On April 3, 2014, the Food and Drug Administration (“FDA”), in collaboration with the Office of the National Coordinator for Health Information Technology (“ONC”) and the Federal Communications Commission (“FCC”), released a congressionally mandated report recommending a new regulatory framework for health information technology (“health IT”). The report does not create new regulations or regulatory authority but does provide key structural recommendations that the agencies hope to implement regarding the future regulation of health IT. The report recommends a framework in which health IT would be grouped into three risk-based functional categories, with different levels of regulatory oversight corresponding to each category. This article describes the proposed categories and the degree of oversight recommended for each, and concludes with information about how to submit comments to FDA, ONC and FCC about the recommended new framework.

Background and Outline of the Report

In 2012, President Obama signed the FDA Safety and Innovation Act. Section 618 of that statute requires the FDA, ONC, and FCC to publish a report outlining a new strategy for regulating health IT. The FDA, ONC, and FCC have different regulatory responsibilities, but each plays a role in the regulation of health IT. The FDA is responsible for assuring the safety and effectiveness of medical devices. ONC is an office within the Department of Health and Human Services (“HHS”) tasked with adopting standards and certification criteria, administering certification programs for health IT, promoting electronic health information exchange, and coordinating health IT policies and programs of HHS with other federal agencies, among other roles. The FCC oversees the authorization of equipment using the radio frequency spectrum and is responsible for regulating the interference potential of equipment emitting radio frequency energy.

The new collaborative report, titled “FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework,” was published in response to the statutory mandate mentioned above. The report seeks to set out a framework to balance innovation with patient safety while avoiding regulatory duplication.

The report recognizes that health IT encompasses a vast array of technologies and services designed for use by multiple persons and entities within the healthcare industry. The most important regulatory concept in the report is a recommended framework in which health IT is categorized and regulated according to its functionality and the risk it poses to patients. The agencies recommend that health IT not be regulated according to the platform on which it exists or the product of which it may be a component. The recommended functional categories are: (1) administrative health IT functions, (2) health management IT functions and (3) medical device health IT functions.

Administrative Health IT Functions

This category is comprised of health IT (including but not limited to software) that performs billing and claims processing, practice and inventory management, scheduling, and similar administrative functions in the healthcare setting. It would also include technology that analyzes historical claims data to predict future utilization or cost-effectiveness, determination of benefit eligibility, population health management, quality reporting, and similar functions. The agencies conclude that such functionalities pose a limited risk to patient safety. For that reason, the report recommends no further government oversight or regulation with regard to this technology.

Health Management IT Functions

This category is comprised of health IT that enables health data exchange, data capture and documentation, access to clinical information and results, medication management, provider order entry, patient identification and other management functions in the healthcare setting. This IT is sometimes referred to as “clinical software.”

The agencies conclude that while such functionalities pose some generally low safety/security risks, their benefits far outweigh these risks. Furthermore, the agencies acknowledge that risks to patient safety/security associated with this technology are a property not only of the technology design but also of the larger system in which the technology is implemented, maintained, and used.

Accordingly, the report recommends that if technology within this category meets the definition of a “medical device” under the Federal Food, Drug, and Cosmetic Act, FDA does not intend to focus its regulatory oversight on this IT functionality. Instead, the agencies recommend that ONC create a public-private Health IT Safety Center that would convene health IT stakeholders to focus on a broader set of activities to promote health IT as an integral part of patient safety, including adoption and promotion of best practices, fostering interoperable products, and certification and accreditation.

Medical Device Health IT Functions

This category is comprised of medical device health IT, e.g., computer-aided detection software, remote display of alarms from bedside monitors, robotic surgical controls, and other health IT that performs as a medical device. The report finds that these products pose a greater risk to patient safety as compared to the other two categories discussed above. The report recommends that the FDA focus its resources on regulating this category of health IT, and provide greater clarity around the distinction between wellness and disease-related claims, medical device accessories, medical device clinical decision support software, medical device software modules, and mobile medical apps.

Moving Forward

While the report is not a formal notice of rulemaking inviting comments, by its terms it is a draft of the framework that FDA in particular will rely upon to regulate health IT going forward. Many questions are clearly left for further development and clarification, including how health IT that spans across the administrative, management, and/or medical device functions should be regulated, and whether and how health IT products and services can be pigeon-holed into the suggested categories.

The FDA, ONC, and FCC plan to schedule public meetings to gather feedback on the report and they will also make available a docket to enable the public to submit comments.
