Three federal regulators have released a long-awaited report proposing the framework for regulation of health information technology ("Health IT").  The U.S. Food and Drug Administration ("FDA"), the Office of the National Coordinator for Health Information Technology ("ONC") and the Federal Communications Commission ("FCC") are accepting comments on their proposed risk-based regulatory framework until July 7, 2014.

Hall Render is working with interested parties to advocate for sensible oversight of Health IT that both encourages innovation and protects the interests of Health IT users and the patients they serve.  If you are interested in joining us in developing and submitting comments to the agencies, contact information is provided at the end of this article.


For several years, there has been a debate about what kinds of Health IT should be regulated, how Health IT should be regulated and which federal agencies should do the regulating.  Concerned with the potential for excessive and duplicative regulations to interfere with innovation, in 2012 Congress passed the Food and Drug Administration Safety and Innovation Act ("FDASIA"), which required the FDA, the ONC and the FCC to work together to answer these questions and develop a cohesive approach toward Health IT.

Although both the FDA and the FTC released guidance documents in 2013 addressing various aspects of mobile medical applications, neither agency's guidance provided insight into how medium-risk Health IT and innovative new types of Health IT will be regulated.  For example, by failing to describe its regulatory approach to clinical decision support software ("CDS") and saying that it will exercise enforcement discretion over an undefined class of mobile medical applications that technically meet the definition of a medical device, the FDA in particular has previously done little to clarify the reach of its regulatory oversight.

New Report - Oversight Should Be Based on Risk

On April 3, 2014, the FDA, the FCC and the ONC released their final Health IT Report, entitled Proposed Strategy and Recommendations for a Risk-Based Framework. According to the report, the degree of oversight for Health IT should be based on the risk presented by a product's functionality, which for regulatory framework purposes was delineated by the agencies into three categories: Administrative, Health Management and Medical Device.

According to the agencies, Health IT with Administrative Functionality presents limited or no risk to patient safety.  Therefore, none of the agencies intend to exercise oversight on these products beyond that which is already in place.  Examples of Health IT with Administrative Functionality include software that facilitates admissions, billing and claims processing, practice and inventory management, scheduling, general purpose communications, analysis of historical claims data to predict future utilization or cost-effectiveness, determination of insurance eligibility, population health management and reporting of communicable diseases and quality measures.

Conversely, Health IT with Medical Device Functionality has the potential to pose greater risk to patients if it does not perform as intended.  Because these products present higher risks, and generally have already been subject to active oversight by the FDA, the FDA will remain the primary regulator of these products, although the ONC and the FCC may have complementary roles in areas such as interoperable data exchange between a medical device and an electronic health record and the use of wireless spectrum for wireless medical devices.  Examples of Health IT with Medical Device Functionality include computer-aided diagnostics and detection software, remote display or real-time alarms from bedside monitors and robotic surgery planning and control tools.

The category Health IT with Health Management Functionality contains applications that are typically medium-risk.  Most confusion and debate about the proper regulation of Health IT has pertained to these applications, and for this reason these applications are the primary focus of the framework described in the report.  The agencies conclude that these applications generally have low levels of risk, at least compared to the benefits they present.  Because of this risk profile, the ONC will take the lead on oversight of these applications.  The FDA intends to defer to the ONC and not enforce its regulatory oversight functions, even if a product in this category meets the technical definition of a medical device.

Examples of Health IT with Health Management Functionality include health information and data exchange and management, data capture and encounter documentation, electronic access to clinical results, medication management, electronic communication and coordination among providers and patients, provider order entry, knowledge (clinical evidence) management and patient identification and matching.  Importantly, this category also includes most CDS, which for the purposes of the report is defined as a functionality that provides health care providers and patients with knowledge and person-specific information, intelligently filtered or presented at appropriate times, to enhance health and health care and specifically includes:

  • Evidence-based clinician order sets tailored for a particular condition, disease or clinician preference;
  • Drug-drug interaction and drug-allergy contraindication alerts to avert adverse drug events;
  • Most drug dosing calculations;
  • Drug formulary guidelines;
  • Reminders for preventative care (e.g., mammography, colonoscopy, immunizations, etc.);
  • Facilitation of access to treatment guidelines and other reference material that can provide information relevant to particular patients;
  • Calculation of prediction rules and severity of illness assessments (e.g., APACHE score, AHRQ Pneumonia Severity Index, Charlson Index, etc.);
  • Duplicate testing alerts; and
  • Suggestions for possible diagnoses based on patient-specific information retrieved from a patient's EHR.

For these types of products, the agencies identify four key priority areas for a risk-based framework and outline potential next steps for each, including the use of quality management principles, use of standards, conformity assessment, and continual improvement and monitoring.  In addition to these four key priority areas, the agencies propose the creation of a Health IT Safety Center. This public-private entity would be run by the ONC, in collaboration with the FDA, the FCC, the Agency for Healthcare Research and Quality ("AHRQ") and other federal agencies and Health IT stakeholders.  The entity would be charged with promoting patient safety, as well as assisting in the creation of a sustainable, integrated Health IT learning system that avoids regulatory duplication and leverages and complements existing and ongoing efforts.  As early as next year, the Health IT Safety Center, which was included in the president's 2015 budget proposal, is expected to start data collection and analysis of Health IT-related adverse events, including those tied to the use of electronic health records.

The agencies acknowledge that it may not always be easy to determine when a Health IT application with Health Management Functionality contains sufficient medical device functions to trigger the FDA's oversight.  The agencies have specifically charged the FDA with clarifying its intentions in this regard, particularly as it pertains to CDS software, the distinction between wellness and disease-related medical device claims, medical device accessories, medical device software modules and mobile medical applications.  Click here to read a companion article on the challenges that the FDA is currently facing in providing this clarity.

Practical Takeaways

The Health IT Report provides few concrete suggestions, but it does for the first time describe what a multi-agency framework for Health IT oversight could look like.  Although the Report proposes conformity assessments and compliance with standards as the basis for the framework, the agencies have not specified whether these should be required for higher-risk products or whether all such best practices will be voluntary only.  To the extent the FDA intends to exercise enforcement discretion or otherwise defer to the ONC, the report fails to describe how developers and users of Health IT may obtain assurances that their products of interest are not subject to the FDA's intended oversight.  The agencies do recommend that health care professionals report more malfunctions of and adverse events involving Health IT so that all users are better able to distinguish high-quality products and organizations from those that fail to meet basic performance standards or requirements.

The agencies are seeking input on the value and role of such quality, standards and conformity assessment tools throughout the different stages of the Health IT product lifecycle.  Click here to view our summary of the questions on which the agencies are seeking comment and details on how to submit comments.