Exchange of information in an electronic environment (health IT) has provided and continues to provide opportunities to improve the quality, safety, cost and efficiency of health care and encourage patient involvement. Health IT covers an array of products, technologies and services, including EHRs and medical devices. If not designed, developed, implemented, maintained, or used properly, health IT can pose risks to patients. Given these potential risks, how closely should health IT be regulated?
Recently, the FDA, in consultation with the Office of the National Coordinator for Health Information Technology (“ONC”) and the Federal Communications Commission (“FCC”) (referred to as “the Agencies”), released a non-binding report containing a proposed risk-based regulatory framework for regulating health IT, including medical mobile applications. This report was drafted in response to mandates from the Food and Drug Administration Safety and Innovation Act of 2012 (“FDASIA”) and with input from both regulators and external stakeholders. Some believe the report is overall unremarkable, largely reiterating previous agency statements and not providing clear guidance.
The FDASIA report can be downloaded here.
The FDASIA report outlines a risk based approach, focusing on three categories of health IT subject to regulatory oversight: 1) administrative health IT functions, 2) health management health IT functions, and 3) medical device health IT functions. Using this risk based approach, the Agencies determined that:
administrative health IT functionalities, such as billing and claims processing, practice and inventory management, and scheduling, pose limited or no risk to patient safety, and therefore warrant no additional oversight.
health management health IT functionalities, such as health information and data exchange, data capture and encounter documentation, electronic access to clinical results, most clinical decision support, medication management, electronic communication and coordination, provider order entry, knowledge management, and patient identification and matching, in general pose low patient safety risks. Consequently, if a product with health management health IT functionality meets the definition of a medical device, the FDA does not intend to focus its oversight on it.
medical device health IT functionality, such as computer aided detection software, remote display or notification of real-time alarms from bedside monitors, and robotic surgical planning and control, generally poses greater risks to patient safety, and thus will continue to be the focus of FDA’s oversight.
The Agencies identified the following four key priority areas and outlined potential next steps that can be taken to help more fully realize the benefits of health IT:
I. Promote the Use of Quality Management Principles;
II. Identify, Develop, and Adopt Standards and Best Practices;
III. Leverage Conformity Assessment Tools; and
IV. Create an Environment of Learning and Continual Improvement.
In addition, they recommended the creation of a Health IT Safety Center – a public-private entity which would convene stakeholders, including federal agencies, in order to focus on activities that “promote health IT as an integral part of patient safety with the ultimate goal of assisting in the creation of a sustainable, integrated health IT learning system that avoids regulatory duplication and leverages and complements existing and ongoing efforts.”
The FDA, ONC, and FCC are seeking public comment on whether the focus areas identified in the report are the appropriate ones, and whether the proposed next steps will produce the intended results. The report is worth reading and worthy of stakeholder comment. Once the report is finalized the FDA is expected to issue more substantive guidance.