AG Opinion on Software Medical Devices

On 28 June 2017, Advocate General Sanchez-Bordona (AG) presented his opinion in case C-329/16 Syndicat national de l’industrie des technologies médicales and Philips France following a request for preliminary ruling from the Conseil d’État (France) to the Court of Justice of the European Union (CJEU) concerning the laws governing the classification of software medical devices.

The AG’s opinion is not binding on the CJEU, but it provides useful guidance on the application of the EU medical devices Directive 93/42/EEC (the MDD) to software programs.  Importantly, it confirms the position set out in the Commission’s MEDDEV 2.1/6 guidance that software which merely stores and archives data is not a medical device; the software must perform an action on data (i.e., it must interpret and/or change the data).

EU national courts use the preliminary ruling procedure if they are in doubt about the interpretation or validity of an EU law. In such cases, they may ask the CJEU for advice. The Advocate Generals provide the CJEU with public and impartial opinions to assist the Court in its decision making. The Advocate Generals’ opinions are advisory and non-binding, but they are nonetheless influential.  In the majority of cases the CJEU follows the Advocate General.


Philips France (Philips) manufactures and places on the EU market a software program called Intellispace Critical Care and Anesthesia (ICCA), which is used by physicians to provide information necessary for the proper administration of medicines for the purposes of resuscitation and anaesthesia.  The software highlights possible contraindications, interactions with other medicines and excessive dosing.  Philips classified the ICCA as a medical device under the MDD and the product bears a CE mark confirming that the software complies with the applicable requirements of the MDD.

Under French law, software programs intended to support medical prescriptions are subject to national certification requirements.  The French Government’s position is that the ICCA must comply with this national certification requirement. Further, it does not consider the ICCA to be a medical device within the meaning of Article 1(2)(a) of the MDD because the function of assisting with prescriptions does not fall under any of the defined purposes within the definition of a medical device.

Philips claimed that the national certification requirement should not apply as it amounted to a restriction on import, contrary to EU law, and that the French Government was in breach of Article 4(1) of the MDD, which provides that Member States must not restrict the placing on the market or the putting into service of medical devices bearing the CE mark within their territory.

The French Conseil d’État referred to the CJEU a request for a preliminary ruling on the question of whether software equivalent to the ICCA satisfies the definition of a medical device under the MDD.

AG Opinion

The AG opinion suggests that Philips had correctly classified the ICCA as a medical device.  It highlights that since the ICCA bears a CE mark and is freely marketed in 17 EU Member States, it benefits from a presumption of conformity with the MDD.  It was a matter for the French Government to rebut this presumption, and it had failed to do so.

In reaching his conclusion, the AG highlighted a number of points, including:

  • In order to qualify as a medical device, software must have a function beyond collection and archiving of data (i.e., it must have more than a purely administrative function). Rather, it must modify or interpret the data.  The ICCA software includes an engine that allows healthcare professionals to calculate the prescription of medications and the duration of treatments.  In light of such functions, the AG considers it difficult to maintain that the ICCA does not have a diagnostic or therapeutic purpose within the scope of the definition of a medical device. The ICCA is not a software program that is limited to administrative functions, but rather software that helps determine the proper prescription for the patient.  It is therefore a medical device as it has the aim of “preventing, controlling, treating or alleviating a disease”.
  • The fact that the ICCA does not act by itself in or on the human body does not preclude it from classification as a medical device. Contributing to the principal action of correcting the human body through the taking of medicinal products is sufficient.

The above conclusion endorses the position set out in the Commission MEDDEV 2.1/6 guidance on qualification and classification of standalone software, which states:

…if the software does not perform an action on data, or performs an action limited to storage, archival, communication, ‘simple search’ or lossless compression (i.e. using a compression procedure that allows the exact reconstruction of the original data) it is not a medical device.

FDA Initiates Software Precertification Pilot Program

On Friday, July 28, FDA announced a new Software Pre-certification (Pre-Cert) Pilot Program in a Federal Register notice.  The Pre-Cert program is one of three main action items discussed in the agency’s recently-released Digital Health Innovation Action Plan.  CDRH also held a webinar on August 1 to provide an overview of the program and answer stakeholder questions.

In an accompanying FDA Voice blog post, Commissioner Gottlieb acknowledged that “FDA’s traditional approach to medical devices is not well suited” to digital health products.  The agency is looking to develop a new regulatory framework that “accommodates the distinctive nature of digital health technology, its clinical promise, the unique user interface, and industry’s compressed commercial cycle of new product introductions.”

The Pre-Cert pilot program is the agency’s first step in developing the Pre-Cert program that the agency initially announced last month.  The Pre-Cert program will replace the agency’s current product-by-product premarket review process with a process to pre-certify software developers who demonstrate sufficient quality performance.  Pre-certified developers would be able to market their software devices with no, or streamlined, premarket review.  The program is intended to allow manufactures of software devices to get to market faster and have greater flexibility to iterate product design based on real world experience.

To move the Pre-Cert program from concept to implementation, the agency is initiating a pilot program.  The goal of the pilot is to leverage input from the participating companies to help the agency establish the appropriate criteria for pre-certification and appropriate review process for pre-certified companies.  Thus, participating companies will have a remarkable opportunity to shape the program and the agency’s regulatory approach to digital health products.

The Pre-Cert program’s developer-based approach represents a significant shift from the agency’s longstanding, fundamental approach to regulating medical products on a product or category basis regardless of the manufacturer.  We expect that there will be significant interest in the pilot, although FDA will only select nine companies to participate.  FDA also strongly encourages companies who do not participate in the pilot to submit feedback through the public docket.

Continue Reading

FDA Releases Details and Timelines in Its Digital Health Innovation Action Plan

On July 27, FDA published its Digital Health Innovation Action Plan. The plan provides details and timelines for the agency’s Digital Health Innovation Plan, announced by FDA Commissioner Scott Gottlieb last month.

The action plan describes the agency’s “next steps” over the coming year to “encourage digital health innovation by redesigning [FDA’s] policies and processes and modernizing [the agency’s] tools so that they match the needs of digital health technology, and provid[e] clarity on those policies and processes so that manufacturers and developers know what they need to do.” The action plan includes three action items: (1) issuing new guidance regarding the regulation of digital health, (2) developing new regulatory approaches to oversight of digital health, and (3) building expertise on digital health within the agency.

Issuing New Guidance

The Digital Health Innovation Action Plan presents FDA’s intent to issue new guidance implementing the 21st Century Cures Act and to expand on the agency’s prior guidance regarding digital health. FDA plans to issue the following guidance documents:

  1. 21st Century Cures Act Implementation: FDA intends to issue new draft guidance that would explain the effect of the software provisions of the 21st Century Cures Act on existing FDA policy. The new draft guidance would interpret how Cures affects:
  • Mobile Medical Applications. The new guidance would update FDA’s February 2015, final guidance on Mobile Medical Applications.
  • Medical Device Data Systems (MDDS), Medical Image Storage Devices, and Medical Image Communications Devices. The new guidance is expected to harmonize FDA’s February 2015 final guidance, announcing an enforcement discretion policy for these devices, and section 3060 of the 21st Century Cures Act, exempting many of the same software products from the definition of a device. Hopefully, the new guidance will address discrepancies between existing guidance and the 21st Century Cures Act (the new statutory provisions, of course, now govern). For example, the existing guidance states that FDA exercises enforcement discretion for MDDS that are not intended to be used in connection with active patient monitoring, whereas the statutory provision includes no similar explicit limitation.
  • Low-Risk General Wellness Products. Under FDA’s July 2016, final guidance, General Wellness: Policy for Low Risk Devices, FDA exercises enforcement discretion for general wellness products (both software and non-software products). The 21st Century Cures Act exempts from the definition of a device software functions intended to maintain or encourage a healthy lifestyle that are unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition. The new guidance is expected to address whether FDA will read the 21st Century Cures Act provision to be broader or narrower than the scope of FDA’s enforcement discretion for general wellness devices.
  • Laboratory Workflow. The 21st Century Cures Act exempted from the definition of a device a software function intended for administrative support of a health care facility, including laboratory workflow, which the new guidance will address.
  1. Clinical Decision Support Software: The 21st Century Cures Act exempted from the definition of a device, software functions intended to support or provide recommendations to a healthcare professional, so long as the software enables the healthcare professional to independent review the recommendation and the software is not intended to “acquire, process, or analyze a medical image or a signal from an intro diagnostic device or a pattern or signal from a signal acquisition system.” FDA has not addressed such clinical decision support software in prior guidance, and the meaning of many key terms in this provision will benefit from FDA guidance, including what it means for a health care professional to “independently review” the basis for clinical decision support recommendations. FDA intends to issue a much-needed new draft guidance for public comment during Q1 2018 describing the scope of this provision.
  2. Multifunctionality: FDA intends to issue draft guidance by Q1 2018 on how FDA will address products with multiple software functions (a pivotal statutory term in section 3060 of the 21st Century Cures Act). The 21st Century Cures Act exempted from the device definition specific health software functions, but FDA still may assess the “impact” of a non-device function(s) on a regulated device function(s). Many digital health solutions, of course, will include a function(s) that meets the device definition and a function(s) that does not meet the device definition. The new FDA guidance presumably will address not only how FDA will undertake the “impact” assessment of a non-device function(s) on a regulated device function(s), but also provide additional insights on how developers should subdivide digital health solutions into specific “functions” for the purpose of charting a regulatory path forward on particular functions.
  3. Deciding When to Submit a 510(k) for a Software Change to an Existing Device: In August 2016, FDA released a draft guidance intended to help manufacturers determine whether a modification requires premarket submission and clearance of a new 510(k). FDA intends to issue the final guidance before the end of 2017.
  4. International Medical Device Regulators Forum approach to clinically evaluating software as a medical device (SaMD): In October 2016, FDA issued as draft guidance the IMDRF proposed document on the clinical evaluation of SaMD. FDA intends to issue final guidance once the IMDRF votes on the final document in September 2017.

Reimagining Digital Health Oversight

FDA intends to develop a precertification (“Pre-Cert”) program, under which CDRH could pre-certify “eligible digital health developers who demonstrate a culture of quality and organizational excellence based on objective criteria.” Pre-certified developers could qualify to be able to market their lower-risk devices without additional FDA review or with a more streamlined premarket review.

As an initial step, the agency is launching a Pre-Cert Pilot Program for nine participating companies to help the agency assess the appropriate criteria and structure for the Pre-Cert Program.

For more details on the Pre-Cert Program and pilot program, see our blog post.

Building Agency Expertise

FDA plans to grow the agency’s digital health expertise by hiring new staff for the Digital Health Program within CDRH. FDA will launch an Entrepreneurs in Residence program this fall to allow the agency to obtain input from those with experience in software development.


Europe Consults on Digital Health

Digital health solution providers, and users of digital health services, should take note of three recently launched EU public consultations in the digital health space, and may wish to make submissions to help shape the future of digital health initiatives in the EU.  The earliest deadline for submissions is 16 August 2017.

EU Commission Transformation of Health Care in the Digital Single Market Consultation

On 20 July 2017, the European Commission launched a consultation on the “Transformation of Health and Care in the Digital Single Market”.  This Consultation covers three broad areas:

  • Cross-border access to and management of personal health data.
  • A joint-European exploitation of resources (including digital infrastructure), to advance health research, disease prevention, treatment and personalised medicine.
  • Promoting the uptake of digital innovation to support citizen feedback and interaction between patients and health care providers.

Submissions to the Consultation close on 12 October 2017.

Consultation results will feed into a European Commission policy document known as a “Communication”, which is expected to be announced by the end of the year.

EU Commission Communication on Digital Transformation of health and care in the context of the Digital Single Market Roadmap

On 19 July 2017, the European Commission published a roadmap outlining the European Commission’s intentions for Communication.  The roadmap aims to:

  • Enable citizens’ secure access to electronic health records and e-prescriptions and the possibility to share them across borders when traveling, working or living in another Member State.
  • Advance research, disease prevention and personalised health and care in key areas by enabling access to data sets and medical expertise across borders.
  • Promote widespread uptake of digital tools to facilitate patient feedback and better interaction/cooperation between citizens and healthcare providers, leading to better health care services and empowered citizens.

From the roadmap, it does not look like any legislation is anticipated (e.g. there is no reference to an “e-health Directive” that would provide for a pan-EU basis for secondary use of patient data).  The roadmap is also silent on the European Commission’s wider free flow of data legislative intentions.  The Commission is accepting feedback on the roadmap until 16 August 2017.

EU Presidency Digital Health Society Consultation

Finally, we note that the Estonian Presidency of the Council of the European Union has also launched a brief Digital Health Society consultation.  This consultation includes questions relating to whether citizens are sufficiently informed of the benefits of the sharing of data for health care services or research, ensuring there is adequate precaution to guarantee the privacy, confidentiality, and security of data, and interoperability challenges.  This consultation is open until 30 August 2017.

Getting involved

Interested parties, including digital health solution providers, operators and users of digital health tools, public authorities, hospitals, insurers and researchers and research institutions should consider making submissions to these consultations help shape digital health policy in the EU on wide-ranging matters including data privacy, medical device and healthcare regulation, and consumer rights.

For further information please contact:

Daniel Pavin

Grant Castle

Brian Kelly

Sarah Cowlishaw

Joshua Gray

ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30,  2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system.  On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’. Continue Reading

European Cloud in Health Advisory Council Calls For Review of eHealth Rules and Ethics of Medical Data Re-Use

On May 11, 2017, the European Cloud in Health Advisory Council (ECHAC) – a group of healthcare organizations, technology companies and patient representatives  –  launched its second whitepaper focused on use of data to improve health outcomes and delivery of care.

ECHAC launched the whitepaper at an eHealth Week 2017 session attended by ECHAC participants and members of the European Parliament, European Commission and several national health ministries.

The whitepaper identifies the advances that technologies like cloud computing and artificial intelligence are driving in areas such as telemedicine, clinical decision support software, carer productivity, health service optimization and research.  The paper also highlights regulatory and policy “blockers” to the roll out of technology in the healthcare sector — including national rules that unduly restrict (or are perceived to restrict) processing or storage of patient data in the cloud.

The paper recommends that as EU Member States take measures to implement the new EU General Data Protection Regulation (“GDPR”), they consider whether there is an opportunity to update national laws that unnecessarily restrict cloud usage in the health sector, such as localization requirements for patient data and burdensome national certification regimes that do not map to international standards.  The paper also points, as a best practice, to those national health services that are pioneering a “cloud first” IT strategy (Ireland being a leading example).

The whitepaper also considers appropriate regulatory frameworks for “secondary” re-use of patient data (i.e. use of data to improve health, care and services through research and planning).  The whitepaper concludes that unlike use of data for primary purposes, where there is a broad consensus on the need for expanded data use, more dialogue is needed on the appropriate parameters for secondary uses.

Acknowledging the tremendous opportunities of health data re-use, but also the sensitivities, the whitepaper set out a “maturity model” that it proposes be used to begin a dialogue around the controls that should be in place for secondary re-use of patient data – for instance different opt-in/opt-out models.  The whitepaper also backed calls for research into schemes that could encourage consensual, altruistic “data donation.”

Bipartisan Bill To Test Telehealth Services for Medicare Beneficiaries

Last week, Senators Cory Gardner (R-CO) and Gary Peters (D-MI) introduced new legislation to test expanded Medicare coverage of telehealth services.  The Telehealth Innovation and Improvement Act requires the Department of Health and Human Services (HHS) to allow selected, eligible hospitals to offer telehealth services in cooperation with the Center for Medicare and Medicaid Innovation (CMMI), which develops and tests new service delivery models for cost, effectiveness, and improvement in quality of care.  Models that are successful under the CMMI’s criteria could be expanded and covered by the Medicare program.

The stated goal of the Senators introducing the Telehealth Innovation and Improvement Act is to improve access to healthcare for rural Medicare beneficiaries, who sometimes live far away from hospitals and medical centers.  The bill’s sponsors also believe the proposed legislation will lower health care costs and reduce emergency room visits, hospitalizations and readmissions.

Senators Gardner and Peters previously introduced similar telehealth legislation in 2015.  That bill was referred to the Senate Finance Committee, but it was never given a hearing or voted on.

Vote on HHS Secretary Nomination Expected as Early as this Week; Nomination Hearings Included Little Discussion of Health IT

The full Senate could vote as early as this week on the nomination of Rep. Tom Price (R-GA) to be Secretary of the U.S. Department of Health and Human Services (HHS). In January, two Senate Committees held hearings on Rep. Price’s nomination. These hearings focused largely on Rep. Price’s stance on repeal of the Affordable Care Act (ACA) and on reform of the Medicare and Medicaid programs. Senators asked few questions related to health information technology, and the limited discussion on this topic centered primarily on the burdens placed on providers by HHS initiatives to promote the “meaningful use” of electronic health records (EHRs). Continue Reading

Twenty-First Century Cures Act Includes HIPAA Provisions

On December 13, 2016, President Obama signed the 21st Century Cures Act (“Cures Act”), Pub. L. 114-255, which aims to expand medical research and expedite the approvals of drug therapies for patients.  The Cures Act also contains several provisions related to the HIPAA Privacy and Security Rules.  None of these provisions make substantive changes to the HIPAA regulations at this time; in several instances, they direct the Secretary of Health and Human Services (“HHS”) to study whether the HIPAA regulations should be revised or clarified to remove any potential barriers to optimal patient care and communication or to the availability of patient information for medical research.

Continue Reading

Incoming HHS Secretary Tom Price Brings Physician-Focused Perspective to Health IT

Tom Price, the Republican representative from Georgia, has been tapped by President-elect Trump as the new Secretary for the Department of Health and Human Services (HHS). Rep. Price is himself an orthopedic surgeon and comes from a family of doctors and, as a result, is focused closely on the ways in which government regulations burden the doctor-patient relationship. At an American Enterprise Institute event this past June, Rep. Price criticized the Affordable Care Act for allowing the government, rather than doctors and patients, to control the manner in which healthcare is offered.
Continue Reading