On April 3, 2014, the FDA, in collaboration with the Federal Communications Commission (FCC) and the Office of the National Coordinator for Health Information Technology (ONC), released the “FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework.” The Report responds to section 618 of the Food and Drug Administration Safety and Innovation Act (FDASIA), which required the development of a report to Congress “that contains a proposed strategy and recommendations on an appropriate risk-based regulatory framework pertaining to health information technology (IT), including mobile medical applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.”[1] Thirteen public comments have been received on the Report, with all comments due by July 7.[2][3]

As described below, the Report outlines, in broad strokes, a framework that favors voluntary measures—led by the ONC and the private sector—over the development of new or expanded regulations for health IT. The broad overview provided by the Report raises more questions than answers: What is the definition of clinical decision support (CDS) that will be the subject of ONC versus FDA oversight? What type of safety surveillance will be required or recommended for health IT products? Does the ONC have the legal authority and resources to fulfill the broad scope of responsibilities outlined in the Report?

Ultimately, the Report provides a high-level roadmap, illustrating the major boundaries and landmarks, but the roads—and the rules of the road—remain largely undefined. The drafting of this specific, practical guidance is the critical next step for health IT stakeholders.

Key Takeaways

New or expanded regulations for health IT are not recommended at this time. The ONC and private sector would play leading roles in the proposed framework. The Report sets forth a “limited, narrowly tailored approach that primarily relies on ONC-coordinated activities and private sector capabilities.” The position of the national coordinator for health information technology was established by Executive Order in 2004 and legislatively mandated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The ONC is charged with performing duties “consistent with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information.”[4] These duties include standards review for the electronic exchange and use of health information, coordination of health IT policy and programs within the Department of Health and Human Services (HHS), and service as a leading member on the HIT Policy Committee and the HIT Standards Committee.

The Report’s proposed expansion of ONC’s role from “coordinator” to “regulator” is under challenge. On June 3, the US House Energy and Commerce Committee sent a letter to ONC, questioning the Office’s statutory basis for “pursuing these enhanced regulatory activities” and the extent to which ONC was seeking a “broader shift in focus from coordinating and promoting efforts related to interoperability, privacy and security, and quality reporting criteria, to the regulation of data collection, functionality requirements, and other areas….”[5] The Committee questioned ONC’s future role in establishing EHR certification requirements, the regulation of health IT safety, and the potential imposition of user fees to support ONC activities.

The Report recommends the establishment of a new public-private entity—the Health IT Safety Center. The Center’s purpose would be “to promote health IT as an integral part of patient safety with the ultimate goal of assisting in the creation of a sustainable, integrated health IT learning system that avoids regulatory duplication and leverages and complements existing and ongoing efforts.” The Center would focus on developing best practices, technology standards, and validation and assessment tools. In the $75 million FY 2015 budget for ONC, $5 million is earmarked for the creation of this Center and the “collection and analysis of health IT-related adverse events, which will facilitate benchmark data on the types and frequencies of events.”[6] These efforts will keep safety reporting at the forefront of the policy discussion, particularly since the Report does not propose the mandatory reporting for certain safety events that was embraced by the Institute of Medicine’s (IOM) report on health IT.[7]

The focus is on health IT “functionality,” not the specific platforms (e.g., mobile, cloud-based, installed) or the particular product names or descriptions used for the health IT. The Report identifies three categories of health IT functionality—administrative, health management, and medical device—and provides lists of examples for each of these categories. Notably, however, the Report does not propose definitions based on the common characteristics of each functionality. The articulation of clear definitions—that are not wholly dependent on examples that may become outdated—is essential for addressing the regulatory uncertainty that persists in this space. The Report also does not advise on how products that cut across multiple health IT functionalities (e.g., many EHR offerings) would be regulated. The proposed functionality categories are as follows:

(1) Administrative Health IT—The Report concludes that administrative functionalities pose limited or no risk to patient safety, and thus do not require additional oversight. Examples include billing and claims processing, practice and inventory management, scheduling, determination of health benefit eligibility, population health management, reporting of communicable diseases to public health agencies, and reporting on quality measures.

(2) Health Management Health IT—The Report concludes that health management functionalities generally pose low potential safety risks compared to their potential benefits, and therefore, this category should be addressed by taking a “holistic view of the health IT sociotechnical system.” ONC, not FDA, would have primary responsibility for this category, as discussed in more detail below. The health management category includes “most clinical decision support” (CDS) functionalities, health information and data exchange, data capture and encounter documentation, electronic access to clinical results, medication management, electronic communication and coordination, provider order entry, knowledge management, and patient identification and matching.

(3) Medical Device Health IT—The Report proposes that FDA would continue to focus its regulatory oversight on only health IT with medical device functionality. Examples include “higher risk” CDS, such as computer-aided detection software, remote display or notification of real-time alarms from bedside monitors, radiation treatment planning software, and robotic surgical planning and control software.

ONC, not FDA, would have primary responsibility for overseeing CDS functionalities. According to the Report, “most” CDS functionalities and products can be categorized as health management health IT, under the purview of ONC. For example, FDA does not intend to regulate CDS that generate “suggestions for possible diagnoses based on patient-specific information retrieved from a patient’s EHR.” The Report proposes that FDA would actively regulate only on the “small subset of CDS software that are medical device health IT functionality, present higher risks, and generally have been subject to active oversight by FDA.”

The Report provides examples of CDS without proposing definitions to determine, categorically, whether a particular product/functionality would fall under the oversight of ONC versus FDA. The Report also does not discuss what would be required of those CDS products that met the statutory definition of a medical device, but were not the focus of FDA’s regulatory oversight.

The Report proposes four general “priority areas” for health IT, with the private sector and non-government organizations playing pivotal roles in their development and implementation. These priority areas are intended to be tailored “using a risk-based approach” to the specific functionality at issue. The areas include the following: 

(1) “Promote the Use of Quality Management Principles”—The Report proposes the “judicious application” of quality management principles and processes to health IT. Rather than a formal regulatory approach to defining quality, the Report assigns this task, including the identification of the “essential elements of a health IT quality framework,” to a joint effort with health IT stakeholders.

(2) “Identify, Develop, and Adopt Standards and Best Practices”—The Report recommends the development of health IT standards and best practices, focusing on design and development (including usability), local implementation and customization issues, interoperability, quality management, and risk management. ONC has responsibility for advancing the development and implementation of health IT standards and best practices in conjunction with industry stakeholders.

(3) “Leverage Conformity Assessment Tools”—In lieu of a “formal regulatory approach,” the Report recommends that conformity assessment tools (e.g., product testing, certification and accreditation), should be applied in a risk-based manner “to distinguish high quality products, developers, vendors and organizations from those that fail to meet a specified level of quality, safety or performance.” The Report presents ONC’s certification efforts with EHR technology as a potential model for the certification of other types of health IT.

(4) “Create an Environment of Learning and Continual Improvement”—The Report does not recommend the mandatory reporting of adverse events. Instead, the Report states that health IT stakeholders “should report serious health IT-related safety events to a trusted source [e.g., Health IT Safety Center] that can aggregate and analyze information and disseminate findings.” The Report, however, does not discuss what would constitute a “serious health-IT related safety event” or the consequences for a failure to report such an event.

The prevention of regulatory duplication remains an important challenge, particularly in areas of overlapping jurisdiction, such as products that cut across multiple health IT functionality categories. FDA, ONC, and FCC intend to establish a tri-Agency Memorandum of Understanding (MOU) to govern their continuing exchange of information and coordination. The entities also plan to provide periodic joint reports to the ONC Health IT Policy Committee. The proposed expansion of ONC’s oversight in this space will shape the continuing negotiation of these entities’ regulatory roles.

The Report will not stem the tide of congressional scrutiny and legislative proposals directed at health IT regulation. As discussed above, members of Congress have challenged ONC’s statutory authority to expand its role in the regulation of health IT. Other congressional activity focuses on FDA oversight and the prevention of over-regulation in health IT.

The sponsors of Senate bill S. 2007, aptly named the “Preventing Regulatory Overreach To Enhance Care Technology Act of 2014” (PROTECT Act), have commented that the Report does not go far enough and that congressional codification of a risk-based framework remains necessary.[8] Introduced in early February of this year as a companion bill to the House’s SOFTWARE Act,[9] the PROTECT Act would amend section 201(h) of the Federal Food, Drug, and Cosmetic Act to revise the term “device” to exclude a wide array of clinical and health software from FDA’s authority. The act instead would vest authority in the National Institute of Standards and Technology (NIST), a standards-setting federal entity that does not have the investigative and enforcement authority of FDA. The act would upend the FDA’s final guidance on mobile medical apps, which was published in September 2013.

In March 2014, a bipartisan group of six senators penned a letter to FDA Commissioner Margaret Hamburg “to ensure that the regulatory oversight . . . over mobile medical applications remains current with changing technologies.” The senators called for “more transparency” by FDA and cited the continuing “confusion over how a wider range of medical software might be appropriately regulated.” The letter posed questions regarding FDA’s coordination with ONC and FCC, the potential impact of new legislation establishing categories of medical software, how FDA determines the types of medical software updates that require FDA review, and FDA’s approach to regulating apps that present novel functions.

Although the Report strikes a de-regulatory tone, regulatory uncertainty will persist until more specific guidelines and standards are established. The Report’s framework provides ONC, FDA, and FCC with potentially broad discretion to render case-by-case determinations in the regulation of health IT products. The Report fosters regulatory flexibility, but regulatory clarity remains a work in progress.


Marian Lee is a partner with King & Spalding.

[1] FDASIA called for the development of the report by January 2014.

[2] Proposed Risk-Based Regulatory Framework and Strategy for Health Information Technology Report; Notice to Public of Availability of the Report and Web Site Location; Request for Comments, 79 Fed. Reg. 19,100 (April 7, 2014).

[3] The public docket is FDA-2014-N-0339. A public workshop on the Report was held in May 2014. 

[4] 42 U.S.C. § 300jj-11(b).

[5] Letter from House Committee on Energy and Commerce to Dr. Karen DeSalvo, National Coordinator for Health Information Technology, Office of the National Coordinator (ONC), U.S. Department of Health and Human Services (June 3, 2014).

[6] U.S. Department of Health and Human Services, “Fiscal Year 2015: Budget in Brief.”

[7] Institute of Medicine Report, “Health IT and Patient Safety: Building Safer Systems for Better Care” (2011).

[8] Press Release, “Fischer, King React to Administration’s Draft Health IT Report” (April 3, 2014), at http://www.fischer.senate.gov/public/index.cfm/2014/4/fischer-king-react-to-administration-s-draft-health-it-report.

[9] On October 22, 2013, the Sensible Oversight for Technology which Advances Regulatory Efficiency Act of 2013, H.R. 3303 (“SOFTWARE Act”), was introduced in the House of Representatives.