FDA, ONC Issue Long-Awaited Health IT Framework

Posted 03 April 2014 | By Alexander Gaffney, RAC

The US Food and Drug Administration (FDA) has released for consultation a new proposed framework on how to regulate health information technology (IT), including mobile medical device applications ("apps") according to risk.


Mobile medical applications can best be understood as programs run on a mobile device such as a smartphone or tablet that allow a user to access a medical technology wherever and whenever they wish. For example, a smartphone application that uses a phone's camera to determine if a skin growth is likely cancerous would be considered a mobile medical application, as would a huge array of other already-cleared applications.

Members of the medical device industry have long been wary of excessive or duplicative federal intervention in the mobile medical application space. Two issues seem to come to the forefront time and again:

Which agencies should regulate medical apps: the US Food and Drug Administration (FDA), the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), or just FDA?

Which aspects of a mobile medical application should be regulated? Are all healthcare applications technically medical devices requiring premarket approval or premarket notification? And what of the mobile device that runs the application?

Those questions were answered in part in 2014, with both FDA and FTC releasing guidance documents regarding various aspects of mobile medical applications. FDA, for its part, said that it plans to exercise "enforcement discretion" regarding mobile medical applications, only going after those that would clearly be a medical device, while leaving all others to FTC.

Legislative Efforts

But legislators have been insistent that government regulators from various agencies work together.

In 2012, the Food and Drug Administration Safety and Innovation Act (FDASIA) was passed into law, and with it a requirement that FDA, Office of the National Coordinator for Health Information Technology (ONC) and FCC all work together to develop a cohesive approach toward health IT.

Section 618 of FDASIA called for the group to specifically consider mobile medical applications, how to best promote innovation in health IT, patient safety and regulatory simplicity.

The overarching goal of the initiative was to simplify health IT regulations such that companies understand which agency's (FDA or FCC) requirements they will be expected to meet and how they can expect to meet them when they want to bring a new product to market.

FDA, FCC and ONC all said they were looking to consider three things:

  1. types of risk that may be posed by health IT that impact patient safety, the likelihood that these risks will be realized, and the impact of these considerations on a risk-based approach
  2. factors or approaches that could be included in a risk-based regulatory approach for health IT that also promote innovation and protect patient safety
  3. approaches to avoid duplicative or overlapping regulatory requirements

ONC Draft Report

Then, in September 2013, ONC's HIT Committee released a set of draft recommendations that were meant to guide the framework to be developed and finalized later by FDA, ONC and FCC.

The extensive report made three general observations:

  1. FDA can use its current regulatory framework to "clarify ambiguities" by establishing clear policies for how it would exempt lowest-risk HIT products and most Class I medical devices, exempting most HIT from good manufacturing practice regulations under 21 CFR 820, expediting guidance on mobile medical applications and other HIT, and educating the public on requirements.
  2. Agencies (FDA, FCC and ONC in particular) should do their best to work together to delineate authority and eliminate duplication. Review processes should, to the extent possible, be coordinated.
  3. New frameworks should be considered, particularly for adverse event reporting, data gathering and industry self-regulation. ONC said models like the National Highway Traffic Safety Administration and the Aviation Safety Reporting System might be useful for reporting adverse events to ensure more timely reporting and better safety and performance data.

In addition, the ONC report says that FDA needs to address four "main" issues now facing mobile health technologies:

  1. There is no clear distinction between general wellness and disease-related claims, particularly with respect to weight-related claims and obesity.
  2. Because many mobile devices come with accessories, FDA needs to define levels of risk for these accessories and determine which are worth regulating and which are worthy of enforcement discretion.
  3. Clinical decision support software needs to have a clear regulatory paradigm, as the agency "has never been clear on the contours of its regulation for this broad category of general health and medical software" despite many such devices being of low risk to patients.
  4. Some software is modular, and is intended to be used with other products. ONC said FDA needs to determine which modules are devices and which are simply general modules able to be incorporated into health-related software.

Further, the report called for FDA to regulate certain devices while avoiding regulation of others:

Potentially Should be Regulated:

  • EHRs (installed and SaaS)
  • Hospital information systems-of-systems
  • Decision support algorithms
  • Visualization tools for anatomic, tissue images, medical imaging and waveforms
  • Health information exchange software
  • Electronic/robotic patient care assistants
  • Templating software tools for digital image surgical planning

Most Likely Shouldn't be Regulated:

  • Claims processing software
  • Health benefit eligibility software
  • Practice management / Scheduling / Inventory management software
  • General purpose communication applications (e.g., email, paging) used by health professionals
  • Software using historical claims data to predict future utilization/cost of care
  • Cost effectiveness analytic software
  • Electronic guideline distribution software
  • Disease registries

Final FDA, ONC HIT Report

On 3 April 2014, FDA, FCC and ONC released their final FDASIA Health IT Report, Proposed Strategy and Recommendations for a Risk-Based Framework.

Immediately, the report says it focused its energies on three categories of health IT:

  1. administrative health IT functions
  2. health management health IT functions
  3. medical device health IT functions

The first, it notes, poses "limited or no risk to patient safety," and thus does not require additional oversight. The second, such as data capture or clinical decision-making software, represents a "generally low" level of risk compared to the benefits available. Accordingly, the report says health management software, even if it meets the definition of medical device, will not be subject to regulation.

That leaves the third category, medical device health IT functions, such as computer-aided detection software, real-time alarms from bedside monitors and robotic surgery planning tools, all of which are already subject to FDA oversight.

Work to be Done by FDA

The FDASIA report calls on FDA to "provide greater clarity related to several aspects of medical device regulation involving health IT," including:

  • the distinction between wellness and disease-related claims
  • medical device accessories
  • medical device clinical decision support software
  • medical device software modules
  • mobile medical apps

But the report concedes that there are ways for FDA to refine its regulation of medical device health IT products under a proposed risk-based framework. That framework, the report says, should be based on four "key priority areas":

  1. Promote the Use of Quality Management Principles
  2. Identify, Develop, and Adopt Standards and Best Practices
  3. Leverage Conformity Assessment Tools
  4. Create an Environment of Learning and Continual Improvement

These four areas are important in that they can be tailored according to risk, are relevant at all aspects of the product lifecycle, and support innovation and patient safety, the report explains.

Ultimately, the report provides few concrete suggestions, but rather establishes a framework for future work to be done by FDA, and establishes "next steps" for health IT regulation.

New Group to be Created: Health IT Safety Center (HITSC)

However, the report also calls for the creation of a Health IT Safety Center, which would be run by ONC as a public-private entity with input from FDA, FCC and the Agency for Healthcare Research and Quality (AHRQ). The center would be charged with promoting patient safety, as well as "assisting in the creation of a sustainable, integrated health IT learning system that avoids regulatory duplication and leverages and complements existing and ongoing efforts," FDA wrote.

Comments on the report are currently being accepted, although a due date was not provided.

FDASIA Health IT Report