As hospitals become increasingly technologically savvy, they are looking to do more and more with their electronic health record systems. What many hospitals do not realize is that some of the functionality they are seeking crosses the line and renders the technology an FDA-regulated product. Hospitals therefore need to identify when that line is being crossed and review at the earliest stages how to minimize the regulatory burdens associated with becoming a regulated product.
Increasingly, hospitals are investing in in-house developed software and other digital health technologies. Some, for example, are seeking to capitalize on the vast amounts of patient data that reside in their electronic health record (EHR) systems by using software to analyze these data and develop predictive clinical algorithms. Others are branching into the development of in-house telemedicine systems and clinical decision support software. In recent years, FDA has issued a number of guidance documents to clarify its regulatory policy for various types of digital health software and systems. As hospitals become more involved in the development of these types of technologies, they will need to understand whether their activities or products would be subject to FDA regulation.
Is My Digital Health Technology Subject to FDA Regulation?
FDA has long held the position that health IT and other digital health technologies are subject to its medical device regulatory requirements if such products are intended for a medical purpose. In recent years, however, FDA has recognized the importance of innovation in this space and has taken steps to limit its oversight of low-risk digital health technologies. For example, the following types of digital health products are generally not actively regulated:
- Software and systems that perform administrative functions (e.g., billing, claims processing, practice and inventory management, and scheduling)
- Software and systems intended for health management (e.g., health information and data management, data capture and encounter documentation, electronic access to clinical results, medication management, electronic communication and coordination, provider order entry, knowledge management, and patient identification and management)
- Products and systems intended to facilitate communications between patients and healthcare providers
- Software and systems intended for use solely in the display, transfer, storage, or communication of medical device data or medical image data (e.g., X-ray or MRI images)
However, digital health technologies with the following uses may be FDA regulated:
- Systems intended for active patient monitoring or for use with patient monitoring devices (e.g., ECG, nurse call, or fetal monitoring devices)
- Systems that analyze, enhance, or modify medical image data (e.g., computer-aided detection software or PACS systems)
- Software intended for complex, patient-specific analyses to support clinical decision-making (e.g., radiation treatment planning software, ECG analytical software, and software for analyzing dermatological images)
- Software or systems that control or alter the functions of a medical device
What FDA Requirements Apply to My Digital Health Product?
If a hospital determines that its digital health product is subject to active FDA regulation, it will need to assess which requirements apply. The regulatory requirements will vary depending on the classification of the device. FDA classifies medical devices into one of three classification levels based on risk, with Class I representing the lowest level of risk and Class III representing the highest risk devices. All medical devices (Class I, II, and III) must comply with FDA’s “general controls” for devices, which includes registration and listing for device manufacturing, design, and importation facilities; good manufacturing practices; device labeling requirements; and reporting of certain adverse events, device malfunctions, and product recalls.
In addition, devices classified as Class II or III require premarket review by FDA. Class III devices require a premarket approval application (PMA), which is the most burdensome type of premarket submission for medical devices and has the longest review time. Class II devices generally require a 510(k) premarket notification, which is much less burdensome and has a shorter review time than a PMA.
Many digital health products, however, represent novel technologies that have not yet been classified by FDA. In such cases, applicants may be able to convince FDA that a lower level of review is acceptable if the applicant is able to provide appropriate risk/benefit data to support that the lower review level will not adversely affect safety or effectiveness. For instance, questions on the transparency of clinical software algorithms often arise that may be a key factor for device classification. Planning ahead to discuss such issues with FDA may result in significant saving in costs and time associated with product development.
What Other Requirements May Apply?
A hospital that goes beyond simply developing a regulated digital health product and begins marketing it as well will need to comply with other legal and regulatory requirements that apply to devices. These include, for example, state regulatory requirements, the federal Sunshine Act, privacy and security requirements, and FCC oversight.
Given the costs associated with each of these regulatory hurdles and that some of these burdens can be minimized with proper planning, hospitals should evaluate these potential obligations at the earliest stages of development for a new software product or other digital health technology.