Today, July 11, 2012, President Obama signed into law the Food and Drug Administration Safety and Innovation Act. Applauded by big pharma, the American Medical Association, the National Organization for Rare Disorders, and others, this new legislation reauthorizes various user fees, and revises regulations in an effort to address problems around drug shortages, the paucity of therapies for rare diseases, and improving availability of pediatric drugs and devices. For regulatory geeks, there is also new language around the "least burdensome standard," modification of de novo application process, reclassification procedures and more. You can see a bill summary of the legislation here, and download the actual law here (pdf).

Unique Device Identifier

Two things in the FDASIA (pronounced "F-D-A sigh") jumped out at me: unique device identifier and health information technology. Section 614 directs the Secretary of HHS to issue proposed unique device identifier (UDI) regulations by December 31, 2012, and to finalize the proposed regulations not later than 6 months after the close of the comment period.

In general, the UDI is a good thing in that it will likely contribute to improved supply chain efficiency. All the claims about improved post market surveillance, patient safety and quicker, more reliable recalls are considerably beyond the ability of what is really just a hopped up serial numbering scheme. To achieve the widely trumpeted safety benefits would require the wide adoption of an information system that does not yet exist. There are a lot of cool ways such an information system could come into being - the feds, some outfit like the ECRI Institute, or an open source software project driven by hospitals.  And of course, you'd have to get health care providers to, you know, actually use the software.

Needless to say, the easy part with be getting the UDI onto products (and that's taken years).

The big news for many folks is that there is now a legislative mandate to regulate HIT.

Regulation of Health Information Technology

Based on the process laid out in the FDASIA, the time it will take to realize a medical device UDI will, in retrospect, probably seem like a blink of the eye. In short, the FDA, FCC and NCHIT are to get together, with a working group of external stakeholders, to create a report on how to regulate HIT. This is supposed to happen within 18 months of today. What happens after the report is not specified.

From the text, below, HIT appears to include EMR/EHRs, mHealth, and other information systems that pose a risk to patient safety.


(a) REPORT.—Not later than 18 months after the date of enactment of this Act, the Secretary of Health and Human Services (referred to in this section as the ‘‘Secretary’’), acting through the Commissioner of Food and Drugs, and in consultation with the National Coordinator for Health Information Technology and the Chairman of the Federal Communications Commission, shall post on the Internet Web sites of the Food and Drug Administration, the Federal Communications Commission, and the Office of the National Coordinator for Health Information Technology, a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework pertaining to health information technology, including mobile medical applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.

(1) IN GENERAL.—In carrying out subsection (a), the Secretary may convene a working group of external stakeholders and experts to provide appropriate input on the strategy and recommendations required for the report under subsection (a).

(2) REPRESENTATIVES.—If the Secretary convenes the working group under paragraph (1), the Secretary, in consultation with the Commissioner of Food and Drugs, the National Coordinator for Health Information Technology, and the Chair- man of the Federal Communications Commission, shall deter- mine the number of representatives participating in the working group, and shall, to the extent practicable, ensure that the working group is geographically diverse and includes representatives of patients, consumers, health care providers, startup companies, health plans or other third-party payers, venture capital investors, information technology vendors, health information technology vendors, small businesses, purchasers, employers, and other stakeholders with relevant expertise, as determined by the Secretary.

The FDA has already published a draft guidance on mobile apps, and they've been waving a red flag about their patient safety concerns regarding clinical decision support systems (CDSS) specifically, and EMRs in general. Last year I attended a public workshop at FDA on mobile apps and CDSS where they received input and laid out their ideas about a way to evaluate patient safety risk in those areas. (If you'd like to know more about what was discussed, give me a call.)

I think it's important to note that while identifying the key government stakeholders (FDA, FCC and NCHIT), the legislation does not change any of the stakeholders responsibilities or authority: the FDA is responsible for patient safety and effectiveness, the FCC remains responsible for RF spectrum allocation, and the NCHIT is responsible for ensuring that HIT solutions meet a minimum level of functionality. Which entity will loom largest over manufacturers? The FDA.

The interested readers should also note that there is nothing in the legislation to preclude FDA from regulating manufacturers as soon as they feel the need.

Implications for Industry

In a world where it is almost impossible to buy a home hot water heater or air conditioner from a manufacturer who does not follow a quality system (ISO9001), it would not seem to be a big hurdle for HIT manufacturers to follow a quality system too. For HIT vendors, the biggest hurdle will be adopting the FDA's Quality System regulation (which is not that different than ISO9001). Some products may require pre-market approval, i.e., the submission of a 510(k) by the manufacturer and clearance by FDA before the product is sold. Very few - if any - HIT products will require PMAs and clinical trials like drug companies have to contend with.

So what should industry do now? The following are some questions that anyone (vendors or providers) developing HIT software or systems should ask:

  • Do any of my products meet the legal definition of a medical device?
  • Based on FDA's recent actions, how likely is it that my company/market segment will become regulated?
  • What does it mean to become a regulated manufacturer?
  • How might my products be regulated?

You can find many posts on this blog that look at these issues:

Tim Gee is Principal of Medical Connectivity Consulting. He is a master connectologist, technologist and strategist working for medical device and IT companies and various provider organizations. You can learn more about Tim here.