Digital Health Update: HHS’ new AI Office, FDA’s report on AI in surveillance – and coming policy
In late July 2024, the Department of Health and Human Services (HHS) announced a new Assistant Secretary for Technology Policy, elevating what has historically been an office within the Centers for Medicare and Medicaid Services to lead HHS-wide artificial intelligence and technology policy work. Simultaneously, the National Institute for Standards and Technology (NIST) is releasing new guidance, while FDA is previewing future work. Meanwhile, life sciences companies operating in Europe are readying for the AI Act’s implementation.
First up: HHS has a new digital technology office
- In July 2024, the Department of Health and Human Services (HHS) announced a reorganization of its digital health functions. Per the announcement, the reorganization “will streamline and bolster technology, cybersecurity, data, and artificial intelligence (AI) strategy and policy functions.”
- What the reorganization does: The Office of the National Coordinator for Health Information Technology (ONC) is being elevated to an Assistant HHS Secretary position; the new office of the Assistant Secretary for Technology Policy (ASTP) office will oversee a wider swath of digital health issues than ONC had previously. ASTP/ONC will centralize HHS’ work on many digital health topics as well as cybersecurity issues.
- ASTP/ONC will lead HHS’ work under the 2023 Executive Order (EO) from President Biden on “Safe, Secure, and Trustworthy” development and use of AI. [ See AgencyIQ’s analysis of that EO here.]
Some quick context: What is ONC, and how does it intersect with FDA?
- The Office of the National Coordinator for Health Information Technology, which has been historically known as ONC, is the federal entity that oversees many of the health information technology (IT) products that are carved out of FDA’s authority under the provisions of the 2016 21st Century Cures Act. These are primarily related to the non-medical device functions of health IT, see an explainer of these authorities here). ONC has been the agency that sets standards for electronic health record (EHR) products, and certifies certain EHRs (known as Certified EHR Technology, or CEHRT) that meet their baseline criteria for their capabilities; for example, compliance with standards from ISO/IEC and those from the National Institute for Standards and Technology (NIST) and that they are using the ONC recognized data standards (e.g., the U.S. Core Dataset for Interoperability (USCDI) current version) to bolster the ability to share data between EHR systems, which is known as interoperability. Under the Medicare program, administered by the Centers for Medicare and Medicaid Services (CMS), certain providers and facilities must use CEHRT (as certified by ONC’s criteria) in order to receive full payment through the program; this is known as the Medicare Promoting Interoperability (PI) program, which builds on the work of the previous Meaningful Use requirements.
- Basically, ONC is the entity that standardizes and oversees EHRs, as well as the data standards that EHRs use themselves. ONC also oversees patient privacy (and data access) issues under the Health Insurance Portability and Accountability Act (HIPAA), in conjunction with the HHS Office of Civil Rights (OCR).
- How have ONC and FDA worked together? As noted above, FDA and ONC share an overlapping series of responsibilities over digital health products. Under section 3060 of the 21st Century Cures Act, Congress defined software as a medical device (SaMD) by a process of exclusion: medical device functions of a digital health product do not include things that provide administrative support to facilities, things that encourage or maintain a healthy lifestyle, EHRs, software that transfers, stores, converts, or displays laboratory results, or software that can inform care that does not meet the definition of Clinical Decision Support (CDS) device functions. The interpretation of CDS has, notably, been a point of debate in the last few years. Medical device functions are, instead, defined as those software functions that “acquire, process, analyze or interpret medical information.”
- These responsibilities are trending to greater overlap in both digital health and real-world data (RWD) policy. FDA and ONC’s mandates are increasingly intertwined, as new digital health products can include both device and non-device functions, new widgets are being built into EHRs (for example, a sepsis risk-scoring tool was specifically flagged in FDA’s final CDS guidance, cited above and discussed below) and the FDA is building its use of data from real-world sources (RWD, such as EHRs), for regulatory purposes. The FDA has a seat on ONC’s Health Information Technology Advisory Committee (HITAC), which advises ONC on EHR and laboratory data standards, as well as issues in data continuity and quality.
- Still, there are gaps as the agencies navigate the increasingly interconnected health data landscape. The most recent annual report from HITAC points to the need for closer collaboration between ONC and FDA specifically on the subject of CDS, particularly those that use AI, and to help invest in standards to support data linking and patient matching in different data sources. HITAC specifically calls on ONC to hold a listening session to hear about the experience of other government agencies, including FDA, in linking data across systems, which could inform how ONC (ASTP) builds out systems and standards for EHRs in the future.
- Notably, “data linkage and synthesis” has a whole section in FDA’s recently finalized guidance on RWD from electronic health data sources (EHR and claims). This document highlights the challenges that life sciences product sponsors face with linking data, although the FDA also acknowledges that the linkages can “increase the amount of data available to capture the longitudinal patient journey, increase the amount of data available on individual patients, and provide additional data for validation purposes.” EHR/health IT vendors weighed in on the draft guidance document to express interest in improving secondary use of data generated from their offerings as fit-for-purpose RWD. This segment of industry, however, also cited a lack of regulatory direction on the issue.
- Speaking of improving data in RWD sources, the HITAC annual report also points directly to the need to improve two areas of structural challenge for the FDA: consistent data standardization for laboratories, and better connectivity of pharmacy data “with the broader health IT ecosystem.” Laboratory information systems (LIS) are not subject to the same data standardization and certification expectations as EHRs, which has led to a diagnostic data gap in RWD (see here for a discussion on the issue from FDA’s July 2024 electronic health data guidance, under the “missing data” section). The laboratory/diagnostic data gap is something the FDA is working to address through its Diagnostic Data Program (DDP), and ONC is working on methods from the health IT side. Notably, the FDA official representing the agency on HITAC, KEITH CAMPBELL, is the program director for the Systemic Harmonization and Interoperability Enhancement for Laboratory Data (SHIELD) program. SHIELD is one of two workstreams under FDA’s DDP, and is also recognized as a collaborative community by the Center for Devices and Radiological Health (CDRH); Campbell’s seat on HITAC highlights the importance of the diagnostic data gap for both ONC and FDA.
- Gaps in pharmacy data connectivity (the subject of a separate HITAC report from November 2023) are also expanding. The boom in electronic prescribing has not kept pace with the “interoperable data exchange between all pharmacy constituents,” according to the report. Pharmacist scope of practice is also expanding, but services such as such as vaccination will not be reflected in EHRs, and recording of virtual care provider visits is variable. These gaps in the pharmacy data landscape are likely of pivotal interest to drug sponsors seeking to use RWD for regulatory purposes.
- In short: ONC is the entity that’s in charge of data that become RWD for regulatory use, as well as the “other,” “non-device” functions of some multiple function devices (MFDs) – although, notably, the line between the device and non-device functions is increasingly blurry.
The Assistant Secretary for Technology Policy (ASTP)/ONC
- ASTP/ONC, which will be the division’s formal name going forward, will consolidate federal work on several digital health priorities: “Oversight over technology, data, and AI policy and strategy” will move from HHS’ Assistant Secretary for Administration (ASA)’s office into ASTP/ONC. Further, the federal government 405(d) program, a joint public-private partnership on health sector cybersecurity, will move from ASA to the Assistant Secretary for Preparedness and Response (ASPR), the office that houses most of the rest of HHS’ cybersecurity work.
- The new ASTP/ONC will lead work under the 2023 Executive Order (EO) on AI. This means that HHS roles under that EO will be housed in ASTP/ONC, including the Office of the Chief Technology Officer, the Chief Technology Officer and the Offices of the Chief AI Officer and Chief Data Officer. ASTP/ONC will also house a new office of Digital Services.
- What will these Offices do? According to HHS, the Chief AI Officer situated within ASTP/ONC will “set AI policy and strategy for the Department,” build out “internal governance, policies, and risk management approaches for uses of AI internal to HHS,” coordinate on HHS’ approach to AI, “support the safe and appropriate use of AI technologies and tools across the department,” and coordinate HHS staff trainings. The Chief Data Officer will “continue to oversee data governance and policy development,” manage HHS’ data strategy, “support data collaboration and exchange,” and manage HHS data, including Medicare program data, “as a strategic asset for the department.”
- The reorganization elevates ONC from an office within CMS to an HHS Assistant Secretary position. MICKY TRIPATHI, who was the National Coordinator (i.e., head of ONC), has been named both the Assistant Secretary and the Acting Chief AI Officer. The Department is actively hiring for other roles, including Chief Technology Officer, Chief AI Officer, and Chief Data Officer.
- If Tripathi’s name sounds familiar, he and FDA Digital Health Center of Excellence (DHCoE) Director TROY TAZBAZ recently worked with industry on the development of the Coalition for Health AI (CHAI). That entity is the driving force behind the idea of AI “Assurance Labs,” third-party laboratories that pressure-test AI methodologies. Notably, both Tazbaz and Tripathi recently resigned as federal liaisons to CHAI, with Tripathi citing his new role as Chief AI Officer and FDA indicating that there was “no need” for Tazbaz to be involved – see reporting from Healthcare IT News here.
- What does ONC’s elevation to ASTP/ONC mean for the life sciences industry? Ideally, the consolidation will make it easier for industry to track policy updates. The Department’s work under the AI EO will also come together; as AgencyIQ noted at the time, much of the work directed under the EO specifically for HHS and FDA was fairly high level, including the establishment of the task force.
- It also means that, going forward, FDA’s work on AI policy may need to align with the efforts out of ASTP/ONC. While ASTP/ONC’s work is likely to be higher-level than FDA’s, the strategic plan on AI could, depending on its development, roll down to FDA policy.
- This is a big expansion for ONC, which will be seeking to hire. The HHS announcement also comes with a note that the Department will be hosting a webinar about federal workforce opportunities in this area. Particularly for the roles cited above, current FDAers (like Tazbaz, other staff from the DHCoE, or FDA’s Office of Digital Transformation (ODT) staff) could be on the list for potential recruits.
Separately, FDA is continuing along on its own AI strategies
- The agency’s work on AI in surveillance was highlighted in the FDA Office of Surveillance and Epidemiology (OSE) annual report, published July 29, 2024. As OSE Director GERALD DAL PAN wrote in his introduction, “our focus was to explore the potential of artificial intelligence (AI) and machine learning (ML)” in a way that would “optimize medication safety for the public” – largely through Sentinel Initiative efforts. Notably, in addition to OSE’s vigilance activities, it also works on novel drug and biological product approvals as part of its epidemiological work. In addition to OSE’s work on AI for internal use cases at FDA, the report highlights the Office’s work to improve RWD for regulatory use – including a project that could build Risk Evaluation and Mitigation Strategies (REMS) into clinical workflows by using HL7 standards.
- How is OSE using AI? Dal Pan wrote that OSE “employed natural language processing (NLP) for medical chart review, creating gold standard data and scalable computable phenotype algorithms. This approach to utilizing electronic health record data and ML methods aims to significantly reduce the labor-intensive demands of manual review and to streamline our operations.” This is an interesting update on the work that the Sentinel Innovation Center, one of three Centers comprising Sentinel, the FDA’s RWD-based surveillance and analysis project, has been conducting in recent years. At the last annual update in November 2023, Innovation Center leaders previewed their work on using NLP for chart review.
- OSE also called out a potential new regulatory use-case for AI: literature review. The report previews that OSE “started piloting the application of large language models (LLM) in scientific literature review. Preliminary results suggest promising capability of LLM for automating literature screening tasks, which is expected to save a significant amount of time for reviewers. We will further explore the potential of LLMs in a follow-up project in 2024,” the report concludes.
- From the medical device side, CDRH leadership is previewing new guidance. Per CDRH’s 2024 guidance agenda, the agency plans to issue new draft guidance on lifecycle management for medical devices incorporating AI/ML this year. This will join a draft guidance, expected to be finalized by year’s end, on pre-determined change control plans (PCCPs). Together, these guidance documents will presumably provide recommendations on pre-market submissions and FDA’s expectations for how manufacturers should oversee and manage AI/ML-enabled medical devices post-launch.
- Troy Tazbaz (Director, DHCoE) and DHCoE Digital Health Specialist JOHN NICOL published a blog post in late July 2024 that potentially previews the contents of that guidance – the post is entitled “A Lifecycle Management Approach toward Delivering Safe, Effective AI-enabled Health Care.” While it doesn’t provide as much information as a guidance would, the blog post highlights the use of standards but stops short of recommending any specific standards – even those already recognized by FDA like IEC 62304 on software life cycle processes. Instead, the authors write that upon DHCoE review, “early AI standards documents… lack specific details.” It highlights the role of a potential AI Lifecycle Management “model” as a “guide” or “playbook,” and invites feedback on the context.
Analysis and what’s next
- Even with HHS re-organizing to take a more concerted lead on AI policy, the FDA is continuing ahead with its own projects. This includes a planned workshop on AI in drug development (scheduled for August, coming after a 2023 discussion paper on the subject), new programs on AI in pharmacovigilance known as the Emerging Drug Safety Technology Program (EDSTP), and, as OSE’s annual report flags, AI in internal regulatory use for the FDA to help with its regulatory workload. In general, while FDA typically has significant autonomy within HHS, the way that ONC(ASTP/ONC) and FDA’s mandates are increasingly overlapping could mean that the work out of the new Assistant Secretary’s office is of increasing importance for the life sciences industry.
- Even with HHS consolidating its AI work and FDA continuing with its projects, other federal entities also need to be watched closely. For example, the National Institute for Standards and Technology (NIST) in late July finalized three of its AI documents and issued draft versions of two more.
- NIST, a division of the U.S. Department of Commerce, was directed to take the lead on much of the cross-Department work under the AI EO in 2023, including framing underlying frameworks/guidance on developing, using and overseeing AI that can be used across the federal government. [See AgencyIQ’s introduction to NIST and its work’s applicability to life sciences regulation here.] NIST has been building its own suite of AI-related policy guidance; in May 2024, it published four guidance documents predominantly focused on generative AI (GAI). [Read AgencyIQ’s analysis of those guidance documents here.] On July 26, it announced that it was finalizing three of those documents: the GAI-focused guidance (NIST AI 600-1), a supplement to its Secure Software Development Framework (SSDF) on Reducing Threats to the Data Used to Train AI Systems, and its plan for Global Engagement on AI Standards (NIST AI 100-5). This leaves one document from the May batch still in draft format, the document on reducing risk from synthetic content (NIST AI 100-4).
- NIST’s new resources issued as drafts in late July 2024 focus on AI foundation models (NIST AI 800-1), a core focus of the AI EO, and a software testing platform “designed to help AI system users and developers measure how certain types of attacks can degrade the performance of an AI system.”
- In sum, HHS will be leading an AI strategy from above FDA, and NIST will be leading the federal government-wide AI policy documents.
- The E.U. has also been busy in this policy area, with the formal publication of the final AI Act kicking off significant European policy work over the next few years. For example, the AI Workplan from the HMA-EMA joint Big Data Steering Group plans workstreams starting in Q3 of 2024 for “preparations to support the implementation of the AI Act.” The publication of the AI Act also has significant impact on the device industry, which is waiting for both implementing acts and guidance from the Medical Device Coordination Group (MDCG) on the intersection with the medical device and in vitro diagnostic regulations. While industry is still awaiting a formal Q&A guidance, AgencyIQ has a two-part analysis of the implications of the AI Act for device and diagnostics companies available here: Part One, Part Two. On the medicines side, the EMA’s Methodology Working Party is slated to take on guidelines on the use of AI in clinical development. Potential topics include “the use of AI/ML applications for selecting study sites and study participants, machine-learning derived endpoints and covariates, and digital twin technology (intersecting with guidance on the use of Real-World Data),” as well as AI in pharmacovigilance, according to the Working Party’s work plan.
- This is a fast-moving, incredibly complex policy area – and life sciences companies will need to be prepared.
To contact the author of this item, please email Laura DiAngelo ( ldiangelo@agencyiq.com).
To contact the editor of this item, please email Kari Oakes ( koakes@agencyiq.com).
Key Documents and Dates
- HHS Reorganizes Technology, Cybersecurity, Data, and Artificial Intelligence Strategy and Policy Functions
- Department of Commerce Announces New Guidance, Tools 270 Days Following President Biden’s Executive Order on AI
- Office of Surveillance and Epidemiology 2023 Annual Report
- AgencyIQ analysis: FDA’s final guidance on electronic health data sources for regulatory use: Validation and quantitative assessments
- AgencyIQ analysis: What life sciences companies need to know about NIST’s new AI guidance