At the Food and Drug Law Institute (FDLI) digital health conference this week, regulators, experts and industry leaders debated top-of-mind issues for digital health product regulation. As expected, the FDA’s new final guidance on Clinical Decision Support (CDS) was a key topic of interest, while regulators also offered insights about when industry can expect new (and long awaited) policies on artificial intelligence (AI), extended reality and where to look for information about trends in reimbursement for digital health products.
The digital health event focused on key trends in digital health product regulation.
- Hosted by the Food and Drug Law Institute (FDLI), the two-day meeting included discussions on current and emerging issues in digital health regulation. In addition to discussions about expanded use of telehealth during the pandemic and new efforts from the Federal Trade Commission (FTC) and Department of Justice (DOJ) to crack down on fraud and other concerns following this rapid expansion, the meeting had several sessions on FDA regulation of digital health products. These included sessions on the FDA’s recent policy work on wearable technologies, privacy and cybersecurity, and the FDA’s plan to issue new guidance on artificial intelligence and machine learning (AI/ML).
- On AI/ML policy: Just because it’s not a “priority,” doesn’t mean it’s not a priority. The FDA has been working on a new draft guidance related to AI/ML technologies that is intended to help developers design and receive authorization for products with more flexibility for instituting post-market changes. The policy will outline best practices for pre-determined change control plans (PCCPs) to be developed and submitted pre-market, and then implemented in post-market settings. While the guidance has been long awaited, it has yet to be issued – and, as AgencyIQ has noted, it is listed as a “B-List” priority on CDRH’s FY2023 guidance agenda, not an A-List priority. Ariel Seeley, Associate Director of Regulatory Documents and Special Products in CDRH’s Office of Policy, was asked about the B-Listing of the draft guidance document, even as the agency has continued to tout it as a top priority. According to Seeley, “A and B are kind of… I don’t want to say arbitrary, because I think both are strong priorities for us,” but “the A-List is for when we have a hard goal… and then the Bs are all priorities that we really want to do.” Throughout the event, regulators from FDA touted how high-priority the AI/ML PCCP guidance is, and their intent to issue the guidance in the next year. However, as industry saw during the pandemic, capacity and timing play a role in what policy documents the FDA can feasibly issue, and a “nice to have” B-List guidance without a hard deadline can easily get pushed back – although CDRH Digital Health Center of Excellence’s (DHCoE) Sonja Fulmer reiterated that they are “very hopeful” that this draft guidance on PCCPs for AI/ML devices is coming soon. For now, developers can always refer to the FDA’s list of AI/ML device authorizations if they have preliminary questions about regulatory precedent for certain products.
- Another policy update that could be coming soon: XR. Alternate, virtual and extended Reality (AR/VR/ER) technologies are increasingly being developed for novel uses in the medical field, with some of these products meeting the definition of medical device and subject to regulation by the FDA. AgencyIQ has recently noticed that the FDA is working to amp up its own scientific and practical understanding of these products, and from there will build a regulatory framework. For example, the agency held a Patient Engagement Advisory Committee (PEAC) meeting on AR/VR technologies in July 2022 to help regulators understand end-user experiences with AR/VR products and how these should be assessed in regulatory settings, while FDA and NIH investigators have been researching the novel risks of these products. While not listed on the guidance agenda for FY2023, Fulmer also indicated that the DHCoE is working on the issue of XR and could have some materials available in the next year. What that would look like (e.g., draft framework for comment, discussion paper, more meetings, or a draft guidance) remains to be seen, however.
- The cybersecurity final guidance may also be expected in 2023 – but there are still outstanding concerns for the agency. In 2022, FDA issued a new draft guidance on cybersecurity for medical devices and connected products. Suzanne Schwartz, Associate Director for Science and Strategic Partnerships at CDRH, touted the agency’s work on this guidance, which she asserted is “significant, I would say, a significant raising of the bar” from the agency’s 2014 final guidance on pre-market cybersecurity considerations. Notably, while the agency has current guidance on cybersecurity in pre- and post-market settings (finalized in 2014 and 2016, respectively), these documents broke the strategy down into defined pre- and post-market activities and considerations. The new draft focuses on a more total product lifecycle (TPLC) approach (and is entitled, in part, “Quality System Considerations and Content of Premarket Submissions”), said Schwartz. Going forward, while the agency is working to “really mak[e] the link very, very clear… between cybersecurity and safety,” said Schwartz CDRH’s request for more explicit authority to require cybersecurity information from sponsors did not make it through Congress this year, either as the standalone bill (the PATCH Act) or as part of the user fee reauthorizations. Further, Schwartz asserted the need for a more whole-of-government approach to cybersecurity issues, including FDA liaisons with CISA (within the Department of Homeland Security) and the Department of Justice, as well as better understanding of the rippling effects that a vulnerability or attack can have (e.g., a “cyber blast radius”). In short, while sponsors can anticipate a finalization of the 2022 draft guidance in 2023, the next several years are likely to have myriad developments and policy updates related to cybersecurity, intimated Schwartz.
The final Clinical Decision Support (CDS) guidance, and what to do next (TLDR: e-mail, pre-sub, and 513(g) only if necessary).
- Quick background: The FDA’s final CDS guidance – Six years after Congress exempted specific types of software from FDA regulation as a medical device, the FDA agency finalized the last of its outstanding guidance documents to implement those policies – the Clinical Decision Support (CDS) guidance. The final guidance followed two draft versions and, as AgencyIQ noted when the guidance was published, deviated significantly from the most recent (2019) draft version of the guidance.
- At a high level, the guidance outlines what the FDA thinks falls under the category of CDS that is a medical device functions and what functions would be considered non-device CDS (and therefore outside of the scope of the FDA’s regulatory authority) and which device CDS functions could fall under an enforcement discretion from the FDA. At the FDLI event, digital health expert Robert Jarrin expressed support for the work the agency has done on the subject, noting that the statutory language in 21st Century Cures that direct these changes is “absurd language, it was horribly written” and acknowledged the FDA’s “gymnastics” in its interpretation and implementation.
- The new guidance has received a lot of attention – and caused a lot of confusion. As noted above, the final guidance document varies significantly from the revised draft [see AgencyIQ’s analysis of these outstanding questions here]. At the FDLI event, Sonja Fulmer of the FDA’s Digital Health Center of Excellence (DHCoE) provided a brief summary of the changes between the final version and the revised draft from 2019, including a re-calibration of how the agency interprets the statutory criteria for device/non-device CDS function carve outs and the removal of references to the International Medical Device Regulators Forum (IMDRF) SaMD risk categories – and therefore a set of enforcement discretion policies that were outlined in the 2019 revised draft that depended on those risk categories.
- The questions are both “device versus non-device” and whether a device function could meet an enforcement discretion. As Fulmer acknowledged, the biggest update in the final guidance is that “there’s no longer the enforcement policies” that were outlined in the 2019 revised draft. Since the guidance was published, DHCoE officials have maintained that the new policy does not re-define the scope of what the FDA considers to be a medical device – overall, “I don’t think that the overall interpretation” of what makes a product a device CDS versus a non-device CDS has changed, said Fulmer. However, the removal of references to the enforcement discretion has concerned industry, especially those with products on the market that they believed fell under the enforcement discretion that is no longer available. Further, the re-configuring of FDA’s thinking about how the four criteria on defining a device CDS and non-device CDS have led to questions about whether products need to be updated to stay within their intended definition.
- The confusion about the interpretation of the criteria for defining device and non-device CDS. Statutorily, under the 21st Century Cures Act, there are four criteria that define whether a software function can be regulated as a device (at which point the FDA can decide on whether it wants to exercise enforcement discretion) or is statutorily excluded from regulation as a device. As Sonia Nath (Partner, Cooley LLP) stated at the event, “the biggest change that I’ve seen… is probably criteria 3,” which outlines how to consider whether product supports or provides recommendations to a provider. As Nath noted, the 2019 revised draft guidance document did not mention considerations about whether scoring and risk probability would fall within the device or non-device function explicitly, so the new specific reference means that this is an “area where I now find myself being much more cautious in my advice.” However, DHCoE’s Fulmer countered, explaining that the question of risk scoring was addressed through IMDRF’s (now deleted from the guidance) framework; in effect, “I do think it was there, it just wasn’t as explicit, and it wasn’t as understandable,” said Fulmer. By removing the proxy consideration via IMDRF and addressing it directly in the guidance instead, Fulmer stated that the intent was simply to clarify existing policy – not foundationally change the way that FDA views these products.
- While there is wiggle room, that also means that there’s a lack of clarity for industry. Throughout the session on the CDS guidance, Fulmer reiterated that “I think common sense makes sense” when interpreting the four criteria for defining device versus non-device functions and urging developers and manufacturers to work with the agency to define a path forward. However, several of the phrases that provide this wiggle room, such as the concept of “simple calculations” that can fall outside of a device function definition, or the question of how many options make up a “list” of recommendations (rather than a single direction) are open to interpretation – and therefore have led to confusion for industry.
- As a specific example: Jason Brooke (Brooke & Associates) cited the list example, which, notably, was a topic of debate at DHCoE’s recent webinar on the final guidance. While criterion 3 states that non-device CDS can support decision making, it cannot direct a specific course of action, which the agency has interpreted as meaning that a non-device CDS needs to present options, not a single recommendation. Brooke noted that this raises “a lot of [user interface, user experience] UI/UX questions” about what it means to be a list, or how to prioritize options (what the software function would determine to be the “right” option) in a way that’s not causing undue influence – including spacing, ordering, bolding or otherwise presenting certain options as preferred. Panel moderator Maura Norden (Greenleaf Health) concurred, noting that this has been a question for her clients, elevating their concerns that even in situations where there is only one reasonable option that they would need to include other, potentially less appropriate options, simply because the output needs to be a list to fit the non-device definition – in effect, “do you include other options that aren’t really reasonable ones to present,” just to maintain the non-device categorization. Fulmer stated that in this case, “there should be a good faith effort made” to show why a single option is presented or preferred – and that the definition is intended to not allow certain products that would be diagnostics to fall under the non-device software function category. However, the definition of the “good faith effort” or how those would be considered by regulators – and whose definitions of “common sense” the FDA will be applying – are still outstanding questions for regulated (or potentially non-regulated) industry.
- A point on labeling for non-device CDS products. One way for a product to maintain its non-device CDS status is to show its work. Specifically, under criterion 4, the health care provider must be able to “independently review the basis for recommendations” (per the statute) through “plain language instructions” (per the guidance), with those incorporated within the software’s labeling. As Fulmer explained at the FDLI event, the agency “didn’t want to be overly prescriptive… for non-medical devices” and developers “just have to apply a little bit of common sense” to ensure that their software function can appropriately show its work in an understandable way. Notably, this consideration under criterion 4 applies no matter how complex the product itself – up to and including AI/ML-enabled software, if the manufacturer can show that users can understand how it works and review its outputs and decision-making process). However, industry (and AgencyIQ) have some outstanding questions here: In particular, how can the FDA have any level of recommendations on labeling for products that are not medical devices?
- So, what should a firm with a question about where they fall on the line – or changes they’d need to make to fit into a category – do? A significant outstanding question for industry has been when and how the FDA will step up enforcement for products that a sponsor either previously considered a non-device CDS or a device CDS that fell under the enforcement discretion. According to Fulmer, the agency doesn’t have a set deadline – and doesn’t consider it a “transition.” In particular, because the statutory definitions have technically been in place since 2016, and “it hasn’t changed,” there is no formal transition period. However, the fact remains that this is a common concern from industry, acknowledged Fulmer, providing assurance that her team does not have “a force of FDA-ers in windbreakers” ready to deploy to enforce the CDS guidance. Overall, all of FDA’s device enforcement actions are risk-based, and developers and manufacturers should start with the lowest-level interaction before scaling up in interaction acuity. For firms with this particular problem, Fulmer recommended starting with an email to the CDRH digital health inbox, who will be able to advise if a pre-submission or 513(g) device determination request is necessary.
- To 513(g) or not to 513(g), that is the question. If a developer or manufacturer has a real pressing need to identify whether their product is a device or not a medical device, they can submit a 513(g) device determination request. These requests are typically used to garner a formal declaration from the FDA – on official letterhead, and requiring a user fee – that a product is or is not a medical device. For digital health products, 513(g)s can be helpful when a sponsor needs to seek out a determination and official response from the FDA for reimbursement purposes, such as for a remote patient monitoring or therapeutic monitoring claim from CMS (which does, currently, require the product be FDA-authorized).
- For CDS questions, Fulmer noted that a 513(g) might not be the most efficient route, and noted that an email to the CDRH inbox could provide some clarity about next steps; “we can help you get there” and “make some tweaks or changes” to ensure that the non-device definition is still appropriate, or enforcement discretion criteria are met for device CDS functions (if that’s the sponsor’s intent). If more information is needed, the Q-sub process might be a better forum, said Nath, because of the constraints of the 513(g) process – in effect, “they’re not going to be expecting a debate” or a back-and-forth through that system, and developers will not be able to have the type of conversation in a 513(g) that they might get through a Q-sub interaction. Finally, of course, a Q-submission is free and tied to a performance goal – so “if a pre-sub can do the trick… a pre-sub is obviously cheaper” and might be a sponsor’s best bet if an email to the digital health inbox does not suffice, said Nath. Fulmer concurred, noting that she rarely recommends 513(g)s unless “you really need that letterhead.”
To contact the author of this item, please email Laura DiAngelo.
To contact the editor of this item, please email Alexander Gaffney