Regulating Health IT: When, Who, and How?

Health care providers and consumers are increasingly using mobile technology to exchange information. Many health IT providers readily acknowledge that some level of oversight is required to ensure patient safety and privacy protections, but many providers question whether the FDA is the right agency for the job and want to see the FDASIA recommendations.

Can the FDA, with its already limited resources and lengthy review cycles, regulate the fast-moving health IT industry? Should it? Health IT is fundamentally different from a medical device in many ways. For oversight purposes, the key differentiator between the two is the opportunity for clinical intervention in the use of health IT. Many medical devices interact directly with the patient (such as an infusion pump or pacemaker). Most health IT, on the other hand, merely provides information to clinicians, who ultimately make independent, experienced care decisions. Physicians are informed, but not controlled, by the information. This leads to a vast difference in the patient risk proposition and rigid regulatory oversight is not appropriate.

Advocates of a broad health IT oversight framework – which encompasses mobile health IT – are urging the FDA to delay release of its final guidance, particularly in light of a July 2012 Congressional mandate for the creation of a comprehensive oversight framework that avoids regulatory duplication.

But some mobile medical application developers are pressing the FDA to move forward immediately, believing its guidance will reduce the regulatory uncertainty that they believe is stifling innovation and investment in some aspects of mHealth.

The Draft Mobile Guidance states that the FDA does not presently intend to regulate electronic medical textbooks, apps that automate general office operations, and EHR apps…yet. That implied “yet” has given many in the health IT industry a pause. Contrary to the hopes of those who expect the Mobile Guidance, once finalized, to provide regulatory certainty to the mHealth industry, that “yet” underscores the fundamental uncertainty inherent in reliance on regulatory guidance – guidance is not binding and can be revised by the issuing agency at any time.

Recent FDA hearings have provided some clarity regarding specific categories of apps that will or will not be regulated, at least in the immediate term (see http://www.eweek.com/mobile/fda-clarifies-plans-for-mobile-health-app-regulation/). But gray areas remain depending on how the FDA ends up interpreting its own obligations, and a staggering number of apps could easily fall within the FDA’s regulatory purview.

For example, if the FDA regulates apps acting as clinical decision support tools (apps that essentially collect information, convert it using algorithms and provide a patient-specific result), reference tools like prescription reference apps, drug interaction checkers, and even arguably, EHRs, could become subject to FDA regulation. This would result in the regulation of technology merely because it automates a calculation that could be done by a physician less efficiently and with much greater possibility of human error. The Draft Guidance could result in the regulation of information delivered to physicians via mobile technology—essentially regulating technology by supposed category (“mobile”) rather than by true function. Such an outcome would stifle progress and innovation in the burgeoning mobile health IT industry, to the detriment of patients, care providers and the health care system.

Overbroad, heavy-handed regulation can and does stifle innovation. As the mHealth Regulatory Coalition has correctly pointed out, regulatory uncertainty can have no less an innovation-stifling effect. Congress’s FDASIA mandate is correct: any permanent oversight framework should be risk-based, appropriately taking into account the vastly different risk profiles of health IT compared to traditional medical devices. It should protect patients, while promoting innovation and avoiding regulatory duplication (both of which also protect patients, by allowing innovation to flourish).

The FDASIA Workgroup is working at a rapid pace not often seen in Washington. Final Mobile Guidance is unnecessary, would create rather than alleviate regulatory uncertainty, and would arguably be counter to Congress’s express mandate to avoid regulatory duplication.

Rebecca L. Jewell, Esq., is the assistant general counsel at Epocrates, Inc., an athenahealth company. Dan Haley is the vice president of government and regulatory affairs at athenahealth.

7 replies »

  1. When I originally commented I appear to have clicked the -Notify me
    when new comments are added- checkbox and now every time a comment is added I receive 4 emails with the same comment.
    There has to be an easy method you are able to remove me from that
    service? Cheers!

  2. There is certainly evidence that physicians are at times held responsible for information they “should have known” but didn’t see or didn’t act upon. That’s a great fear of clinicians who argue against having tons of data available to them that they may not have the ability to digest and utilize. So do patients need to know enough to utilize the data themselves? Or do we need to create a system where all that data can be gathered and providers have a system of having that data available to them when it’s needed to avoid harm? I think it’s partly “yes” to both questions. The Quantified Self bunch seem to be moving on question one, and I think technology is moving in the direction of answering question two. I think providers, however, need to think about what information they do need at their fingertips and what they need to look at more retrospectively – it may help them figure out patterns but wouldn’t help immediately avoid harm. I don’t have the answers; I’m glad to have this conversation because I don’t think that there has been the right kind of communication to make physicians, other providers (LTC providers, dentists, etc.), consumers, family caretakers understand each others’ perspectives. Many in those groups need to stop advocating their position and start listening to others in the room, I think.

  3. The current vendor-based regulatory domain for connected devices and, in the future, connected apps is unsustainable because safety and effectiveness are increasingly beyond the control of the vendor. As devices and apps become part of a network, safety and effectiveness are determined by how they’re used, not how they’re made.

    It makes no sense to regulate construction crane vendors. It’s how the crane is installed and used that makes them safe, and that’s typically assessed by an independent inspection on-site.

    Medical schools are another example. A physician licensing exam is not seen as a barrier to innovation because clinical innovation happens afterward, in practice, in a network. Medical innovation safety and effectiveness are managed through decentralized peer review, open publication, open teaching and local institutional review boards. The only centralized gatekeepers have traditionally been publishers – but they, in turn, are a collection of competing and mostly volunteer peer reviewers. Secrecy is shunned in modern medicine.

    As we move paper-based medical practice into networked software and apps we seem to be losing sight of the big picture. If our experience with electronic health records is any guide, putting innovation under the control of proprietary vendors licensing secret code seems to be creating more problems of innovation, clinical usability and interoperability than we expected. Who do we know that’s eagerly waiting for Meaningful Use Stage 3?

    It’s unreasonable to expect the FDA to solve the innovation problem any more than we expect state medical licensing boards to solve innovation. Physicians must take ownership of our tools and systems as they become digital lest we become skilled, licensed technicians – like plumbers.

  4. Is there any concrete evidence of harm done that would give some argument beyond theoretical considerations? Safety certainly is important, but I would say that many of the policies of payers do far more harm than any app would do. It just seems to be, to use a biblical analogy, straining out the gnat and swallowing the camel.

  5. Thanks for the information. Usually risk/benefit is a balancing test. I’m the first one to say safety is important, and it certainly is not adequately addressed in healthcare right now. But we have to balance “risk of not enough or timely information” against “too many barriers from fear of having the wrong information”. I also believe “do no harm” is important – so do not want people to make decisions based on the wrong information or unduly risk uninformed information disclosure, but let’s not kid ourselves that what’s happening now is “risk free”. I don’t have all the answers – thanks for keeping the discussion going.