The following blog article is drawn from the upcoming book
Cloud Computing Deskbook, which is set to be
released by Thomson Reuters West next summer. Cloud
Computing Deskbook covers the legal and regulatory aspects
of cloud computing, including those related to regulation by the U.S.
Food and Drug Administration. Please contact the author with any
questions related to FDA regulation of cloud computing and software

Cloud computing involves the delivery of computing as a service
rather than a product. In a cloud computing solution, shared
resources, software, and information are provided much like a
utility, over a network to computers and other devices. Cloud
computing has been embraced by the medical industry, and is used as
a vital technology in electronic medical record systems and
telemedicine solutions, among other products.

The U.S. Food and Drug Administration ("FDA"), which
regulates the vast majority of medical products sold in the U.S.,
generally applies its existing regulatory scheme when facing new
technologies like cloud computing. This is typified by FDA's
approach to nanotechnology that was developed in the last

Cloud computing presents several challenges to FDA's
application of its existing regulatory scheme. For one, FDA, as a
regulatory agency, has responsibility over medical products shipped
in interstate commerce (specifically drugs, medical devices, and
biologics), but lacks authority over the services provided by
healthcare practitioners (i.e. "the practice of
medicine"). Cloud computing involves the delivery of computing
as a service rather than as a product, which complicates the
analysis of how a cloud computing solution would be regulated by

The second challenge for FDA is the increased complexity of
cloud computing software solutions. Medical device software has
traditionally been very conservative in that it is generally
installed on only one platform, with the hardware and operating
system parameters "locked down" to limit compatibility
issues. Further, communication is generally limited to interactions
between a device and the computer system. In a cloud computing
system, one or more cloud client software programs communicate with
the cloud server software, and all of these software programs may
be deployed on various hardware and operating systems. In fact, the
strength of the cloud model is this ability to interact with the
cloud server through a broad array of hardware and operating system

The third challenge to FDA's existing regulatory scheme is
in security. Medical information is scrupulously protected by the
Health Insurance Portability and Accountability Act of 1996
("HIPAA"), numerous state laws, and physician ethical
standards. As with financial information, medical information has
great value. In a cloud computing software solution, this highly
valuable and private medical information is often transmitted
wirelessly and through the Internet, exposing it to potential
theft. Further, the diffuse nature of cloud computing solutions and
the ability to consolidate medical information from thousands of
individuals in a single location pose significant liability risk
from the loss of a single laptop or USB drive.

FDA does not currently have any specific regulations applicable
to cloud computing. Further, FDA's regulations applicable to
computerized systems (21 C.F.R. Part 11) are currently being
enforced only in a very limited manner. Despite this, FDA's
existing regulatory scheme has been applied to products and
regulated processes that incorporate cloud computing services.
Recent guidance has addressed gaps in the existing regulatory
scheme, including FDA's draft guidance on mobile medical

Given the complexity of using cloud computing services in
FDA-regulated medical products, it is critical to carefully consider
the regulatory impact of incorporating such services. Sheppard
Mullin has expertise in the legal and regulatory issues surrounding
cloud-based services, including when using cloud computing in
FDA-regulated products and activities. Sheppard Mullin's FDA
practice has experience providing companies with advice on cloud
computing issues, including counseling medical device software

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.