United States: The Latest FDA Move To Limit Digital Health Software Regs

On Dec. 8, 2017, the U.S. Food and Drug Administration issued two draft guidance documents that describe types of software functions that the FDA will not regulate, including the FDA's long-awaited policy on clinical decision support software. The FDA published these documents in response to the 21st Century Cures Act, in which Congress removed certain low-risk digital health software from the FDA's jurisdiction. In addition, as part of its broader Digital Health Innovation Action Plan, the FDA announced that it was adopting as final guidance a document developed by the International Medical Device Regulators Forum (IMDRF) on clinical evaluation of software as a medical device. The FDA also announced a Jan. 30, 2018, public workshop on the progress of the Software Precertification (Pre-Cert) Pilot Program.

These developments continue to build on the policies the FDA has been developing in recent years to clarify the applicability of FDA regulatory requirements to digital health technologies. While the FDA's policy structure in this area remains a work in progress, these documents continue the general trend toward relatively limited, risk-based FDA regulation of digital health software.

Draft Guidance on Clinical and Patient Decision Support Software

As discussed in several previous Ropes & Gray articles (summarizing the 21st Century Cures Act, the general wellness guidance, and the Digital Health Innovation Action Plan), device manufacturers have long anticipated FDA guidance on clinical decision support (CDS) software. The FDA's new draft guidance, "Clinical and Patient Decision Support Software," describes the FDA's proposed views on the regulation of CDS as well as a related category of software that the FDA defines as patient decision support (PDS) software.

Section 3060 of the 21st Century Cures Act (Section 520(o) of the Federal Food, Drug, and Cosmetic Act) removes certain software functions from the definition of "device." One category under this provision is a software function that:

  1. Is not intended to acquire, process or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system;
  2. Is intended to display, analyze, or print medical information about a patient or other medical information, like clinical practice guidelines;
  3. Is intended to support or provide recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition; and
  4. Is intended to enable health care professionals to independently review the basis for the software's recommendations so professionals do not primarily rely on the recommendations when making a clinical diagnosis or treatment decision.

In the draft guidance, the FDA proposes to define CDS as software functions that meet the first, second and third criteria listed above. The FDA states that such a CDS function, in order not to be considered a "device," would also have to meet the fourth criterion. The FDA also states that it would continue to regulate as devices software that is Class III (i.e., software that is intended for a use in supporting or sustaining human life or for a use which is of substantial importance in preventing impairment of human health, or that presents a potential unreasonable risk of illness or injury).

The FDA provides examples of CDS that meet, and do not meet, all four of the agency's proposed criteria. Software functions that the FDA would consider to be excluded from FDA regulation are:

  1. Software that makes recommendations by matching patient information with reference information that is commonly used in clinical practice. Within this category, the FDA includes (1) software that identifies drug-drug interaction alerts based on FDA-approved drug labeling and patient-specific information, and (2) software that uses a patient's diagnosis to provide a health care provider with current practice treatment guidelines for common diseases and provides the source of those guidelines;
  2. Software that suggests an intervention or test using clinical guidelines in response to a physician's order, such as suggesting that a health care professional order liver function tests before prescribing a statin; and
  3. Software that uses rule-based tools that compare patient-specific signs, symptoms or results with available practice guidelines to recommend condition-specific diagnostic tests, investigations or therapy.

In contrast, the FDA intends to focus its regulatory oversight on two types of CDS-related software.

First, the FDA will regulate software intended to generate treatment and diagnostic recommendations on which the health care professional will rely primarily in making clinical decisions or determining therapy plans. To be excluded from the definition of "device," the CDS function must be intended to enable the health care professional to independently review the basis for the recommendations presented by the software. In the draft guidance, the FDA states that, to meet this criterion, such software must clearly explain (1) the purpose or intended use of the software function; (2) the intended user; (3) the inputs used to generate the recommendation; and (4) the rationale or support for the recommendation. The FDA believes that a health care professional would be unable to evaluate the basis of a software recommendation independently if it were based on nonpublic or proprietary information. Thus, under the draft guidance, a software function would fail to qualify as nondevice CDS if it operates via a nontransparent algorithm. This aspect of the draft guidance is likely to generate public comment, because it does not take into account the degree of risk posed by the product. However, it is possible that the FDA might choose to exercise enforcement discretion with respect to such software if it falls within another low-risk category set forth in the second draft guidance, described below.

Second, the FDA intends to regulate software designed to acquire, process or analyze a medical image, a signal from an in vitro diagnostic (IVD) device that can detect diseases, or a pattern or signal from a signal acquisition system (a machine that receives, as inputs, signals from sensors on the body). The FDA has historically regulated technologies that analyze the information from signal acquisition systems, such as IVD tests and technologies that measure and assess electrical activity in the body (e.g., electrocardiograph and electroencephalograph machines) as well as medical imaging technologies. Also included within this category are algorithms that process physiological data to generate new data points or that analyze and interpret genomic data to determine a patient's risk for a particular disease.

The following are examples of software functions that the FDA intends to regulate:

  1. Software that customizes the patient-specific surgical plan and instrumentation based on analysis of imaging and device characteristics for orthopedic implant procedures;
  2. Software that analyzes multiple physiological signals (e.g., sweat, heart rate, breathing) to monitor whether a person is having a heart attack;
  3. Software that analyzes near-infrared camera signals of a patient intended for use in determining and/or diagnosing brain hematoma; and
  4. Software that analyzes multiple physiological signals, such as heart rate and eye movement, to monitor whether an individual is having a heart attack or narcolepsy episode, and software that analyzes images of body fluid preparations or digital slides to perform cell counts and morphology reviews.

Moreover, the draft guidance addresses the agency's enforcement discretion policy for low-risk PDS software that is intended for patients or caregivers who are not health care professionals. Specifically, the FDA will exercise enforcement discretion and not enforce compliance with applicable regulatory requirements if the PDS meets the same four criteria that CDS must meet as outlined in Section 520(o)(1)(E) of the FDCA, thus generally mirroring the policy the FDA is adopting for CDS, except that the fourth criterion would be modified in the PDS context to require transparency of the basis for the software recommendations to laypersons (patients) rather than health care professionals.

Other Changes to FDA's Existing Software Policies

The 21st Century Cures Act also excludes from the definition of "device" four other categories of low-risk software functions. These statutory changes affect several existing FDA policies and guidance documents. As a consequence, the draft guidance on "Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act," describes the changes the FDA intends to make to several previously published guidance documents, including the FDA's guidances on "Mobile Medical Applications," "General Wellness: Policy for Low Risk Devices," and "Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices." As an overarching concept, the FDA notes that Section 3060 of the 21st Century Cures Act creates a function-specific standard of software functions that do not meet the definition of "device," independent of the platform on which the software runs.

The draft guidance describes the four types of software functions that the FDA is excluding from the scope of its regulation:

  1. Software functions intended for administrative support of a health care facility: The FDA has historically not regulated most of these software functions as devices. The draft guidance clarifies, however, that laboratory information management systems, which are software intended for administrative support of laboratories and/or for transferring, storing, converting formats or displaying clinical laboratory test data and results, no longer fall under the definition of "device."
  2. Software functions intended for maintaining or encouraging a healthy lifestyle: We have previously described the FDA's policy of exercising enforcement discretion with respect to software devices intended for certain "wellness" purposes. In the draft guidance, the FDA identifies the following examples from the General Wellness Guidance of mobile applications that no longer meet the definition of "device" due to the 21st Century Cures Act amendments: (1) an application that plays music to soothe and relax an individual to manage stress; and (2) an application that solely monitors and records daily energy expenditure and cardiovascular workout activities to allow awareness to improve or maintain good cardiovascular health. In addition, although the statutory amendment does not apply to wellness claims that relate to the role of a healthy lifestyle in helping reduce the risk or impact of particular chronic diseases or conditions, the FDA states that it will continue to exercise enforcement discretion over this category of products as long as they present a low risk to the safety of users and other persons.
  3. Software functions intended to serve as electronic patient records: Under the 21st Century Cures Act, a software function intended to transfer, store, convert formats or display electronic patient records that are the equivalent of a paper medical chart would not be a "device" if: (1) the records were created, stored, transferred or reviewed by health care professionals; (2) the records are part of information technology certified by the Office of the National Coordinator for Health Information Technology (ONC); and (3) the software function is not intended for interpretation or analysis of patient records. In the draft guidance, the FDA states that as long as criteria (1) and (3) are met, it does not intend to enforce the statutory requirement that the software function be certified by ONC. Additionally, the draft guidance clarifies that personal health records, which include software functions that enable a patient or non-health care provider to create, store or transfer health records for their own record-keeping, are not devices.
  4. Software functions that are intended for transferring, storing, converting formats and displaying data and results: In the draft guidance, the agency explains that software functions that solely transfer, store, convert formats and display medical device data would no longer fall within the definition of a "device," but that this exclusion does not apply to software that analyzes or interprets medical device data. Accordingly, software functions that generate alarms or alerts or prioritize patients based on their clinical status are not excluded from the definition of "device." The FDA explains, however, that it intends to exercise enforcement discretion not to regulate "low-risk" software functions of this type, such as analysis of data to provide a notification for which immediate clinical action is not needed.

However, the FDA notes that a software function described above will not be excluded from the definition of "device" if the FDA makes a finding that the software function would be reasonably likely to have serious adverse health consequences and certain substantive and procedural criteria are met, or if the device is Class III.

Software Precertification Program Workshop

The FDA also announced an upcoming public workshop that will be held on Jan. 30 and 31, 2018, which aims to discuss the current development of its Software Pre-Cert Pilot Program, which we summarized here. This voluntary pilot program — which began in September 2017 and currently includes nine participants — will assess a new approach for regulating digital health software that focuses on evaluating the software developer or digital health technology developer, rather than focusing primarily on the product. The public workshop will discuss various topics relating to precertification, such as the criteria and measures to evaluate whether a company is conducting high-quality software design, testing and ongoing maintenance of its software products and the types of digital health products that should be marketed without FDA review based on precertification.

IMDRF Guidance on Clinical Evaluation of Software as a Medical Device

The IMDRF is a voluntary group of medical device regulators from around the world that focuses on international medical device regulatory harmonization and convergence. This group has published several documents relating to regulation of software as a medical device (SaMD), defined as software intended to be used for one or more medical purposes that performs these purposes without being part of a hardware medical device. The guidance document the FDA has recently adopted and published in final form addresses the "clinical evaluation" of SaMD, which includes the activities needed to assess the clinical safety, performance and effectiveness of SaMD for its intended use. When the FDA initially proposed adopting this guidance document in October 2016, the draft was criticized by the medical device industry for its heavy use of terminology and concepts from foreign regulatory systems (particularly European), and its unclear relevance to the FDA regulatory framework. The final document eliminates some of the most concerning uses of such terminology and concepts that commenters identified, but may continue to be of uncertain application for entities that design and develop SaMD for the U.S. market.

Implications for the Digital Health Software Industry

The FDA's release of the two draft guidance documents, and continuing efforts to facilitate the Software Pre-Cert program, represent the agency's efforts to oversee digital health products under a risk-based framework and to prioritize innovation in this field. Whether the IMDRF guidance on clinical evaluation of SaMD will have any real-world impact for U.S. software developers remains to be seen, but the document represents yet another step in the FDA's efforts to build out a more complete and internationally consistent regulatory framework for digital health software. The FDA also has indicated that it will publish separate guidance on the regulation of a product with multiple functions, including at least one device function and at least one software function that is not a device.

Interested persons have until Feb. 6, 2018, to submit comments on the two draft guidance documents.

Originally published by Law360 on December 21, 2017.
