The digital health ecosystem has swelled to encompass a broad range of products over the years.
On one end of the spectrum is software-as-medical-devices (SaMD) and prescription digital therapeutics, product categories for which a comprehensive regulatory strategy and engagement with the FDA are mandatory. On the other are wellness apps and other low-risk digital tools that likely spend more time worrying about oversight from the Federal Trade Commission than the health regulator.
However, a growing number of companies are finding themselves in a gray area of enforcement discretion, a term the FDA uses for lower-risk products that meet the definition of a medical device, but do not require regulatory submission, review and authorization before heading to market.
"Enforcement discretion doesn't mean no regulation," Ankur Kaushal, VP of regulatory affairs and quality at Big Health, said yesterday in DTx West virtual panel. "It doesn't mean that the FDA is no longer in your life. The FDA is very much there. Regulations are still very much present.
"FDA is choosing to enforce them in a very hands-off manner, and so, instead of getting clearances and approvals, you're able to move forward by internally building evidence that you are complying."
Still, securing a 510(k) for a new product can be costly and time consuming (especially for early startups), so there's clear appeal in the idea that a product can sidestep active regulation and enter the market.
The problem is that enforcement discretion on the whole can be ambiguous when dealing with novel products that the agency may not have foreseen when putting together its initial guidelines years ago, the panelists said.
While the FDA has made some progress in recent months by publishing action plans specific to new technologies like artificial intelligence and machine learning, issues like the COVID-19 public health emergency and new policies regarding modifications to current products have driven home the need for more guidance from the regulator.
"The principles of enforcement discretion have been outlined for some time, but I think there has been a need for increasing regulatory clarity over the past couple of years," Marisa Cruz, EVP of regulatory and clinical affairs at Everlywell, and formerly a senior medical advisor for digital health at FDA's Center for Devices and Radiological Health (CDRH), said during the panel.
"There's many more companies that have been touched by this distinction between active regulation and enforcement discretion, and I think the agency has tried to support that broader reach of enforcement discretion policies with more active articulation of what enforcement discretion really means. ... It's still evolving, and I think it's still spotty as to the consistency of how these policies are applied, and how companies are interpreting ways to distinguish products that are the focus of regulation from those that are under enforcement discretion."
Even if clear playbooks are in short supply, companies that fall above or below the line of enforcement discretion will still be responsible and must maintain the burden of proof for their products, Kaushal noted. Decision-makers are best served by solidifying their ideal digital product, he said, and then letting the regulatory team hammer out what's necessary before heading to market.
"Do not let regulatory strategy drive business strategy," he said. "It should be the other way around. You should go for the best intended use that you can, and then allow your regulatory team to devise a strategy that meets it, and not get too focused on maintaining this enforcement discretion status and then losing out on perhaps a better intended use."
Once it's time for the regulatory team to step up, adhering to those rough guidances will require a delicate balance of interpretation, diligence and good science, the panelists said.
"I come at it from a clinical operations and research design perspective," Acacia Parks, chief science officer at Happify Health, said. "There are certain ways you have to interpret and document 'We're doing this,' and it's just your best guess of what it's okay to do. And you have to live with that – which is very different in my experience from going to FDA about a product you're hoping to get cleared and getting specific guidance about what you need to do."
"I think that's 100% right, [with] the North Star being safety," Lucia Savage, chief privacy and regulatory officer at Omada Health (and formerly the chief privacy officer at ONC), added. "There's some fundamental philosophical approaches here, and one is don't cut corners that are going to potentially harm patients. Document why you're doing something that you're doing and how it's connected to good science. Those are going to be fundamentals no matter what kind of digital [you're doing].
"We have a digital service at Omada and we use other people's devices. We don't manufacture any devices ourselves and we're not subject to CDRH oversight. We don't want to go there as a business, and until we do, my job is to keep us out of that. But that doesn't mean that we can stop documenting what's clinically appropriate," she said.
Documentation and other regulatory best practices can become particularly tricky once multiple products become involved – and especially when those products fall within different risk categories, as Parks noted is the case for Happify Health. In these scenarios, she said that every department – regulatory, clinical operations, business and so on – needs to "place a stake in the ground" when it comes to defining and conducting the product and its procedures.
"That's a really big area of conversation for us, just making sure that ... when we do it in a wellness space versus when we do it in enforcement discretion, how is that clearly different, and can we define and document those differences and have different procedures" she said. "Product differentiation: iI's important for everybody, but particularly if you're doing them side by side."
Of course, not all startups have the benefit of an experienced regulatory guru or other digital health veterans who can intuit the FDA's enforcement discretion guidances. Early-stage companies that haven't yet internalized these concepts of documentation and transparency should take an "engage early and engage often" approach with the FDA, Cruz said. These conversations can help newcomers adopt appropriate practices early in the product's life cycle, regardless of whether or not they'll eventually require a regulatory submission.
"The sense that you got it wrong, that the agency didn't know about it, that there were no conversations, can sometimes poorly position a startup company, whereas I think proactive engagement ('This is my plan. Do you agree with the concept? We'll keep you apprised as things change.') can be a foundation for a more productive relationship," she said.