FDA Alert

FDA Finalizes the FDASIA Health IT Report

April 15, 2014



On April 7, 2014, the Food and Drug Administration (FDA) released a report entitled “FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework” (the “Report”). The Report was mandated by section 618 of the Food and Drug Administration Safety and Innovation Act (FDASIA), which required the FDA to consult with the Office of the National Coordinator for Health Information Technology (ONC) and the Federal Communications Commission (FCC). These three agencies were tasked to work together to prepare a report containing “a proposed strategy and recommendations on an appropriate, risk-based regulatory framework pertaining to health IT [information technology], including mobile medical applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.” The Report emerged in substantial part from meetings of the FDASIA workgroup

The 32-page Report is open to public comment until July 7, 2014 via a public docket (FDA-2014-N-0339). Comments may be submitted through www.regulations.gov. The agencies seek public comments on whether the Report addresses the appropriate focus areas, and whether the proposed next steps are appropriate. The Report itself also poses questions for the public throughout, seeking input on specific recommendations. Additionally, on May 13-15 FDA will hold a public workshop to discuss the following topics raised in the Report: use of quality management principles, standards and best practices, conformity assessment tools, creating an environment of learning and continual improvement, and clinical decision support (CDS) software. 

As additional context, both British and European authorities have released policy documents on medical software regulation and mobile health regulation, respectively. 

Attached is the summary of the Report with a focus on provisions that affect two key areas: electronic health records (EHR) and CDS software.   

Summary of the Report 

• Division of Regulation by Functionality
• Framework for the Oversight of Health Management Health IT
• Clarity Regarding the Regulation of CDS
• Continued Agency Interactions 

Division by Functionality 

To guide any recommendations on regulation, the Report groups all health IT into three functionality-based groups: (1) administrative, (2) health management, and (3) medical device. 



Administrative

• Examples of Functionalities: Admissions, billing and claims processing, practice and inventory management, scheduling, general purpose communications, analysis of historical claims data to predict utilization or cost effectiveness, determination of health benefit eligibility, population health management, reporting of communicable diseases to public health agencies and reporting on quality measures pose limited or no risk to patient safety.
• Recommended Oversight: No additional oversight necessary.

Health Management

• Examples of Functionalities: Health information and data exchange, data capture and encounter documentation, electronic access to clinical results, some clinical decision support, medication management, electronic communication and coordination, provider order entry, knowledge management, and patient identification and matching.
• Recommended Oversight: Subject to the regulatory framework outlined in the Report. If product meets definition of device, FDA does not intend to focus its oversight on product.

Medical Device

• Examples of Functionalities: Computer-aided detection, remote display or notification of real-time alarms from bedside monitors, radiation treatment planning; robotic surgical planning and control; electrocardiography analytical software.
• Recommended Oversight: The focus of FDA oversight.

For the medical device group, the Report recommends that FDA provide greater clarity regarding several aspects of medical device regulation involving health IT, including (1) the distinction between wellness and disease-related claims, (2) medical device accessories, (3) medical device CDS software, (4) medical device software modules, and (5) mobile medical apps.   

Framework for the Oversight of Health Management Health IT 

To address the regulation of health management IT, the Report identifies four priority areas for a risk-based framework and outlines potential next steps that could be taken to realize the benefits of Health IT functionality. These priority areas can be tailored using a risk-based approach, have relevance at all stages of the product cycle and to all stakeholders, and support both innovation and patient safety. The four priority areas are— 

  1. Promote the use of quality management principles, including a quality systems approach;
  2. Identify, develop, and adopt standards and best practices, including interoperability, usability, quality management/systems, risk management, and local implementation, customization, and maintenance of health IT;
  3. Leverage conformity assessment tools, such as product testing, certification (including expansion of ONC’s certification procedures beyond EHR), and accreditation; and
  4. Create an environment of learning and continual improvement, including transparent reporting, aggregation, and analysis of safety issues.

In addition to these priority areas, the Report recommends the creation of a Health IT Safety Center, a public-private entity to be created in collaboration with FDA, FCC, the Agency for Healthcare Research & Quality (AHRQ), and other federal agencies and health IT stakeholders. The Center would serve as a “convener of health IT stakeholders . . . with the ultimate goal of assisting in the creation of a sustainable, integrated health IT learning system that avoids regulatory duplication and leverages and complements existing and ongoing efforts.” The Center would hold programs and activities that 

  1. establish a broad membership and leadership base,
  2. focus on high-value issues affecting innovation and protection of patient safety related to health IT,
  3. build upon the evidence-based foundation for health IT safety by analyzing relevant data,
  4. create or inform health IT safety priority goals and measures that align with broader patient safety goals and initiatives, and
  5. provide education on health IT safety, including best practices regarding risks, mitigation strategies, and other topics to improve the commitment and capabilities of participant organizations to improve their health IT safety efforts and evaluate the effects of that education.

The Report poses several questions to the public regarding this framework and its components, including questions about standards, quality management principles, stakeholder liability, the role of the government versus an independent entity, appropriate tools, and other issues.

Clarity Regarding the Regulation of CDS 

The Report recommended that some CDS be categorized as having health management functionality and therefore be regulated through the Report’s framework rather than by FDA as medical devices. The Report provided the following examples: 

Regulate CDS as Health Management IT

• Evidence-based clinician order sets tailored for a particular condition, disease, or clinician preference;
• Drug-drug interaction and drug-allergy contraindication alerts to avert adverse drug events;
• Most drug dosing calculations;
• Drug formulary guidelines;
• Reminders for preventative care (e.g., mammography, colonoscopy, etc.);
• Facilitation of access to treatment guidelines and other reference material that can provide information relevant to particular patients;
• Calculation of prediction rules and severity of illness assessments (e.g., APACHE score, AHRQ Pneumonia Severity Index, Charlson Index);
• Duplicate testing alerts;
• Suggestions for possible diagnoses based on patient-specific information retrieved from a patient’s EHR.

Regulate CDS as Medical Devices

• Computer aided detection/diagnostic software;
• Remote display or notification of real-time alarms (physiological, technical, advisory) from bedside monitors;
• Radiation treatment planning;
• Robotic surgical planning and control;
• Electrocardiography analytical software.

The Report seeks public input on this section as well, including on the types of CDS functionality that should be included in either group, the application of priority areas to CDS, additional safeguards for CDS, appropriateness of certification of CDS functionalities, and the role of the private sector versus government involvement.

Continued Agency Interactions 

The Report proposed a mechanism for the federal agencies to continue interacting and working together on health IT-related activities. The agencies committed to three specific actions to maintain such a mechanism:

(1) Establishing formal mechanisms, such as memorandums of understanding (MOUs) and an inter-agency committee, to continue to collaborate and interact;
(2) Coordinating with other federal agencies involved in health IT; and
(3) Providing ongoing opportunities for feedback, input, and dialogue among health IT stakeholders and the agencies.