On April 3, 2014, the Food and Drug Administration (“FDA”) proposed a risk-based approach to determining the level of oversight that should apply to health information technology (“HIT”). The FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework divides HIT into three functional categories that pose varying levels of safety risks and require proportionate levels of oversight. The Report proposes no new FDA regulations or oversight; instead, it clarifies the manner in which FDA proposes to exercise its existing authorities. For example, the Report states that FDA will continue to focus oversight on medical device functionality and “does not intend to focus oversight” on health management HIT functionality, if that functionality is contained within a product that meets the definition of a medical device. Finally, the Report suggests priority areas in which next steps could be taken to more fully realize the benefits of “health management” HIT functionality.
The Food and Drug Administration Safety and Innovation Act (“FDASIA”) required the FDA, in consultation with the Office of the National Coordinator for Health Information Technology (“ONC”) and the Federal Communications Commission (“FCC”) (“the Agencies”), to propose a “risk-based regulatory framework pertaining to [HIT], including mobile medical applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.” See Pub. L. No. 112-144, § 618.
The FDASIA Report identifies categories of HIT functions—rather than devices or platforms (i.e. mobile, cloud-based, installed)—based on their safety risks. Specifically, the Report identifies three HIT functional categories: (1) administrative (low risk), (2) health management functions (medium risk); and (3) medical device (higher risk). While the Report devotes minimal space to administrative and medical device functions, it proposes priority areas for next steps regarding health management functions.
These functions, such as billing and claims processing and inventory management, pose “limited or no risk to patient safety” and do not require additional oversight.
Medical Device Functions
In contrast, medical device functions, such as robotic surgical planning and control software, computer aided detection/diagnostic software, and certain clinical decision support software, pose greater risks to patient safety. The FDA currently focuses oversight efforts on these functions and will continue to do so.
The Report suggests greater clarity may be needed regarding four areas of medical device function regulation: (1) the distinction between wellness and disease-related medical device claims; (2) medical device accessories; (3) medical device clinic decision support (CDS) software; and (4) mobile medical apps. However, the Report provides detail only about the third area, and attempts to differentiate the CDS functions that the FDA will oversee from those falling under the less regulated health management category. The Report seems to anticipate future clarifications regarding areas (1), (2), and (4).
Health Management Functions:
Health management functions, such as health information exchange, most clinical decision support, and medication management, have safety risks that “are generally low compared to the potential benefits . . . .” The FDA “does not intend to focus oversight on” health management functionality, even if a product containing such functionality meets the definition of a medical device.
With respect to health management functions, the Report identifies priority areas for next steps and also proposes the creation of a new Health IT Safety Center. The four health management priority areas are:
I. Promoting the use of quality management principles;
II. Identifying, developing, and adopting standards and best practices;
III. Leveraging conformity assessment tools; and
IV. Creating an environment of learning and continual improvement.
Within each of these areas, the Agencies recommend a “limited, narrowly tailored,” “risk-based” approach that “primarily relies on ONC-coordinated activities and private sector capabilities.” In this area, ONC generally will encourage voluntary, private sector efforts.
Among the specific next steps identified are: that entities be identified to develop tests to validate interoperability and transparently test product conformance with standards, and that privately administered conformity assessment tools, such as certification, accreditation, and product testing, “should be used and applied in a risk-based manner to distinguish” high and low quality products and vendors.
The Agencies also propose that ONC create a public-private Health IT Safety Center to “focus on promot[ing] health IT as an integral part of patient safety” and to assist in creating “a sustainable, integrated health IT learning system that avoids regulatory duplication and leverages and complements existing and ongoing efforts.”
The FDA is accepting public comments until July 7, 2014, on numerous aspects of the Report, including whether the identified focus areas and proposed next steps are the appropriate ones, and the Agency will hold a public workshop focused on the risk-based framework on May 13 through May 15, 2014.