The FDA, along with the FCC and ONC has finally released the report to Congress required by the FDA Safety and Innovation Act (FDASIA) of 2012. This FDASIA report, called "Proposed Strategy and Recommendations for a Risk-Based Framework," reiterates previously articulated FDA positions on regulatory discretion and avoiding regulatory redundancy between the FDA, ONC, and FDA. It's based on the work done by the FDASIA work group that began meeting nearly a year ago. According to the FDASIA legislation, the agencies were required to submit the report 18 months after the law's passage -- or about five months ago.
"We are proposing a limited, narrowly tailored approach that relies primarily on ONC-coordinated activities and private sector capabilities and practices to ensure safe, high quality health IT," Jeffrey Shuren, the FDA's Director of the Center for Devices and Radiological Health said in a press call. "We do not believe that new, extensive regulation should be or needs to be the first approach used to reach these outcomes. Government oversight can and should protect the public, as well as promote innovation. That is smart regulation."
Specifically, the report breaks medical software down into three buckets: health administration software, health management software (which includes clinical decision support), and medical device software directly involved in the diagnosis or treatment of patients. The FDASIA report says that the first area does not fall under the FDA's jurisdiction and the second area technically does fall under the FDA's jurisdiction but the agency will choose not to regulate those devices, instead leaving oversight of them up to the ONC and the private sector. The FDA will focus only on the third category. If a device straddles the two categories -- like an EHR with built-in radiological image viewing -- the FDA will regulate the medical device components without needing to evaluate the complete system.
Additionally, the report contains plans to create the Health IT Safety Center, an additional entity that will help create standards and evaluate efficacy of new technologies.
"Working closely with our colleagues on this call, AHRQ, other agencies and stakeholders from across the world of healthcare, we recommend the creation of a Health IT Safety Center, which would be a public-private partnership with broad stakeholder engagement," Jodi Daniel, the ONC Director of Policy Planning said on the call. "The Safety Center was proposed in the president's 2015 budget and we expect that it will help improve the body of evidence available on health IT safety, identify best practices for improving patient safety, and provide a forum for the exchange of ideas and information focused on health IT safety."
If this recent report's chosen breakdown of categories sounds familiar, it's because two pending pieces of legislation -- the PROTECT Act in the Senate and the SOFTWARE Act in the House of Representatives -- recommend a similar breakdown. One difference is that these legislative efforts aim to strip the FDA of control over the second category entirely. The other is a difference in how the categories are defined.
"The draft federal legislation removes from FDA oversight some very high risk clinical decision support software such as an app that a consumer might use to self diagnose melanoma," Bradley Merrill Thompson, an FDA medical device regulation expert and lawyer with EpsteinBecker, told MobiHealthNews in an email. "The FDA approach, on the other hand, is much more nuanced where they are proposing to develop a detailed guidance document that would give much more refined explanations for which CDS the agency regulates and which they do not. ... The current draft of the federal legislation is very sweeping in its regulatory scope, whereas the FDA plans to use a scalpel to carefully define what gets regulated."
The FDASIA-mandated report, emphasizes upfront that the FDA would not extend its regulation, in an effort that seemed to be designed, at least in part, to deter legislators. However, in a statement released this morning, Senators Angus King (I-Maine) and Deb Fischer (R- Nebraska), sponsors of the PROTECT Act, made it clear that they feel the report is too little too late.
“I’m glad to see that the FDA’s report, though four months late, agrees with the need for a more risk-based structure as outlined in the PROTECT Act,” said Fischer in a statement. “However, instead of providing a concrete framework that supports innovation and safety, the report’s approach maintains the status quo under which the FDA retains unlimited discretion over regulation of low-risk health IT. As technologies converge, regulatory overlap is becoming more pronounced. That’s exactly why Congress must act and codify an appropriate, risk-based framework that provides certainty for health IT.”
Though Thompson asserts that scope is the primary difference between the FDASIA report and the legislative alternatives, King chose to emphasize the control issue in his statement.
"Given the important role health IT is going to play in the future of health care, I’m pleased the FDA has finally presented us with a risk-based regulatory framework for oversight that is similar to the PROTECT Act in many respects,” he said. “I am, however, disappointed that the report’s recommendations preserve the FDA’s authority to change these rules as they see fit, which only further underscores the need for legislative action that will help reassure entrepreneurs in the health IT sector.”
For all of the public squabbling, Thompson thinks the report shows more agreement than disagreement about what's needed in mobile health regulation.
"I think it shows that people in industry, on Capitol Hill, and in the agencies are largely in agreement," he said in an email. "Indeed, it seems that all three sectors are saying about 90 percent the same things. The bottom line is that HHS, and the three agencies, are proposing a very light touch to overseeing innovation in health IT, and that has to be good news for all of the HIT developers producing wonderful, important, cutting-edge new technologies."
Just as September's "final" guidance wasn't the end of the road for FDA, neither is this the end of the FDASIA-mandated report. Next, the FDA will open up the document for a 90-day comment period, followed by public meetings May 13th and 15th. Shuren said he hopes public comments will help the industry flesh out the details of specific regulatory concerns from the industry.
Many will be happy to see more details in future iterations of the report. Thompson expressed to MobiHealthNews that the report was disappointingly lacking in regulatory specifics.
"It is, after all, a report to Congress so it probably is unreasonable to expect much detail," he said in an email. "But I know that many in industry have been waiting for years to find out more specifically the distinction between wellness and disease, exactly what constitutes medical device accessories, exactly what constitutes clinical decision support software that FDA would regulate, and parsing medical device software modules for regulation. The report explicitly mentions all of those areas and says that they will be the subject of further clarity, and outside of the report obviously the agenda for 2014 for FDA includes those items. But I would like to have seen more in the report about where the agency plans to go with regard to those items."