical Device Excise Tax will apply and whether failure to collect and pay the tax on software that may or may not qualify as a medical device will incur the ire of the Internal Revenue Service.

Additionally, as a recent Class I recall of McKesson Technologies’ anesthesia system indicates, the FDA may not be willing to hand over most of its Health IT and CDS oversight to ONC, at least when patient safety issues arise.  Even though McKesson’s software is clearly of the type that would fall within the FDASIA report’s medical device functionality category, according to the FDA’s risk classification process the software was only of moderate risk.  Yet the FDA imposed a Class I recall designation, which is reserved for only the most serious of potential risks.  It may be that the FDA intends to give developers of medium-risk Health IT software freedom from pre-market and quality systems requirements and only intervene when a non-theoretical risk to patients arises. However, a framework for after-the-fact intervention does not provide the necessary before-the-fact clarity that Health IT developers and users require to promote investments, innovation and patient safety.

The FDA is unlikely to provide clarity any time soon.  Jeffrey Shuren, M.D. and director of the FDA’s Center for Devices and Radiological Health, said at a press conference on the FDASIA report that the agency must wait until after a public meeting, and perhaps even after the close of public comments, before it provides additional clarification.  In its Fiscal Year 2014 plan for the development of guidance documents, the FDA listed a CDS guidance document as a non-priority item, which means the agency will only work on the document if it has time. As of the date of this article, the FDA barely fulfilled the more simple promise it made pursuant to its Mobile Medical Applications guidance to post to its website additional theoretical examples of the types of mobile applications for which it would exhibit enforcement discretion—the FDA finally, posted three new examples in March.

For these reasons, Congress may not be willing to wait for FDA to chart its own course.  Both House and Senate lawmakers have introduced legislation intended to clarify FDA’s authority over Health IT.  The Senate’s “Preventing Regulatory Overreach To Enhance Care Technology” (PROTECT) Act would shift clinical software oversight to the National Institute of Standards and Technology. On the House side, the “Sensible Oversight for Technology which Advances Regulatory Efficiency” (SOFTWARE) Act would exempt clinical and health software from FDA regulation.  Senator Deb Fischer (R-Neb.), co-sponsor of the PROTECT Act bill, issued a written statement taking issue with the FDA’s part in the proposed FDASIA strategy. “Instead of providing a concrete framework that supports innovation and safety, the report’s approach maintains the status quo under which the FDA retains unlimited discretion over regulation of low-risk health IT, including mobile wellness apps, scheduling software, and electronic health records,” Fischer wrote.

Soliciting Comments

The FDA, the ONC and FCC are accepting comments from the public on their proposed framework for Health IT oversight until July 7, 2014. Click here to read our companion article summarizing the questions on which the agencies are seeking comment and details on how to submit comments.