FDA Issues Draft Guidance Eliminating Regulatory Controls on Medical Device Data Systems, Imaging Storage Devices, and Imaging Communications Devices

by Ropes & Gray LLP

On June 20, 2014, the United States Food and Drug Administration (FDA) issued a draft guidance document announcing that the agency does not intend to enforce the general regulatory controls applicable to medical device data systems (MDDSs), medical image storage devices, and medical image communication devices, due to the low risks posed by such devices and their importance in promoting digital health. This draft guidance effectively exempts these devices from compliance with any FDA regulatory requirements. FDA will accept comments on the draft guidance through August 25, 2014. 

This surprising about-face suggests continued evolution in FDA’s approach to regulating medical software.

FDA Regulations Classifying Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices

In the 1990s, FDA began in earnest to address the rapidly developing electronic data communications and storage technologies widely used in healthcare delivery. One key action was the issuance of guidance and later regulations addressing technologies used to store, transmit, copy, view, and process digital radiology images. After examining the range of devices used to handle such images, FDA established five classifications of radiology imaging devices. Two of these device types – medical image storage devices and medical image communications devices – were classified as Class I, 510(k)-exempt devices subject only to “general controls” such as establishment registration, device listing, postmarket reporting of adverse events, and the Quality System Regulation (QSR). In the final rule, FDA emphasized that general controls, “particularly the good manufacturing practices requirements” of the QSR, were sufficient to provide reasonable assurance of the safety and effectiveness of the two Class I, 510(k)-exempt device types.1

More than ten years later, FDA adopted a similar approach with respect to devices that had become ubiquitous in the hospital environment: software and associated hardware used to store and transmit electronic data obtained from other medical devices. Through a rulemaking process initiated in 2008 and completed in 2011, FDA defined an MDDS as a device used for the electronic transfer, storage, conversion, or display of medical device data. The carefully circumscribed definition excluded devices that control or alter functions or parameters of any connected medical devices or that are intended to be used in connection with active patient monitoring. Examples of MDDSs include devices that collect and store data from glucose meters for future use or that transfer laboratory results for future use at a nursing station. The 2011 final rule established a new Class I, 510(k)-exempt classification, but did not exempt this device type from general regulatory controls. Manufacturers of such devices were required to register with FDA as medical device manufacturers and list their commercially distributed devices, but were given more than a year, until April 1, 2012, to comply with the QSR and adverse event reporting requirements. As with radiology imaging devices, FDA emphasized the importance of QSR compliance in assuring the safety and effectiveness of these devices.2 FDA reaffirmed its view of the regulatory controls applicable to MDDSs as recently as September 25, 2013, in the Mobile Medical Apps guidance (MMA Guidance), which contained several examples describing the application of device regulations to MDDSs.

2014 Draft Guidance

In the recently released draft guidance, FDA states that, after gaining additional experience with MDDSs since the 2011 classification regulation, it has determined that these devices pose low risk to the public and that it is unnecessary to enforce compliance with regulatory controls for this type of device. Similarly, FDA states that it is unnecessary to enforce regulatory controls that apply to medical image storage devices and medical image communications devices. For all of these device types, the draft guidance would release manufacturers from the burdens of complying with general controls, including the QSR requirements FDA previously emphasized. Together with the existing regulatory exemptions of these devices from compliance with 510(k) premarket notification requirements, these devices would effectively be completely unregulated. 

The draft guidance also proposes to adopt conforming changes to the MMA Guidance, modifying certain examples of regulated mobile apps and stating explicitly that FDA will exercise enforcement discretion with regard to mobile apps that meet the definition of a MDDS.

Implications of the Draft Guidance

The draft guidance represents a significant change in policy just three years after FDA completed a multi-year rulemaking process for MDDSs. It appears to reflect an evolving FDA view of the agency’s role in regulating low-risk digital health software, and is consistent with other recent FDA pronouncements generally favoring industry self-regulatory standards, public-private partnerships, and other non-regulatory mechanisms for assuring the safety and effectiveness of such products. Ropes & Gray previously commented on this development in our Alert on FDA’s final guidance on Mobile Medical Apps. This general approach was also evident in the April 2014 Health IT Report issued jointly by the FDA, Federal Communications Commission, and the HHS Office of the National Coordinator for Health Information Technology. 

Manufacturers of MDDSs that already invested in processes to comply with general controls may perceive this FDA policy change as unfairly favoring competitors that had not made such investments. Nonetheless, manufacturers that have come into compliance with the QSR may conclude that such compliance, although no longer required, will continue to benefit them by ensuring traceability of design, helping identify necessary product corrections and improvements, and controlling bug fixes and other product changes.

Companies that design, produce, or distribute medical software should carefully review their products’ technological characteristics, labeling, and promotional materials to determine whether they fall within the device classifications affected by FDA’s draft guidance.

1 63 Fed. Reg. 23385, 23385 (Apr. 29, 1998).

2 76 Fed. Reg. 8637, 8639 (Feb. 15, 2011).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising

Written by:

Ropes & Gray LLP

Ropes & Gray LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.