The Food and Drug Administration Safety and Innovation Act (“FDASIA”), signed into law in July 2012, requires the Secretary of Health and Human Services (“HHS”) to “post a report—within 18 months (or by January 2014)—that contains a proposed strategy and recommendations on a risk-based regulatory framework pertaining to health IT, including mobile applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.” FDASIA § 618. The three entities tasked with developing this report are the Food and Drug Administration (“FDA”), Office of the National Coordinator for Health Information Technology (“ONC”), and the Federal Communications Commission (“FCC”). As required by FDASIA, a workgroup was formed to assist those entities in making recommendations with respect to the risk-based regulatory framework.
At the workgroup’s most recent meeting on September 4, 2013, its draft recommendations were accepted by the Health IT Policy Committee, which will pass on the information to FDA, ONC, and FCC for further action. The report of the workgroup recognizes that while there are risks associated with the failure to adequately regulate certain types of health IT, there would also be negative impacts to regulating it too extensively. The task of the workgroup, and FDA, ONC, and FCC, is to find a way to strike an appropriate balance.
The workgroup has stated that health IT must be assigned to one of two categories: “subject to risk-based regulatory framework” or “not subject to risk-based regulatory framework.” The methods for determining how to assign products to one group or another are not clear. While the workgroup has made progress in this area, there are still no bright-line rules for determining whether a health IT product should or should not be regulated.
The workgroup recommendations are clear that functionality of the product is a key feature in helping to determine whether a product should be subject to regulation. One note with respect to regulation: while ONC and FCC can and do impose certain regulatory requirements on varying types of health IT products, when discussing a “risk-based regulatory framework” we assume that the primary regulator is FDA, since the burdens associated with FDA regulation undoubtedly outweigh those of the other two entities combined.
The workgroup describes a number of factors to consider in determining the appropriate level of regulation, including the complexity of the software; intended users; purpose of the software; severity of potential injury from either appropriate or inappropriate use; likelihood of a risky situation arising; transparency of the software operation, data, and knowledge content sources; and the ability to mitigate a harmful condition. These factors seem to present a reasonable basis for assessing the level of regulation appropriate to a particular health IT product, and indicate that each product or narrow class of product must be assessed individually to determine the appropriate regulatory framework. These considerations show that even all products that fit into an overarching product type (e.g., clinical decision support software) should not be regulated the same way.
Perhaps most helpful, the workgroup includes specific recommendations for FDA, ONC, and FCC to consider in developing its risk-based approach. Of particular interest is the recommendation that health IT should generally not be subject to FDA premarket requirements, with a few exceptions: medical device accessories, high-risk clinical decision support, and higher risk software use cases. The recommendations ask that FDA clearly define accessories and high-risk clinical decision support, a task that, while important, may not be accomplished in a reasonable timeframe, given the difficulty of defining those categories of products. The recommendations also include a suggestion to develop post-market surveillance of health IT, which is consistent with FDA’s stated intent to improve its post-market device surveillance generally.
The workgroup recommendations appear to present a reasonable framework for FDA in assessing whether and which health IT products should be subject to what level of regulation. The question is now whether and how the agency will adopt those suggestions, and in what period of time. Even though a report is due to Congress by January of 2014, it will certainly take longer for FDA to develop and implement a workable approach to health IT regulation.