The long awaited FDASIA Health IT Report proposes a strategy for calibrating regulatory oversight to risk and clarifying the regulatory obligations of Health IT providers. On April 7, 2014, three agencies—the U.S. Food and Drug Administration (FDA), the Federal Communications Commission (FCC), and the U.S. Department of Health and Human Services (HHS) (the Agencies)—discharged their duty under Section 618 of the Food and Drug Administration Safety and Innovation Act (FDASIA) by adopting a report proposing a strategy and recommendations for a risk-based Health IT regulatory framework. For purposes of the FDASIA Report, Health IT includes a wide range of technologies used to maintain, access, and exchange health information, including mobile health applications.
The Agencies have different, but complementary, authority related to the promotion and oversight of health IT in the U.S. The FDASIA Report outlines how they intend to collaborate to give effect to a set of core principles governing Health IT: promoting innovation, protecting patient safety, and avoiding regulatory duplication.
The proposed strategy identifies three categories of health IT functions which are to be subject to an ascending level of regulatory oversight based on the increased potential health and safety risk posed by each class functions:
- Administrative functions. The report states that administrative health IT functions such as billing, claims processing, practice management, and inventory management pose limited or no risk to patient safety and do not need additional oversight.
- Health management functions. Health management functionalities such as health information and data exchange, data capture, medication management, and most clinical decision support software pose risks that are generally low compared to the potential benefits. FDA does not intend to focus regulatory oversight on health IT performing these functions, even if the technology in question meets the definition of a medical device, provided new, non-regulatory mechanisms to ensure patient safety proposed in the report (and discussed below) are put in place and function as planned.
- Medical device functions. FDA will continue to focus on Health IT performing medical device functions because these products generally pose the greatest risk to patient safety. FDA oversight is necessary to assure the safety and effectiveness of these products.
The report also proposes the creation of a Health IT Safety Center, which would be a public-private entity created by HHS in collaboration with FDA, FCC, and the Agency for Healthcare Research and Quality (AHQR). The report envisions that by working with industry, including on standard setting, the Health IT Safety Center could avoid the need for FDA regulatory oversight of low risk health IT functions, such as health management functions.
Finally, the FDASIA Health IT Working Group recommended that FDA provide greater clarity regarding the health IT regulatory environment by more clearly delineating how particular aspects of its medical device regulation apply to health IT, including:
- The distinction between wellness and disease related claims;
- Medical device accessories;
- Medical device clinical decision support software;
- Medical device software modules; and
- Mobile medical apps.
The Agencies are soliciting public comment on whether the areas of focus as outlined in the report are appropriate, and propose to hold a public meeting within 90 days of publication to further engage stakeholders. Both activities are oriented to gathering a record to assist the Agencies in implementing a final regulatory framework for health IT.