Last week, the U.S. Food & Drug Administration (“FDA” or the “Agency”) issued a second discussion paper on the use of artificial intelligence (“AI”) and machine learning (“ML”) with respect to drug and biological products, this time focusing on the use of AI/ML in the drug and biologic development process, “Using Artificial Intelligence & Machine Learning in the Development of Drug & Biological Products” (“Second Discussion Paper”).[1] The Second Discussion Paper was issued by the Center for Drug Evaluation and Research (“CDER”), Center for Biologics Evaluation and Research (“CBER”), and Center for Devices and Radiological Health (“CDRH”), and from a scope perspective, the Second Discussion Paper discusses the use of AI/ML in drug and biologic development, as well as devices intended to be used in combination with drugs or biologics (including, but not limited to, combination products, companion devices, and complementary devices).

In the Second Discussion Paper and associated press release, FDA recognizes the significance of AI/ML in drug[2] development, citing the more than 100 drug and biological product applications—submitted in 2021 alone—that included AI/ML components, and the areas of drug development where AI/ML efforts are already active, including clinical trial design, use of digital health technologies (“DHTs”), and real-world data (“RWD”) analytics. The Second Discussion Paper does not endorse any specific approaches for the use of AI/ML in drug development, but rather seeks feedback from stakeholders that can help inform the Agency’s future regulatory activities.

This client alert provides a high-level overview of the Second Discussion Paper, as well as areas for potential engagement with the Agency on the use of AI/ML in drug development. Comments on the Second Discussion Paper must be submitted to FDA by August 9, 2023.

Current and Potential Uses of AI/ML in Drug Development

In the Second Discussion Paper, FDA highlights the many ways AI/ML is currently or could potentially be used in the drug development process, including:

  • Drug Discovery: FDA notes that early drug discovery is one of the areas in which sponsors have significant interest in utilizing AI/ML. In particular, FDA discusses the ways in which AI/ML has or can be used in the drug identification, selection, and prioritization process, as well as in the compound screening and design process.
  • Nonclinical Research: FDA discusses the ways in which AI/ML could be leveraged to support nonclinical research. FDA notes, for example, that a recurrent neural network, an ML algorithm, may be used to complement traditional pharmacokinetic / pharmacodynamic models in areas of highly complex data analysis.
  • Clinical Research: FDA observes that one of the “most significant applications of AI/ML” is in efforts to streamline and advance clinical research. For instance, FDA discusses AI/ML’s ability to analyze vast amounts of data and the potential to inform the design and efficiency of non-traditional trials, such as decentralized clinical trials. FDA specifically notes AI/ML’s use in a number of areas related to the conduct of clinical research, including recruitment, dose/dosing regimen optimization, adherence, retention, and site selection.
  • Clinical Trial Data Collection, Management, and Analysis, and Clinical Endpoint Assessment: FDA discusses the ways in which AI/ML could be used to collect, manage, and analyze clinical trial data, including the potential role of DHTs to enable the use of AI/ML in clinical trials, the use of AI/ML to enhance data integration and perform data quality assessments, and the use of AI/ML to analyze complex RWD or to build digital twins of patients to analyze how a patient may have progressed on a placebo versus an investigational treatment. FDA also notes the potential use of AI/ML to detect a possible safety signal, or to assess outcomes captured from diverse sources (e.g., DHTs, social media) during a clinical trial.
  • Postmarketing Safety Surveillance: FDA notes the ways in which post-approval pharmacovigilance can be supported by AI/ML, for instance by case processing (e.g., detecting information from source documents to help identify adverse events for individual case safety report (“ICSR”) submission), case evaluation (e.g., assessing the possibility of a causal relationship between the drug and the adverse event), and case submission (e.g., automating reporting rules for submission of ICSRs).
  • Advanced Pharmaceutical Manufacturing: As noted above, CDER previously issued a discussion paper in March 2023 focused on AI/ML in drug manufacturing. Now, in the Second Discussion Paper, FDA elaborates on the ways in which advanced analytics leveraging AI/ML has already been deployed or has potential to support pharmaceutical manufacturing efforts, including enhancing process controls, increasing equipment reliability, monitoring early warnings that a manufacturing process is not in a state of control, detecting recurring problems, and preventing batch losses. FDA specifically notes the potential for AI/ML, in concert with other advanced manufacturing technologies (such as process analytical technology (“PAT”) and continuous manufacturing) to enhance and modernize pharmaceutical manufacturing, and alleviate supply chain and shortage issues. FDA identifies four specific areas in which AI/ML could be applied throughout the entire product manufacturing lifecycle: (1) optimization of process design (e.g., use of digital twins in process design optimization); (2) advanced process control implementation; (3) smart monitoring and maintenance; and (4) trending activities (such as trending of deviations, root causes, and CAPA effectiveness).

Considerations for the Use of AI/ML in Drug Development and Opportunities for Engagement with FDA

FDA acknowledges the potential for AI/ML to accelerate the drug development process and make clinical trials safer and more efficient. The Second Discussion Paper also acknowledges the need for the Agency to assess whether the use of AI/ML in these contexts introduces unique risks and harms, including the potential for limited explainability due to the complexity or proprietary nature of an AI/ML system, questions about reliability, and the potential for bias.

Accordingly, FDA notes a focus on “developing standards for trustworthy AI that address specific characteristics in areas such as explainability, reliability, privacy, safety, security, and bias mitigation.” To help address these issues, FDA intends to consider the applicability of certain overarching standards and practices for the general application of AI/ML, and to seek feedback from stakeholders to help identify specific good practices with respect to AI/ML in the context of drug development.

Overarching Standards and Practices for the Use of AI/ML

FDA intends to explore the potential utility and applicability of overarching standards and practices for the use of AI/ML that are not specific to the drug development context. These include AI/ML principles outlined in federal executive orders, the AI Plan developed by the National Institute for Standards and Technology, and AI/ML standards established by standards organizations. The Second Discussion Paper also acknowledges the potential usefulness of the Agency’s frameworks for software as a medical device (“SaMD”), such as an April 2019 discussion paper that proposed a regulatory framework for modifications to AI-based SaMD, a January 2021 AI “Action Plan” for SaMD, and October 2021 guiding principles to inform the development of Good Machine Learning Practice for AI/ML-based medical devices. It seems likely that the Agency will leverage some principles from these sources in developing AI/ML standards for drug development and the development of devices intended to be used with drugs.

Opportunity for Engagement: Request for Feedback

Although the above-referenced, overarching standards may serve as a useful starting point, FDA seeks feedback from stakeholders that highlights additional or unique considerations for AI/ML deployed in the drug development context. Specifically, FDA solicits feedback on three key areas: (1) human-led governance, accountability, and transparency; (2) quality, reliability, and representativeness of data; and (3) model development, performance, monitoring, and validation. The Agency outlines specific questions within each of these areas in the Second Discussion Paper.

  • With respect to human-led governance, accountability, and transparency, FDA emphasizes the value of governance and accountability in developing trustworthy AI. The Agency seeks feedback about specific use cases in drug development that have the greatest need for regulatory clarity, what transparency means in the use of AI/ML in drug development, the barriers and facilitators of transparency in these contexts, and good practices for providing risk-based, meaningful human involvement.
  • With respect to quality, reliability, and representativeness of data, FDA acknowledges that ensuring “data quality, reliability, and that the data are fit for use (i.e., relevant for the specific intended use and population) can be critical,” and highlights data-related issues such as bias, completeness and accuracy of data, privacy and security, record trails, relevance, replicability, reproducibility, and representativeness. FDA solicits feedback on key practices utilized by stakeholders to help address these issues.
  • Finally, with respect to model development, performance, monitoring, and validation, FDA highlights the importance of evaluating AI/ML models over time to consider the model risk and credibility. For example, FDA acknowledges that there may be overall advantages to selecting a more traditional and parsimonious (i.e., fewer parameters) model over complex models where the models perform similarly. Additionally, the Second Discussion Paper states it may be important to examine corrective actions and real-world performance, conduct postmarket surveillance, verify the software code and calculations, and evaluate the applicability of validation assessments to the context of use. FDA solicits feedback on examples of tools, processes, approaches, and best practices being used by stakeholders to monitor and develop AI/ML models.

Submitting feedback on these questions is an important opportunity to help develop the standards that govern the use of AI/ML in drug development. The comment period closes on August 9, 2023.

Other Opportunities for Engagement

FDA also is coordinating a number of mechanisms for stakeholders to engage with the Agency on AI/ML in drug development, such as a workshop with stakeholders, public meetings, and further Critical Path Innovation, ISTAND Pilot Program, Emerging Technology Program, and Real-World Evidence Program meetings. FDA views these efforts and collaborations as providing “a foundation for a future framework or guidance.” Stakeholders should watch closely for these opportunities.

[1] For a summary and analysis of FDA’s first discussion paper, which focused on the use of AI in drug manufacturing, please see our prior blog post, “FDA Seeks Comments on Agency Actions to Advance Use of AI and Digital Health Technologies in Drug Development.” The first discussion paper, “Artificial Intelligence in Drug Manufacturing,” was issued by the Center for Drug Evaluation and Research (CDER), and is available at

[2] For purposes of the Second Discussion Paper, FDA states that all references to “drug” or “drugs” include both human drugs and biological products.

On March 15, 2023, the U.S. Food and Drug Administration (FDA or the Agency) issued a draft guidance entitled Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers (2023 Draft Guidance). The 2023 Draft Guidance revises the draft guidance for industry the Agency issued in June 2017 entitled Use of Electronic Records and Electronic Signatures in Clinical Investigations under 21 CFR Part 11—Questions and Answers (2017 Draft Guidance). If finalized, the 2023 Draft Guidance will also supersede the May 2007 FDA guidance for industry entitled Computerized Systems Used in Clinical Investigations.

At a high level, the 2023 Draft Guidance clarifies that 21 CFR part 11 (Part 11) applies to new information technology (IT) services that create, modify, maintain, archive, retrieve, or transmit electronic records.  It also imposes on sponsors the responsibility to ensure that the electronic records they submit through IT vendors conform to FDA’s regulatory requirements.  In addition, the 2023 Draft Guidance introduces recommendations for implementing time-stamped audit trails to verify data.

Compared to the 2017 Draft Guidance, the 2023 Draft Guidance features revised recommendations regarding the risk-based approach for validation of electronic systems[1] and provides new definitions of key terms related to digital and electronic research infrastructure.  It also applies to a broader range of regulated studies.[2]

Comments on the 2023 Draft Guidance must be submitted by May 15, 2023.


Over the last few decades, recordkeeping practices in clinical investigations that were traditionally paper-based have transformed into digital enterprises.  As part of this transformation, sponsors have had to grapple with the regulatory standards and requirements that apply to these digitized processes and records—in particular, the requirements under Part 11, which apply to digital records that are created, modified, maintained, archived, retrieved, or transmitted under any records requirement set forth in FDA regulations.

FDA has addressed the scope and applicability of Part 11 in several guidances over the years, including in the context of clinical trials.[3]  Most recently, in the 2017 Draft Guidance, FDA affirmed a narrow and practical interpretation of Part 11 and encouraged a risk-based approach to the validation of electronic systems, implementation of electronic audit trails, and archiving of electronic records.

As technology has continued to evolve, and as sponsors have begun using and managing electronic systems in novel ways in the conduct of clinical investigations, questions about Part 11’s scope and applicability have continued to surface.  The COVID-19 pandemic brought these issues to the forefront for many sponsors and investigators, as they were forced to rely heavily on digital technologies and remote processes to conduct clinical investigations.  Recognizing that FDA’s ability to assess the authenticity, integrity, and reliability of data submitted in support of marketing applications and other submissions hinges on the industry’s alignment on electronic records, electronic systems, and electronic signatures, the Agency issued the 2023 Draft Guidance.

Major Provisions of the 2023 Draft Guidance

The 2023 Draft Guidance is formatted similarly to the 2017 Draft Guidance, and it includes twenty-eight questions and answers.  FDA has grouped these questions and answers into five sections: (A) electronic records, (B) electronic systems owned or controlled by sponsors or other regulated entities, (C) information technology service providers and services, (D) digital health technologies, and (E) electronic signatures.  FDA continues to take a narrow and practical interpretation of Part 11, but it has augmented its risk-based approach to validation through additional considerations and recommendations.

Section A: Electronic Records

Section A covers electronic records used in clinical investigations that fall under the scope of Part 11 requirements.  In the 2023 Draft Guidance, FDA clarifies that Part 11 applies to electronically formatted records from clinical investigations with non-U.S. sites.  The 2023 Draft Guidance also notes that Part 11 applies to electronic records from real-world data sources submitted to FDA as part of a marketing application, even if FDA regulations do not specifically identify such records.[4]

Like the 2017 Draft Guidance, the 2023 Draft Guidance requires that sponsors retain only certified copiesof electronic records.  But the 2023 Draft Guidance defines this term with greater specificity than the 2017 Draft Guidance: a certified copy is a copy of an original paper or electronic record that has been verified by a dated signature or a validated process to have the same information, “including data that describe the context, content, and structure,” as the original.[5]  Unlike the 2017 Draft Guidance, the 2023 Draft Guidance does not deem copies that lack important metadata to be incomplete; instead, it merely stresses the importance of metadata for establishing the authenticity or integrity of certain record types.

Section B: Electronic Systems Owned or Controlled by Sponsors or Other Regulated Entities

Section B of the 2023 Draft Guidance describes recommendations for electronic systems that are owned or controlled by sponsors or other regulated entities and are used to produce required records in clinical investigations.  Such systems include electronic case report forms (eCRFs), electronic data capture (EDC) systems, electronic trial master files (eTMFs), electronic clinical data and trial management systems (eCDMS, eCTMS), interactive response technology (IRT) systems, and electronic IRB management systems.

The 2023 Draft Guidance expands upon the 2017 Draft Guidance’s risk-based approach to validation of electronic systems used in clinical investigations.  The 2023 Draft Guidance outlines three considerations when applying this risk-based approach based on the nature of the electronic system: (1) the purpose and significance of the record and the criticality of the data, i.e., how the record and data will be used to support the regulatory decision and/or ensure patient safety; (2) the intended use of the electronic system, e.g., whether the electronic system is used to process records that are essential to the clinical investigation; and (3) whether the electronic system is a commercial off-the-shelf (COTS) system or a new, custom-made system.

In conjunction with the third consideration, the 2023 Draft Guidance clarifies that the extent of validation for COTS office utility software should be guided by both the organization’s internal business practices and the intended use of the software in the clinical investigation.  As a general matter, FDA does not anticipate that validation will be necessary for COTS office utility software used as intended by the manufacturer.  Conversely, validation of new custom-made electronic systems should include a review of the vendor’s SOPs, the system and software development life cycle model, validation documentation, change control procedures, and change control tracking logs.  In addition, regulated entities should perform user acceptance testing.  

Although FDA states that it does not intend to review sponsors’ audit reports of IT service providers’ systems, products, and services, it also states that such documentation should be retained as part of the clinical investigation records and made available for inspection by FDA.  The 2023 Draft Guidance broadly defines IT service providers to mean a vendor who provides data hosting and/or computing services—e.g., software as a service, platform as a service, and infrastructure as a service—to sponsors and other regulated entities.

With respect to inspections of sponsors, the 2023 Draft Guidance diverges from and elaborates on the 2017 Draft Guidance.  Whereas the 2017 Draft Guidance outlined only three pieces of information that FDA would review during inspections of sponsors’ electronic systems to determine Part 11 compliance, the 2023 Draft Guidance spends over a full page detailing the precise documentation FDA intends to review.  Such documentation includes audit trail information and interoperable data standards; procedures for data collection, handling, and management; systems for restricting access to electronic systems; change control procedures; vendor contracts; corrective and preventive actions; internal and external audits of electronic systems and of vendors that are performed or provided by the sponsor or independent consultants; and roles and responsibilities of sponsors, clinical sites, and other parties with respect to the use of electronic systems in the clinical investigation.

With respect to inspections of other regulated entities, such as CROs or investigators, the 2023 Draft Guidance encourages such entities to retain electronic systems information demonstrating that those systems comply with the requirements of Part 11.  Such information includes policies and procedures related to the system account setup and management, access controls and user access privileges, system user manuals, and system training materials and records.  During clinical site inspections, FDA will review records related to staff training on the use of electronic systems; procedures and controls in place for system access, data creation, data modification, and data maintenance; and the use of electronic systems at the clinical investigator site to generate, collect, transmit, and archive data.

Section C: Information Technology Service Providers and Services

Section C explores considerations for determining the suitability of information technology service providers and services.  While the 2017 Draft Guidance posited that sponsors and other regulated entities would broadly use mobile technology during the course of clinical investigations, the 2023 Draft Guidance enumerates three types of IT services routinely provided for sponsors: data hosting, cloud computing software, and platform and infrastructure services.

The 2023 Draft Guidance recommends sponsors enter into written service level agreements with IT service providers that describe, at a minimum, the scope of the work and IT service being provided, the parties’ roles and responsibilities with respect to quality and risk management, and details regarding data access.  In addition, the 2023 Draft Guidance clarifies that sponsors are responsible for any duties and functions related to the clinical investigation not specifically transferred to a service provider via a transfer of regulatory obligation (TORO).

Compared to the 2017 Draft Guidance, the 2023 Draft Guidance offers greater clarity regarding the circumstances under which FDA would choose to inspect IT service providers.  For instance, the Agency notes it can request to conduct focused investigations of IT service providers irrespective of whether a TORO is established.  Such an investigation could be triggered by a specific regulatory concern, such as a concern regarding the integrity of trial data.  The Agency also clarifies that sponsors should have access to all study-related records maintained by IT service providers, since FDA may review those records during a sponsor inspection.

Section D: Digital Health Technologies[6]

Section D discusses the use of digital health technologies (DHTs) for remote data acquisition from participants in clinical investigations evaluating medical products.  DHTs encompass a broader range of technologies than the mobile technologies discussed in the 2017 Draft Guidance.  Mobile technologies included mobile platforms, mobile applications, wearable biosensors, other remote sensors, and portable and implantable electronic devices, while DHTs incorporate all computing platforms, connectivity, software, and sensors for health care and related uses.

In the 2023 Draft Guidance, FDA recommends that data originators transmit data captured from DHTs and any relevant associated metadata into a durable electronic data repository, such as a clinical investigation site database, a vendor database, or an EDC system.  Transmission should occur as soon as possible after data generation, and the audit trail should include the date and time of such transmission.

Unlike the 2017 Draft Guidance, the 2023 Draft Guidance affirms that FDA may verify the data sponsors submit in support of applications or submissions against the electronic source data during inspections.  FDA recommends that sponsors allow for the inspection, review, and copying of such records in human readable form.

Section E: Electronic Signatures

Section E examines methods for creating valid electronic signatures in connection with clinical investigations.  The 2023 Draft Guidance’s discussion of electronic signatures largely echoes the 2017 Draft Guidance.  However, the 2023 Draft Guidance acknowledges that a statement of testament suffices in situations where electronic signatures cannot be placed in a specified signature block.  It also clarifies that FDA considers signatures drawn with a finger or an electronic stylus on a mobile platform or other electronic system to be a handwritten electronic signature, and that these types of signatures are valid only if placed on the electronic document exactly as they would appear on a printed document.  

*    *    *

If you have any questions concerning the material discussed in this client alert, please contact the following members of our Food, Drug, and Device practice:

Wade Ackerman+1 424 332
Scott Cunningham+1 415 591
Paula Katz+1 202 662
Julia Post+1 202 662
Christina Kuhn+1 202 662
Emily Statham+1 202 662

[1] The 2023 Draft Guidance does not provide comprehensive detail on how to perform a risk assessment. However, the Agency notes there are many risk assessment methodologies from a variety of industries that can be applied, including the ICH guidance for industry entitled Q9(R1) Quality Risk Management (June 2022) and the International Organization for Standardization’s (ISO’s) standard ISO 31010:2019 Risk management – Risk assessment techniques.

[2] The 2023 Draft Guidance was issued by a broader range of Centers at FDA than prior guidance on this topic. Whereas the 2017 Draft Guidance was issued by the Center for Drug Evaluation and Research (CDER), the Center for Biologics Evaluation and Research (CBER), and the Center for Devices and Radiological Health (CDRH), the 2023 Draft Guidance was also issued by the Centers for Food Safety and Applied Nutrition (CFSAN), Tobacco Products (CTP), Veterinary Medicine (CVM), Office of Regulatory Affairs (ORA), and Office of Clinical Policy (OCLiP).

[3] See, e.g., FDA, Use of Electronic Health Record Data in Clinical Investigations (2018); FDA, Use of Electronic Records and Electronic Signatures in Clinical Investigations under 21 CFR Part 11 — Questions and Answers (2017); FDA, Electronic Source Data in Clinical Investigations (2013); FDA, Computerized Systems Used in Clinical Investigations (2007); FDA, Part 11, Electronic Records; Electronic Signatures — Scope and Application (2003).

[4] See, e.g., FDA 2023 Draft Guidance 4 n. 20 (2023); FDA, Use of Electronic Health Record Data in Clinical Investigations: Guidance for Industry (2018); FDA, Electronic Source Data in Clinical Investigations: Guidance for Industry (2013).

[5] The 2017 Draft Guidance described a certified copy as being a verified copy that has “all of the same attributes and information as the original.”

[6] In the 2023 Draft Guidance, FDA cross-references its January 2022 draft guidance for industry, investigators, and other stakeholders entitled Digital Health Technologies for Remote Data Acquisition in Clinical Investigations (2022 Draft DHT Guidance). The 2023 Draft Guidance reflects many of the DHT principles contained in the 2022 Draft DHT Guidance.

On March 23, 2023, FDA released a Framework for the use of digital health technologies in drug and biological product development (the “DHT Framework”).  This DHT Framework is on the heels of a Discussion Paper the Agency released earlier this month on the use of artificial intelligence (AI) in drug manufacturing to seek public input on issues of critical focus (the “AI Discussion Paper”).  While both actions are significant, the AI Discussion Paper is one of CDER’s few policy statements related to the deployment of AI around regulated activities (though the Center did establish an AI steering committee in 2020).  CDRH, on the other hand, has issued several policy documents around AI-based software potentially regulated as “software as a medical device” (SaMD), including through an April 2019 discussion paper that proposed a regulatory framework for modifications to AI-based SaMD, an AI “Action Plan” for SaMD in January 2021, and guiding principles to inform the development of Good Machine Learning Practice for AI-based medical devices in October 2021.  CDER has requested public comment on the recent DHT Discussion Paper and AI Framework by May 1 and 23, respectively.

I. The AI Discussion Paper

The AI Discussion Paper recognizes the potential value that AI offers in the pharmaceutical industry, including optimizing process design and control, smart monitoring and maintenance of equipment, and trend monitoring of consumer complaints to drive continuous improvement.  In order to advance the use of AI for such purposes, the Agency seeks public feedback on specific issues as the Agency considers “the application of its risk-based regulatory framework to the use of AI technologies in drug manufacturing.”  The paper indicates that it is not exhaustive of all considerations that may be important in developing an AI policy and regulatory framework, for example, difficulties that could result from potential ambiguity on how to apply existing Current Good Manufacturing Practice (CGMP) regulations to AI. Rather, the scope of the paper is focused on five critical areas identified as follows:

  1. Cloud applications may affect oversight of pharmaceutical manufacturing data and records.  The AI Discussion Paper notes that use of a third-party AI platform or service may lead to challenges in ensuring that the third-party creates and updates AI software with appropriate safeguards for data safety and security.  Additionally, FDA posits that ongoing interactions between cloud applications and process controls could complicate the ability to establish data traceability and create potential cybersecurity vulnerabilities.  The AI Discussion Paper does not opine on or ask specific questions regarding the level of diligence a drug sponsor should reasonably perform with third-party vendors. 
  2. The Internet of Things (IoT) may increase the amount of data generated during pharmaceutical manufacturing, affecting existing data management practices.  On the one hand, AI solutions provide tremendous value by allowing drug manufacturers to capture a broader array of data than is typically available through non-AI methods.  But FDA acknowledges that if the raw data collected during the manufacturing process increases in both frequency and types of data recorded, there may be a need to balance data integrity and retention with the logistics of data management.  For example, applicants could need further clarity from regulators on which data need to be stored and/or reviewed and how loss of these data would impact future quality decisions.  FDA also flagged the potential challenges in storing the data in a structured manner that enables retrieval and analysis.
  3. Applicants may need clarity from FDA about whether and how the application of AI in pharmaceutical manufacturing is subject to regulatory oversight, especially as AI could be used in various manufacturing operations that are the focus of FDA oversight, such as monitoring and maintaining equipment, identifying areas for continuous improvement, scheduling and supply chain logistics, and characterizing raw materials.
  4. Applicants may need standards for developing and validating AI models used for process control and to support release testing.  FDA has published guidance and spoken on the verification, validation, and usability of digital health technologies for remote data acquisition in clinical investigations, but the AI Discussion Paper recognizes the limited availability of industry standards and FDA guidance for the development and validation of AI models that impact product quality, particularly in the drug manufacturing sphere.  This lack of guidance may create challenges in establishing the credibility of a model for a specific use, especially as AI methods for drug manufacturing become more complex.  For example, the AI Discussion Paper notes that applicants may need clarity regarding how the potential to transfer learning from one AI model to another can be factored into model development and validation.  This area for discussion suggests that FDA guidance on this issue may be forthcoming, but the AI Discussion Paper does not delve into details of the content of any future guidance or any positions the Agency may take (e.g., how the Agency would recommend allocating implementation responsibilities across AI developers and deployers).
  5. Continuously learning AI systems that adapt to real-time data may challenge regulatory assessment and oversight.  On the device side, Congress recently amended the FDCA to create a more streamlined and efficient process for software-based medical device submissions that could undergo a number of foreseeable AI-informed modifications throughout the total product lifecycle by allowing for the submission of “predetermined change control plans,” and the Agency has issued a draft guidance on this topic.  This area for consideration in the AI Discussion Paper signals that the Agency is now thinking of these issues on the drug side as well, recognizing that applicants may need clarity on the approach for FDA’s examination of continuously updated AI control models during a site inspection and for establishing product comparability after changes to manufacturing conditions introduced by the AI model.

Leveraging the above areas for consideration, the AI Discussion Paper asks the following questions:

  1. What types of AI applications do you envision being used in pharmaceutical manufacturing?
  2. Are there additional aspects of the current regulatory framework (e.g., aspects not listed in the “areas for consideration”) that may affect the implementation of AI in drug manufacturing and should be considered by FDA?
  3. Would guidance in the area of AI in drug manufacturing be beneficial?  If so, what aspects of AI technology should be considered?
  4. What are the necessary elements for a manufacturer to implement AI-based models in a CGMP environment?
  5. What are common practices for validating and maintaining self-learning AI models and what steps need to be considered to establish best practices?
  6. What are the necessary mechanisms for managing the data used to generate AI models in pharmaceutical manufacturing?
  7. Are there other aspects of implementing models (including AI-based models) for pharmaceutical manufacturing where further guidance would be helpful?
  8. Are there aspects of the application of AI in pharmaceutical manufacturing not covered in this document that FDA should consider?

II. The DHT Framework

In connection with the commitments FDA made as part of user fee reauthorizations, FDA established a framework to guide the use of data derived from digital health technologies (DHTs) in regulatory decision-making for drug and biological products.  The Agency has emphasized the importance of DHTs in drug development and made advancing the use of DHTs a front burner issue, also releasing draft guidance in December 2021 encouraging drug sponsors to make use of voluntary qualification programs to allow for reliance on DHTs in multiple clinical investigations for different premarket submissions.  The DHT Framework focuses on both internal programs to support DHT-related activities within FDA, and external programs to engage industry and other stakeholders.  Specifically, with respect to internal programs:

  1. DHT Steering Committee.  FDA has established a DHT Steering Committee to oversee implementation of Agency commitments related to evaluating DHT-based measurements in regulatory submissions.  We recommend monitoring this Committee’s activities and watching for developments, as the Committee may make policy recommendations that impact the use and evaluation of DHT-based measurements in drug and biological product development.
  2. Technical Expertise and Training.  FDA stated it will develop training within the drugs and biological products programs to enhance internal knowledge regarding the use of DHTs in drug development.  This will be an area to watch, as the Agency may issue guidance on topics such as verification and validation of DHTs, technical and performance specifications associated with using a study participant’s own DHTs or general-purpose computing platforms in clinical investigations, how to incorporate upgrades and updates of DHTs in drug development, and incorporating DHTs using AI algorithms into drug development.
  3. Consistency of Evaluations Across Review Divisions.  The DHT Steering Committee will help to facilitate consistent approaches to the review and evaluation of submissions that use a single DHT measurement for studies of different diseases and different drugs.  This program suggests that the Agency is open to the possibility of using a single measurement for multiple purposes, which could increase efficiency and streamline submission processes.
  4. Statistical Considerations in the Analysis of DHT-Derived Data.  FDA plans to address novel considerations for endpoints derived from DHT data and technical data specifications to facilitate submission of readily analyzable DHT-derived data supporting drug development.  Sponsors should watch for Agency recommendations here, as adhering to FDA’s suggestions may facilitate the Agency’s acceptance of DHT-derived data used in submissions.
  5. IT Capabilities.  FDA plans to enhance its IT capabilities to support the review of DHT-generated data, including by establishing cloud technology to review, aggregate, store, and process large volumes of data and implementing standards to reduce the handling necessary to make DHT data analyzable.  Sponsors should consider adhering to any future data standards for DHT-generated datasets as a best practice and ensure that they have systems in place to effectively use and interact with any new cloud technologies.

With respect to external programs and engagement:

  1. FDA Meetings With Sponsors.  The DHT Framework notes how engagements between sponsors and FDA – including the DHT Steering Committee – may occur at different stages of drug development.  If deciding to use DHTs in the drug development process, sponsors should be prepared to discuss the regulatory status of DHTs, development of trial endpoints, selection of DHTs for clinical investigations, and verification and validation of DHTs.
  2. Drug Development Tool Qualification Program.  As noted above and in our previous blog, FDA has qualification programs that are intended to support the development of DHTs for use in assessing medical products.  Sponsors should consider whether to pursue qualification of DHTs as drug development tools for a specific context of use, as the DHT Framework highlights that the a qualified DHT may be relied upon in multiple clinical investigations to support premarket submissions for drugs where the context of use is the same.
  3. Guidance.  FDA plans to issue draft guidances that reflect FDA’s current thinking on DHT topics, including on decentralized clinical trials for drugs, biological products, and devices; and regulatory considerations for prescription drug use-related software.  The DHT Framework notes FDA plans to publish such draft guidances in 2023, and may publish additional draft guidances in identified areas of need informed by stakeholder engagement in 2024.  Sponsors should watch for the publication of these draft guidances and consider whether to provide public comment to the Agency to inform final guidance.
  4. Public Meetings.  FDA plans to host a series of five public meetings or workshops to gather input on issues related to the use of DHTs in regulatory decision-making related to drug and biological product development, including priorities for the development of DHTs to support clinical investigations, approaches to DHT verification and validation, DHT data processing and analysis, regulatory acceptance of safety monitoring tools that use AI-/ML-based algorithms for pharmacovigilance purposes, and emerging challenges.  Sponsors should consider attending these public meetings and workshops to monitor Agency thinking on these key topics and ensure they have a seat at the table.
  5. Demonstration Projects.  The DHT Framework states that FDA will identify at least three demonstration projects to inform methodologies for efficient DHT evaluation in drug development, which may include validation methods for DHTs, endpoint development, analytic approaches to missing data, and use of DHTs in decentralized clinical trials.  These projects may inform policy development, so monitoring the projects and project feedback will be important.
  6. External Organizations.  In addition to collaborating with sponsors and hosting public meetings, FDA also plans to engage with external organizations and participate in forums organized by professional bodies.  Sponsors should monitor FDA participation in such meetings and take note of any positions the Agency takes, as these meetings could inform actions the Agency takes to meet the objectives outlined in the DHT Framework.

Companies in this space should strongly consider submitting comments on the AI Discussion Paper and DHT Framework, as industry feedback could inform the Agency’s thinking on future guidance documents or frameworks on AI/use of DHTs in drug manufacturing going forward.  Indeed, at a February 17, 2023 workshop, FDA officials noted that the questions outlined in the AI Discussion Paper are “very important for [the Agency] as [they] think in terms of providing regulatory clarity for the use of AI in drug development,” with a goal of adopting “a flexible, risk-based regulatory framework that promotes innovation but also protects patient safety.”

To avoid a real and imminent risk of shortages of devices on the EU market, the European Commission recently adopted Regulation (EU) 2023/607, extending the transitional provisions in Regulation (EU) 2017/745 (the “MDR”) and removing the sell-off period in the MDR and Regulation (EU) 2017/746 (the “IVDR”).  The Commission has published a Q&A on the practical aspects of the latest changes (the “Q&A”).  Below we set out the top 10 questions to think about when assessing how the changes to the MDR and IVDR may impact you and your medical devices.

As explained in our prior post, the Commission’s changes aim to address concerns regarding Notified Body capacity and the significant number of medical devices yet to transition to compliance with the MDR.

  1. What are the key changes?

The Commission has extended the transition period granted by the MDR for certain devices CE marked under the prior Medical Devices Directive 93/42/EEC (the “MDD”) and Active Implantable Medical Devices Directive 90/385/EEC (“AIMDD”).  It does not change the existing transition periods in the IVDR.  However, it removes the “sell-off” period from both the MDR and IVDR, meaning that legacy devices and IVDs already placed on the market can continue to be made available or put into service without being withdrawn.

In essence, the changes extend the period companies have to obtain MDR-compliant certificates and also provides more time for Notified Bodies to clear the backlog in their conformity assessments.  However, given that the transition period does not apply to new  medical devices the lack of Notified Body capacity may still lead to delays in bringing new products to market.

  1. Is my device covered by the transition periods?

The revised transition periods apply to legacy devices that meet certain criteria.  However, they do not apply to (i) Class I devices that are not up-classified under the MDR, (ii) new devices nor (iii) devices intended to substitute an MDD device where the manufacturer has made significant changes with regard to the design or intended purpose of the MDD device. 

  1. My device is a legacy device in Class IIa / Class IIb / Class III under the MDD.  What are the new transition periods?
  • Devices with Notified Body certificates valid on 20 March 2023

If a device has a Notified Body certificate of conformity that was granted on or after 25 May 2017, and which was still valid (and not withdrawn) on 20 March 2023, provided the manufacturer satisfies the requirements set out in question 5 below, the certificate shall remain valid after its expiry date until:

(a) “31 December 2027, for all class III devices, and for class IIb implantable devices except sutures, staples, dental fillings, dental braces, tooth crowns, screws, wedges, plates, wires, pins, clips and connectors;

(b) 31 December 2028, for class IIb devices other than those covered by point (a) of this paragraph, for class IIa devices, and for class I devices placed on the market in sterile condition or having a measuring function.” (emphasis added)

  • Devices with Notified Body certificates that expired before 20 March 2023

If a device has a Notified Body certificate that was granted on or after 25 May 2017, which was valid on 26 May 2021 but expired before 20 March 2023, it can also benefit from the extended transition periods above but only if:

(a) before the date of expiry of the certificate, the manufacturer signed an agreement with a Notified Body in accordance with section 4.3 of Annex VII MDR covering the device with the expired certificate or the device intended to substitute it; or

(b) the Competent Authority of a Member State has granted a derogation under Article 59 MDR or has required the manufacturer, in accordance with Article 97(1) MDR, to carry out the applicable conformity assessment procedure within a specified period of time.[1]

In addition, the manufacturer must satisfy the requirements in question 5 below.

  1. My device is Class I under the MDD/AIMDD but has been up-classified under the MDR.  Do I have additional time to comply with the MDR?

Devices that are self-assessed under MDD/AIMDD but require a Notified Body certificate under the MDR (“up-classified devices”) (including software medical devices) can also benefit from the transition periods provided the manufacturer drew up a declaration of conformity for the relevant device before 26 May 2021.  In such cases, the manufacturer can continue to place the device on the market until 31 December 2028, provided it satisfies the requirements set out in question 5 below.

  1. What conditions do I have to comply with to benefit from the transition period?

Eligible legacy devices will only benefit from the transition period if they comply with all the conditions set out in new Article 120(3c) MDR.  This requires:

(a) the devices must continue to comply with MDD, as applicable;

(b) there are no significant changes to design or intended purpose;

(c) the devices do not present an unacceptable risk to health and safety of patients, users or other persons, or to protection of public health;

(d) by 26 May 2024 the manufacturer must have a quality management system (“QMS”) in place; and

(e) by 26 May 2024 the manufacturer must have submitted an application and entered into a written agreement with a Notified Body.

  1. What are the new rules that apply to Class III custom-made implantable devices?

Under the MDR, the conformity assessment of Class III custom-made implantable devices requires the involvement of a Notified Body.  In light of this, the Commission has proposed an extension to the transition period for such devices.  Class III custom-made implantable devices can be placed on the market/put into service until 26 May 2026 so long as:

  • by 26 May 2024 the relevant manufacturer lodges a formal application with a Notified Body; and
  • by 26 September 2024 the manufacturer and Notified Body sign a written agreement.
  1. How do I evidence my device benefits from the extended transition period?

If you meet the relevant conditions, the extension of the transition period will be applied automatically by law.  During the transition period, Notified Bodies cannot

issue new MDD/AIMDD certificates.  However, they can provide written confirmation correcting or complementing information on an existing certificate.  As such, you can ask your Notified Body to update existing certificates to include the new expiry date. 

To demonstrate validity of the MDD/AIMDD certificate to third parties, you could also consider:

  • Providing a self-declaration confirming that the conditions for the extension are fulfilled and stating the end date of the transition period.  The self-declaration should clearly identify the devices covered by the extension and certificates concerned.
  • Obtaining a ‘confirmation letter’ from your Notified Body confirming receipt of the application for conformity assessment and the conclusion of a written agreement.
  1. What does removal of the “sell-off” period mean?

There is no longer a “sell-off” period in either the MDR or the IVDR.  This means that devices and IVDs placed on the market before the entry into force of the MDR or IVDR, as applicable, or during the transition period can continue to be made available/put into use without any limitation on time (subject to their shelf-life/expiry date).

  1. Do I still need to comply with the MDR post-marketing requirements?

Yes.  Manufacturers of devices benefitting from the revised transition periods still need to comply with the MDR’s requirements on post-market surveillance, market surveillance, vigilance, registration of economic operators and of devices.

  1. Does the transition period apply in the United Kingdom?

Changes to the MDR and IVDR automatically apply in Northern Ireland under the Northern Ireland Protocol.  Devices placed on the market in Northern Ireland can therefore benefit from the extension to the transition period.

The MDR and IVDR do not apply in Great Britain (England, Scotland and Wales).  However, the UK Medicines and Healthcare products Regulatory Agency (“MHRA”) confirmed certificates extended in compliance with EU rules “will also be recognized as valid for placing CE marked devices on the GB market.”  This is in line with the MHRA’s plans set out in the 2023 Spring Budget.  In this, the Chancellor stated the UK would move towards a system for rapid sign-off of technologies when approved by trusted regulators, including the EU.  See our blog discussing the Spring Budget here

[1] The Q&A states that “Even if the national derogation is limited in time or the manufacturer has been required to carry out the conformity assessment procedure within a given period of time, the device benefits from the full transitional period until 31 December 2027 or 31 December 2028, as applicable, provided the conditions set out in Article 120(3c) MDR are fulfilled. The certificate is deemed to be valid until the end of the applicable transitional period, unless it is withdrawn.”

Last week, Jeremy Hunt, Chancellor of the Exchequer, published his Spring Budget for the UK.  It identified life sciences and digital technologies as “high growth sectors,” which the UK Government wishes to prioritize.  Among other things, the Budget outlined the Government’s plans to simplify medicines and technology approvals, plus changes to the regulation and support of digital technologies and artificial intelligence (“AI”).  Essentially, the Government wants “the UK to be the best place in Europe for companies to locate, invest and grow” and has announced plans to “strengthen [our] technology and life science sectors.”  The Government intends to support those working in these sectors through regulatory changes, as well as better infrastructure and additional funding.  This blog post summarizes some of the key announcements.

Quick and simple medicines and technologies approvals

First, the Government’s ambition is for the UK to have the “quickest, simplest, regulatory approval in the world.”  Mr Hunt envisions achieving this through two key changes to UK medicines and technology regulations:

  1. Reliance on foreign approvals.  
    • The UK Medicines and Healthcare products Regulatory Agency (“MHRA”) will implement “rapid, often near automatic sign-off” for medicines and technologies approved by other trusted regulators, such as the United States, Europe and Japan.  
    • Going forwards, developers of medicines may be able to prioritize their regulatory approvals in the United States, EU or Japan, rather than preparing a standalone marketing authorization application (“MA”) for the UK.  The UK currently has reliance procedures in place for medicines that are centrally authorized by the European Commission or authorized in the EU through decentralized and mutual recognition procedures.  The new Government policy will significantly expand the scope of the MHRA’s reliance procedures so that it includes other foreign regulators, potentially increasing the speed to market for pharmaceutical products.
    • These new policies will also extend to “technologies.”  Given the MHRA has little involvement in the pre-market approval of medical devices, it is unclear to what extent this term includes medical devices.  However, we assume there would be scope for the UK to automatically recognize a regulatory approval of a medical device in the United States (such as a 510(k)) or an EU CE-mark for the purpose of obtaining a UKCA mark.  It might also give software medical devices benefiting from innovations in regulation, such as the U.S. FDA’s Software Pre-Cert Pilot Program, rapid access to the UK market. 
    • In any event, the intended upshot of these proposals is that global developers of medicines and technologies will be able to avoid UK-specific regulatory procedures, associated costs and concerns about navigating unique regulatory requirements for the UK market.  
    • Absent mutual recognition of UK approvals by other regulators, of course, a potential downside of more expansive reliance by UK is that this could limit the MHRA’s opportunities to be a truly innovative regulator.  Mindful of this risk, the Chancellor announced some rapid review initiatives. 
  1. Accelerated approval process.
    • From 2024, the MHRA will also implement a “swift approval process” for the most impactful new medicines and technologies, such as “cancer vaccines and AI therapeutics for mental health.”  In respect of medicines, we note that the MHRA currently offers a 150-day assessment route for high-quality national MA applications and the option for applications to be fast tracked if there is compelling evidence of benefit in a public health emergency or if there is a shortage of supply of an essential medicine.  We will need to wait for further detail before we know whether the MHRA will be able to accelerate these timelines even further and what the specific product criteria will be for this accelerated assessment route.

The Government announced £10 million extra funding for the MHRA over the next two years to implement the above ambitions.

The UK also announced its intent to do more to promote innovation and the digital economy.  It highlights Patrick Vallance’s Pro-Innovation Regulation of Technologies Review: Digital Technologies Report, noting that the Government accepts all nine of Sir Patrick Vallance’s recommendations.  Notably, for those in the life sciences sector, these include the implementation of: (1) regulatory sandboxes (to allow innovators and entrepreneurs to experiment without the heavy burden of regulation and the risk of fines); (2) a clear policy position on the relationship between intellectual property law and generative AI (to provide confidence to innovators and investors); and (3) greater industry access to public data.

The Budget also highlights a number of specific ways it will support AI and digital technologies:

  • Investment in infrastructure.  “AI needs computing horsepower.” As such, the Chancellor committed to investing around £900 million to build an exascale supercomputer and to establish a new AI Research Resource.  This should provide significant computer power for the UK AI community and allow researchers to work on areas such as new drug discovery.
  • Quantum Strategy.  The UK launched its Quantum Strategy, which includes a research and innovation programme and £2.5 billion of Government investment over 10 years.
  • Funding innovation accelerator programmes.  The Government will provide £100 million funding for the Innovation Accelerators programme (which covers 26 transformative R&D projects).
  • Critical areas of AI.  The Government will award £1 million every year for 10 years to researchers that drive progress in critical areas of AI.  There is currently no detail of what these areas are nor what is considered as “driving progress.”
  • Taskforce on foundational models.  The Government acknowledges the importance of foundation models and will establish a taskforce to advance UK sovereign capability to ensure the UK is at the cutting edge of the technology.
  • Metaverse.  The Government plans to lead the way on regulation of AI and the future of web technology.

The Government’s announcements are a positive step in the right direction.  However, as always, the devil will be in the detail.  The Covington Life Sciences team is following these developments and will provide further updates in due course.

Innovative digital solutions intended to address health issues typically experienced by women have been an area of increased focus.  Ranging from reproductive-related mobile applications to AI-enabled breast cancer screening devices, digital solutions for women+ health show promise to serve an enormous market with medical needs that have often failed to get the level of attention that women deserve.  Experts estimate that the women+ health market could skyrocket in worth in the coming years — potentially reaching $475 billion by 2027.[1]  And women’s health in general has gained attention at the federal level, with FDA’s Center for Devices and Radiological Health sharing a “Health of Women Program Strategic Plan”[2] in 2022 and the Biden Administration making women’s health a stated priority.  International governments also are increasingly focusing on women’s health issues.[3]  This post outlines five reasons digital solutions for women+ health should be a front-burner digital health focus in 2023.

  1. The growing women+ health sector is normalizing the conversation around women’s health, leading to much-needed innovation in key areas.  Research suggests that people sometimes shy away from discussing health topics historically labeled as “taboo” — such as reproductive health, pregnancy loss, female sexual health and pleasure, period health, infertility, postnatal depression, incontinence, pelvic floor dysfunction, breastfeeding, and menopause.  Even well-intentioned healthcare providers are sometimes insufficiently informed to create and offer effective solutions and support for women+.[4]  The recent attention to digital solutions for women+ health serves to change these dynamics  — challenging and dispelling existing taboos, stigmas, and practices surrounding women’s health.  Digital solutions for women+ health can also help address social stigma and legal hurdles for the delivery of care, for example with telemedicine consultations on sexual health, abortions and menopause.  Innovators in the women+ health space aim to put women’s needs and voices at the core of products and services, thus empowering women to prioritize and openly discuss their health and wellness.  Increased and improved knowledge of women’s health issues, as well as growing access to women’s health data through digital offerings, will accelerate innovation in this area.
  2. Digital solutions for women+ health are advancing health equity among gender and racial lines.  History has shown disparities in both health access and outcomes among gender and racial lines, particularly for women of color.  Indeed, a recent literature review found that females “remain broadly under-represented in the medical literature, sex and gender are poorly reported and inadequately analyzed in research, and misogynistic perceptions continue to permeate the narrative.”[5]  Additionally, a 2022 study demonstrated that while women make up 50.8% of the U.S. population, only 41.2% of clinical trial participants from 2016-2019 were female.[6]  This is particularly concerning considering that the percentage of women affected by the diseases and disorders at issue in the clinical studies ranged from 49-60%.  For example, 60% of people with psychiatric disorders are women, but just 42% of participants in trials for psychiatric drugs were female.  The explosive growth of digital solutions in the women+ health arena is already helping to drive attention to these gaps in medical research and will be critical to addressing these issues — facilitating clinical trial participation from a broader scope of women and the generation of women-forward data sets.[7] 
  3. The expanding range of digital solutions for women+ health is creating opportunities for better and more cost effective health outcomes.  A variety of digital solutions for women+ health are on the market already, including menstrual period and symptom trackers, digital therapeutics for sexual wellness, fitness apps for pregnant and postpartum women, pelvic floor trainers, wearable technology for menopause support, digital contraceptives that enable women+ to track fertility and predict ovulation windows, innovative breast pumps, AI-enabled breast cancer screening software, and more.  As an example, in 2018 FDA permitted marketing of the first direct-to-consumer app as a method of contraception to prevent pregnancies, with another app to follow in 2021.[8]  More recently in late 2022, FDA cleared a device that uses AI and machine learning to flag areas on mammograms that are suggestive of the presence of at least one suspicious finding to categorize exams and allow for prioritization.[9]  Professionals have stated they plan to use this technology to “address data bias regarding breast health and imaging.”[10]  Similar products are making their way to the international market.  With healthcare costs a constant area of focus, some digital health solutions may offer a less expensive and more accessible option, and the breadth of solutions makes clear that innovators are thinking about ways to both address historically unmet medical needs, while also delivering solutions in cost effective ways.
  4. The women+ health sector is innovating to address the need to protect women’s privacy.  In the aftermath of the Supreme Court’s Dobbs decision, the privacy of women’s health information has never been more important.  Many digital solutions for women+ health are on the cutting edge of deploying privacy-by-design strategies to minimize the collection and retention of identifiable health and location information.  Last summer, many period tracking and fertility solutions announced innovations to better protect women’s privacy.[11]  These innovations are consistent with trends in regulation and enforcement.  Even prior to Dobbs, the FTC[12] and state attorneys general[13] have focused some of their enforcement activity on digital solutions for women+ health.  However, the Dobbs decision has accelerated that interest, as illustrated by President Biden’s Executive Order Protecting Access to Reproductive Health Care Services, which directs federal agencies to take various steps to protect consumer privacy in response to “this health crisis.”[14]  The FTC[15] and HHS[16] subsequently issued guidance on what is required by the pre-existing regulatory frameworks and reaffirmed the particular sensitivity of reproductive health data, and HHS Secretary Xavier Becerra has indicated that this area is an “enforcement priority.”[17]  State legislatures have also taken an increased interest in the privacy of women’s reproductive health and have proposed legislation to protect health data.  For example, Washington’s state legislature introduced a bill that would prevent sharing of certain women’s health data — including reproductive health data — without a consumer’s consent.[18]
  5. Digital solutions for women+ health will lead to more sex-specific data.  The physiology of a woman’s body is different than that of a man’s.  For example, women have unique presentations for serious conditions such as stroke and diabetes, but to date medical research and therapies have typically failed to take into account sex.  Additionally, as noted above, women have been underrepresented in clinical trials.  Changing clinical trial recruitment to recruit a higher percentage of women is a long-term challenge.  But digital solutions for women+ health could help solve some of the imbalance by collecting valuable data and creating communities of users for recruitment.  For example, real world data sets, such as those coming from wearables, could be used to develop sex-specific insights, and those insights could be used for sex-based protocols that could customize digital care responses.

In short, as digital solutions for women+ health continue to expand, the opportunities to serve unmet needs for women’s health, improve medical research, and deliver better, cost efficient care increases.  Of course, the rise of these solutions also implicates a host of regulatory considerations, such as how companies will ensure privacy of women’s health data and whether certain digital solutions for women+ health will be considered medical devices subject to regulatory oversight in the U.S. and elsewhere.  As women+ health solutions continue to grow, we expect federal and international guidance to develop as well — including advancements on CDRH’s Health of Women Program Strategic Plan.  Navigating those developments will be key to realizing those opportunities.



[3] See, e.g.,

[4] Id.


[6]; see also




[10] Id.







[17] Id.


On December 19, 2022, the U.S. Department of Health and Human Services (“HHS”) through the Centers for Medicare & Medicaid Services (“CMS”) issued a proposed rule to adopt standards for certain electronic health transactions.  Specifically, the proposed rule would adopt standards for health care attachment transactions (e.g., medical charts, x-rays, provider notes) and electronic signatures to be used in conjunction with health care attachments, and modify the standard for referral certification and authorization transaction.  The proposed rule would apply to entities regulated by the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”), and would implement certain requirements of the Administrative Simplification subtitle of HIPAA and the Patient Protection and Affordable Care Act (“ACA”) that require the Secretary of HHS to adopt and update standards for electronic health transactions, code sets, unique identifiers, as well as the electronic exchange for health information.

Continue Reading HHS Proposes Rule to Improve Standards for Electronic Prior Authorizations and Other Transactions with Health Care Attachments

On December 7, 2022, the Federal Trade Commission (“FTC”), along with the U.S. Department of Health and Human Services (“HHS”) and the U.S. Food and Drug Administration (“FDA”), announced updates to the Mobile Health App Interactive Tool­—a questionnaire designed to help mobile health app developers identify federal laws and regulations that may apply to their products.

The tool is designed for mobile apps that access, collect, share, use, or maintain information related to a consumer’s health through features such as fitness tracking, medical record sharing, sleep monitoring, disease diagnostics, and more.

The tool guides developers through fifteen questions, including:

  • Does/will your app collect, share, use, or maintain health information?
  • Is your app for use by consumers?
  • Does your app include a device software function that is the focus of FDA’s oversight?

Based on the answer to each question, the tool directs the user to other relevant questions and highlights at each step the laws and regulations that may apply to the mobile app.  The tool covers, among other laws and regulations, the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”), the Food, Drug, and Cosmetic Act (“FD&C Act”), the FTC Act, and the 21st Century Cures Act.

The tool was first released in 2016 and included ten questions to help developers determine whether their apps would be subject to HIPAA, the FD&C Act, the FTC Act, and/or the FTC’s Health Breach Notification Rule.  The latest update to the tool adds new questions to help mobile developers understand legal requirements for their apps under the Children’s Online Privacy Protection Rule (“COPPA Rule”) and the 21st Century Cures Act but does not refine the analysis for the laws covered in the original version.  The tool is not intended to offer legal advice and is provided for informational purposes only.

On December 2, 2022, the U.S. Department of Health and Human Services (“HHS”), through the Office for Civil Rights (“OCR”) and the Substance Abuse and Mental Health Services Administration (“SAMHSA”), issued a proposed rule to implement statutory amendments enacted by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”).  Specifically, the proposed rule would harmonize certain provisions of the Confidentiality of Substance Use Disorder Patient Records under 42 C.F.R. Part 2 (“Part 2”) with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”).  

Section 3221 of the CARES Act amended several provisions of the statute underlying the Part 2 regulations to better align Part 2 with HIPAA.  For example, as amended, the statute permits an individual’s substance use disorder records regulated by Part 2 (“SUD Records”) to be used and disclosed in accordance with a single prior consent and allows HIPAA covered entities and their business associates to disclose SUD Records for treatment, payment, and health care operations in accordance with HIPAA when an individual has provided consent to the disclosure of his/her SUD Records.  Prior to the changes made by the CARES Act, the disclosure of SUD Records required a specific, written consent for each proposed disclosure, and it was permissible to disclose SUD Records without consent only in limited circumstances (e.g., medical emergency or court order).  As a result, entities subject to both HIPAA and Part 2 were required to follow different, more restrictive procedures for the disclosure of SUD Records than for the disclosure of other protected health information (“PHI”). 

The CARES Act required HHS to engage in rulemaking to implement various statutory changes.  Specifically, the proposed rule would modify Part 2 in accordance with the CARES Act by:

  • Generally allowing for the redisclosure of SUD Records in the same manner permitted by the HIPAA Privacy Rule (i.e., allowing for a single consent to suffice for Part 2 covered entities as it relates to further disclosures of SUD Records for treatment, payment, and health care operations), though the proposed rule requires any disclosures of SUD Records to non-HIPAA covered entities or business associates be pursuant to contractual or legally equivalent restrictions on the recipient’s use and disclosure of SUD Records in accordance with those permissible under Part 2;
  • Giving individuals a right to an accounting of and restriction on disclosures of SUD Records, in accordance with the rights individuals have under HIPAA with respect to their PHI;
  • Expanding the prohibition on the use and disclosures of SUD Records in civil, criminal, administrative, and legislative proceedings against patients unless patient consent or a court order is issued;
  • Applying the same civil and criminal penalties to violations of Part 2 as apply to violations of HIPAA (e.g., the imposition of civil monetary penalties);
  • Applying the same breach notification standards to breaches of SUD Records as apply to breaches of PHI in accordance with the HIPAA Breach Notification Rule;
  • Modifying the requirements for a Part 2 patient confidentiality notice to more closely align with the requirements and content of a HIPAA Notice of Privacy Practices (“NPP”); and
  • Aligning the requirements for a valid written consent under Part 2 with the requirements for a valid HIPAA authorization under the Privacy Rule.

The proposed rule would also modify the HIPAA Privacy Rule to require covered entities that receive and maintain SUD Records—and thus must comply with Part 2 requirements for these records—to modify their NPPs to reference patients’ rights with respect to SUD Rrecords.  For example, impacted covered entities would be required to disclose the uses and disclosures of SUD Records that are permitted or required without an authorization.

The CARES Act also contained certain antidiscrimination provisions related to SUD Records that HHS intends to implement as part of a separate rulemaking process.

Comments on the proposed rule are due by January 31, 2023.

On September 28, the governor of California signed into law AB 2089, which expands the scope of California’s Confidentiality of Medical Information Act (“CMIA”) to cover mental health services that are delivered through digital health solutions and the associated health information generated from these services. 

Continue Reading California Expands the Scope of the CMIA to Cover Certain Digital Mental Health Services and Information