The U.S. Food and Drug Administration (FDA) continues advancing regulatory policies tailored to the digital health community. On September 26, 2019, the agency issued a series of guidance documents that interpret several of the medical software provisions in the 21st Century Cures Act (Cures Act), as well as a new draft guidance on clinical decision support software. These policy documents have been anticipated ever since FDA announced plans to issue them in its 2017 Digital Health Innovation Action Plan. Taken together, the guidance documents help formalize the de-regulation of certain medical technologies and propose a quicker path to market for a subset of medical software that informs clinical decisions.

Clinical Decision Support

The Clinical Decision Support Software (CDSS) Guidance Document is a re-proposed draft guidance with an atypical procedural history. Almost always, FDA guidance documents are issued in draft form for public comment once and finalized after the comments have been considered and revisions that the agency deems appropriate have been made. Here, following criticism that the agency received for the policies in the initial draft guidance, FDA issued a revised draft guidance that generally takes a lighter touch with respect to clinical decision support (CDS) regulatory policy.

As defined by the agency, CDS provides health care professionals (HCPs) and patients with knowledge and person-specific information, intelligently filtered or presented at appropriate times, to enhance health and health care. Examples include software that processes physiologic data to analyze and interpret genomic data such as identifying a patient's genetic variations for the purpose of determining a patient's risk for a particular disease; software that uses a patient's diagnosis to provide a healthcare provider with current practice treatment guidelines for common illnesses or conditions such as influenza and provides the source of the guidelines; and software that identifies patients who may exhibit signs of opioid addiction based on patient-specific data, family history, electronic health records data, prescription patterns, and geographical data. As discussed below, however, not all these functionalities would be actively regulated by FDA according to the latest draft guidance. Further, the proposed criteria for whether software would be regulated by FDA extends beyond what was specified in the Cures Act.

In 2016, the Cures Act established a framework for the FDA's regulation of CDS technology. The 2017 draft CDSS Guidance Document, in turn, closely tracked the relevant CDS legislative provisions. But after considering public feedback to the 2017 draft, a revised guidance was issued that goes a step further than the legislation and proposes additional considerations focused on risk. When describing how the agency interpreted the CDS provisions of the Cures Act, the FDA Principal Deputy Commissioner stated, "[w]e've taken the goals we were entrusted with by Congress under the Cures Act and are building on these provisions to make sure that we're adopting the full spirit of the intent to provide a practical oversight framework that is risk based." New considerations proposed by the draft guidance include whether the relevant condition is serious/critical or non-serious and whether the intended software user is a healthcare provider or patient/caregiver. An evaluation of these criteria, among others, determines in which of three proposed CDS categories the software would fall: CDS software that would be subject to FDA oversight, CDS software for which the agency intends not to enforce applicable regulatory requirements (known as enforcement discretion) due to the software's low risk to patients, or CDS software that does not meet the definition of a medical device. Though the relevant considerations can be extensive, a roadmap in the draft guidance helps distinguish the lines between the types of CDS software that would be regulated by FDA and those that would not (either by not being considered a medical device or qualifying for the agency's risk-based enforcement discretion policy). The decision points in the roadmap are further illustrated through many examples, including examples that reference machine learning, a concept not specifically mentioned in the previous draft.

The digital health industry has so far been generally supportive of the revisions made to the CDSS Guidance Document since its previous version. And although the CDSS Guidance Document remains to be finalized, not only does the regulatory momentum appear to be shifting in the industry's favor, this draft guidance also provides a rare second opportunity to weigh-in on impactful software policy and be heard by the agency.

Guidances Impacted by 21st Century Cures

Simultaneous with the release of the draft CDSS Guidance Document, the FDA also issued five revised policy documents: Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act; General Wellness: Policy for Low Risk Devices; Off-The-Shelf Software Use in Medical Devices; Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices; and Policy for Device Software Functions and Mobile Medical Applications (originally titled "Mobile Medical Applications").

The first listed guidance addresses specific digital health provisions included in the Cures Act, including the FDA's interpretation of the types of software that are no longer considered medical devices. Consequently, conforming changes were made to the latter four guidances that had been issued prior to the enactment of the Cures Act. In fact, some policies in the guidances served as a blueprint for the subsequent medical software legislation, resulting in similarities between the regulatory outcomes of the guidance documents and the Cures Act. Certain updates to the guidance documents, however, represent important distinctions. For example, under the previous iteration of the General Wellness Guidance Document, a subset of medical software was considered by the agency to be under enforcement discretion meaning that the FDA did not intend to enforce the applicable regulatory requirements, but reserved the right to do so in the future. Now, the FDA concludes in the newly-issued General Wellness Guidance Document that the subset is not within the scope of products FDA has the authority to regulate at all.

In general, the guidances published on September 26 reduce medical software regulatory burden as compared to the agency's prior policies. Many of the changes discussed above, particularly with respect to the CDSS Guidance Document, reflect FDA's coordination with global regulators that intend to harmonize the regulatory requirements for medical devices that vary from country to country. Harmonization efforts are primarily deliberated by the International Medical Device Regulators Forum (IMDRF), of which the U.S. FDA is a member. Another key IMDRF member is the European Union (EU) who is set to enforce its new medical device regulation (MDR) that overhauls how the region oversees most medical devices, including medical software. Though IMDRF member countries often share similar policies, this is not always the case and medical software regulation in the U.S. versus the EU is a fitting example. Accordingly, companies should consider the software policies established by the FDA guidance documents highlighted in this alert, as well as the E.U. MDR before its May 2020 compliance date.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.