Those who were hoping for a new regulatory framework for health information technology products were disappointed by an April 3 draft report released by the federal government. The report, developed by the Food and Drug Administration in coordination with the Office of the National Coordinator for Health IT and the Federal Communications Commission, unequivocally supports a risk-based regulatory framework for health IT products that is subject to FDA’s current regulatory framework.

"We are proposing for public comment a limited, narrowly tailored approach that relies primarily on ONC-coordinated activities and private sector capabilities and practices to ensure safe, high quality health IT," said Jeffrey Shuren, M.D., director of the FDA's Center for Devices and Radiological Health, at a media briefing on the draft report. "We do not believe that new, extensive regulations should be or needs to be the first approach used to reach these outcomes." 

Shuren emphasized that some health IT products can pose risks if they are not designed, developed, implemented, maintained and used properly. As Congress directed, he said the risk-based regulatory framework for health IT proposed by the agencies covers the full-range of IT products, dividing them into three categories--administrative health IT, health management heath IT, and medical device health IT--based on function and risk, focusing on what the product does, regardless of the platform on which it operates (i.e., mobile device, desktop, or cloud-based).

"The first category is administrative health IT--products that pose little or no risk to patient safety and do not need additional involvement from ONC or FCC or oversight by FDA," said Shuren. "These products include billing, claims, and scheduling software."

"The second category is health management heath IT, such as medical management software and most clinical decision support software," he said. "Efforts to ensure the safety of products in this category will be led by ONC and involves products that are sufficiently low risk such that even if some of the products may meet the statutory definition of a medical device, FDA does not intend to focus on them."

"The third category is medical device health IT, such as EKG software and computer-aided detection software used to identify possible tumors from radiological images," added Shuren. "These are the kind of medical device function FDA has traditionally regulated, in some cases for several decades, and would continue to regulate. Therefore, we're recommending that no new areas of FDA oversight are needed. Instead, the proposed strategy is focused primarily on health management heath IT, for which ONC would have primary responsibility."  

However, according to Senators Deb Fischer (R-Neb.) and Angus King (I-Maine), the report to Congress, mandated under the FDA Safety and Innovation Act, "assumes continued and undefined authority over regulation of low-risk health information technologies." In February, Fischer and King introduced the PROTECT Act bill in the Senate in a legislative effort to amend the Federal Food, Drug and Cosmetic Act and to ensure that clinical and health software would not be subject to regulation. 

“I’m glad to see that the FDA’s report, though four months late, agrees with the need for a more risk-based structure as outlined in the PROTECT Act,” said Fischer in a written statement. “However, instead of providing a concrete framework that supports innovation and safety, the report’s approach maintains the status quo under which the FDA retains unlimited discretion over regulation of low-risk health IT. As technologies converge, regulatory overlap is becoming more pronounced. That’s exactly why Congress must act and codify an appropriate, risk-based framework that provides certainty for health IT.”

The problem, Fischer argues, is that under current law the FDA can use the definition of a medical device to "assert broad regulatory authority over a wide array of low-risk health IT, including mobile wellness apps, scheduling software, and electronic health records." She said the PROTECT Act seeks to prioritize the FDA’s attention to technologies that pose the greatest health risk, while protecting low-risk health IT from unnecessary regulatory burdens. Among the organizations that support the PROTECT Act are athenahealth, Greenway Health, Health IT Now Coalition, IBM, McKesson, Netsmart Technologies, Software & Information Industry Association, and Verizon.

But, there are also a dozen or so health organizations that vehemently oppose the PROTECT Act. In a Feb. 14 letter to Senator Tom Harkin (D-Iowa), chairman of the Senate Committee on Health, Education, Labor and Pensions, the Patient, Consumer and Public Health Coalition said that its member groups were "extremely concerned" that this proposed legislation would deregulate a "broad swath of medical devices that rely on software" creating opportunities for "rampant 'gaming' to avoid regulation" for MRIs, CT scanners, and heart monitoring devices that would no longer be regulated by the FDA and would "put the health of millions of Americans at risk."

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access