New legislation introduced this week in the US Senate would seek to place limits on the ability of the US Food and Drug Administration (FDA) to regulate clinical and health software, including mobile phone applications.
The legislation, the Preventing Regulatory Overreach to Enhance Care Technology (PROTECT) Act of 2014, is meant to close off a gap between what FDA actively regulates and what it could regulate.
To understand how FDA regulates medical devices, and in particular software, it's useful to take a metaphorical step back into the regulations and recent regulatory history.
Under the Federal Food, Drug and Cosmetic Act (FD&C Act), medical devices are defined as:
"Any instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is either intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease or intended to affects the structure of any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body."
Under FDA's reading of this provision, since mobile apps and software are intended to be used in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease, they should thus be regulated as medical devices.
But not all regulation is created or enforced equally. FDA has long held that it only intends to regulate the applications themselves, and not the devices on which they run or the third-party stores from which they are sold, such as Apple's iTunes store.
FDA has also long held that it intends to regulate only those applications which make specific disease or curative claims, and will leave all other basic health applications to the regulatory purview of the Federal Trade Commission (FTC), which issued guidance on the subject in September 2012.
These assurances, as explicitly laid out in its September 2013 final guidance document, Mobile Medical Applications, make clear that there are a class of devices FDA does intend to regulate (Page 26), and a class of all other (i.e. lower-risk) devices it intends to exercise it "enforcement discretion" over (Page 23). In other words, it could regulate those devices, but unless they pose a risk to patients, FDA generally won't regulate them.
But while that's placated some legislators, others have since introduced legislation intended to codify FDA's exempt categories of medical devices into law. For example, in October 2013, Rep. Marsha Blackburn (R-TN) introduced the Sensible Oversight for Technology which Advances Regulatory Efficiency (SOFTWARE) Act to explicitly ban FDA from regulating certain products under a new definition of "medical software."
Under the act, FDA would be banned from using its "enforcement discretion" on clinical or general health software, and would instead be granted authority only over an explicit set of software. The law would, in effect, take FDA's current final guidance and turn it into binding statute, thereby removing FDA's ability to alter it at a later point in time.
The Protect Act
Now a new piece of legislation is largely seeking to do the same thing. The PROTECT Act, sponsored by Sen. Deb Fischer (R-NE) and Angus King (I-ME)-two legislators not traditionally involved in FDA regulatory issues-seeks a "new risk-based framework for the oversight of clinical and health software that improves on the framework of the FDA."
Section 3 of the legislation would enact two new definitions, one for "clinical software" and the other for "health software." They are as follows:
Clinical software: "Clinical decision support software or other software (including any associated hardware and process dependencies) intended for human or animal use that
(A) captures, analyzes, changes, or presents patient or population clinical data or information and may recommend courses of clinical action, but does not directly change the structure or any function of the body of man or other animals; and
(B) is intended to be marketed for use only by a health care provider in a health care setting."
Health Software: "Software (including any associated hardware and process dependencies) that is not clinical software and
(A) that captures, analyzes, changes, or presents patient or population clinical data or information;
(B) that supports administrative or operational aspects of health care and is not used in the direct delivery of patient care; or
(C) whose primary purpose is to act as a platform for a secondary software, to run or act as a mechanism for connectivity, or to store data.
Both categories of software would be exempt from regulation under the FD&C Act. "The term 'device' does not include clinical software or health software," the legislation states.
While the definitions are extensive, they largely capture the exemptions listed by FDA in its 2013 Mobile Medical Applications guidance.
Subject to Regulation
Some software, however, would be subject to regulation.
FDA would be permitted to regulate any software:
(A) that is intended to interpret patient-specific device data and directly diagnose a patient or user without the intervention of a health care provider;
(B) that conducts analysis of radiological or imaging data in order to provide patient-specific diagnostic and treatment advice to a health care provider;
(C) whose primary purpose is integral to the function of a drug or device; or
(D) that is a component of a device.
The law, introduced in the Senate, is seen as a companion piece of legislation to the SOFTWARE Act, which has yet to pass a vote the House Energy and Commerce Committee's Subcommittee on Health.