Clinical decision support (CDS) software has been recognized — including by government agencies — as having significant potential to increase quality of care and enhance health outcomes, and companies across the health care and life sciences industries have developed a variety of CDS software. In September 2022, the U.S. Food & Drug Administration (FDA) published final guidance interpreting the statutory criteria for determining when CDS software will be regulated as a medical device (Final CDS Guidance). Since then, FDA has taken numerous steps to further explain the approach set forth in the Final CDS Guidance, including issuing an infographic, holding a webinar to discuss the Final CDS Guidance, and participating in numerous external panels addressing the Final CDS Guidance.
The Final CDS Guidance provides helpful finality regarding FDA’s approach to CDS software, and FDA has made commendable efforts to clarify the guidance for industry. Nevertheless, significant questions persist about how the Final CDS Guidance should, and will, be applied in practice. While the full impact of the Final CDS Guidance will become clearer as FDA begins to enforce it, it appears that FDA is moving generally toward increased oversight of CDS software. Companies that are already in the CDS space, or that are considering entering it, should continue to monitor FDA’s evolving approach to regulating this important software category.
Background on the Final CDS Guidance
The regulatory concept of software as a medical device (SaMD) covers a range of products, from patient-centric applications on smart phones to CDS products directed to health care practitioners, and it has evolved considerably over time. The 21st Century Cures Act, enacted in December 2016, was a watershed moment in the regulation of SaMD, as the Cures Act specifically excluded a number of categories of software, including CDS meeting specified criteria, from the definition of a “device” subject to the Federal Food, Drug, and Cosmetic Act (FDCA).1
Section 520(o)(1)(E) of the FDCA sets forth four criteria (Statutory Criteria) that must be met for CDS software to fall outside the definition of a medical device and be considered a “Non-Device CDS”:
- Criterion 1: The software is not intended to acquire, process or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system;
- Criterion 2: The software is intended for the purpose of displaying, analyzing or printing medical information about a patient or other medical information (such as peer-reviewed clinical studies and clinical practice guidelines);
- Criterion 3: The software is intended for the purpose of supporting or providing recommendations to a health care professional (HCP) about prevention, diagnosis or treatment of a disease or condition; and
- Criterion 4: The software is intended for the purpose of enabling the HCP to independently review the basis for such recommendations that the software presents.
Key Changes in the Final CDS Guidance
In the three years between the issuance of the draft CDS guidance and the Final CDS Guidance, FDA had the opportunity to observe the software functions that were, and were not, subject to regulation as “devices” under the interpretation of the Statutory Criteria set forth in the draft guidance. It appears FDA has concluded that its draft guidance was too permissive, as the Final CDS Guidance is significantly more restrictive in a number of key respects:
Omission of prior enforcement discretion policy
FDA’s draft CDS guidance incorporated the International Medical Device Regulators Forum (IMDRF) risk categorization framework to evaluate whether software should be treated as a medical device based on (1) the significance to a health care decision of the information provided by the software and (2) the state of the patient’s health. In the draft CDS guidance, FDA indicated that it would exercise enforcement discretion for software presenting lower risk under this framework. In contrast, the Final CDS Guidance eliminated the concept of enforcement discretion altogether.
Exclusion of CDS software intended for use by patients
Among the software functions potentially subject to enforcement discretion under the draft CDS guidance were lower-risk CDS software functions intended for use by patients. Under the Final Guidance, however, no CDS software functions intended for use by patients or caregivers qualify for exclusion under the Non-Device CDS exception in Section 520(o)(1)(E). Nevertheless, patient-facing software may be excluded from the definition of a medical device under a different Cures Act statutory exception (e.g., software to support a healthy lifestyle).
Narrow interpretations of “medical information” (Criterion 2)
The Final CDS Guidance adopts a narrow interpretation of the second Statutory Criterion, by interpreting the phrase “medical information about a patient” to include only the types of information “normally” communicated between HCPs in clinical conversations or between HCPs and patients in the context of a clinical decision. The Final CDS Guidance also provides that, while a single measurement or discrete test result will generally be considered permissible “medical information about a patient” under Criterion 2, a more continuous sampling or a series of test results will rise to the level of a “pattern” or “signal” that precludes a software function from qualifying as a Non-Device CDS under Criterion 1.
Similarly, the Final CDS Guidance explains that FDA interprets the phrase “other medical information” in Criterion 2 to include peer-reviewed clinical studies, clinical practice guidelines, and “information that is similarly independently verified and validated as accurate, reliable, not omitting material information, and supported by evidence.” The Final CDS Guidance thus sets a high evidentiary bar for what will qualify as “other medical information” that can be displayed, analyzed or printed under Criterion 2.
Revised interpretation of Criterion 3 based on concerns over automation bias
The Final CDS Guidance revises FDA’s interpretation of Criterion 3 in light of FDA’s concern that automation bias may lead HCPs to place outsized weight on information derived from CDS software, so that the software may, in effect, be used to diagnose or treat, rather than to support or provide recommendations to HCPs in connection with their diagnosis and treatment decisions. As a result, the Final CDS Guidance provides that software does not meet Criterion 3 when it is either intended to support “time-critical” decision-making or provides a “specific preventive, diagnostic or treatment output or directive.” On the latter point, the Final CDS Guidance makes clear that software that suggests that a patient “may exhibit signs” of a particular disease, or identifies a risk score for a specific disease, will not meet Criterion 3.
Stringent requirements for divulging the basis for CDS recommendations (Criterion 4)
The Final CDS Guidance takes a stricter approach than the draft CDS guidance with respect to Criterion 4. In particular, the Final CDS Guidance includes detailed suggestions for software and labeling to ensure that they enable HCPs to “independently review the basis” for a software’s recommendations, while noting that sponsors may choose different approaches to meet Criterion 4. Among other things, FDA recommends that software or labeling include “a plain language description of the underlying algorithm development and validation” and descriptions of the data relied upon and “the results from clinical studies conducted to validate the algorithm/recommendations.”
Despite FDA’s Efforts to Provide Clarity, Key Questions Remain
While FDA’s efforts to explain the complexities of the Final CDS Guidance are laudable, a number of key questions remain. In particular:
What is the impact of FDA’s elimination of its prior enforcement discretion policy for low-risk CDS software?
The Final CDS Guidance may result in more software being regulated as medical devices. However, given the overlap between the various categories of software exempt from regulation under the Cures Act, it is also possible that CDS software previously understood to be subject to enforcement discretion may still fit within FDA’s interpretations of other Cures Act statutory exceptions, such as mobile medical or general wellness apps.
Where will the line be drawn between “medical information about a patient” and a “pattern” or “signal”?
The Final CDS Guidance makes clear that a single test result or measurement will meet the definition of “medical information about a patient” under Criterion 2, while repeated measurements or test results will rise to the level of a “pattern” or “signal,” which will disqualify a software function from meeting Criterion 1. It remains unclear what number of measurements or test results would constitute a “pattern” or “signal” rather than “medical information about a patient.”
During FDA’s September 2022 webinar, the speakers were pressed for more clarity in this regard and offered the rule of thumb that “medical information about a patient” is the type of information that might be exchanged by HCPs in a hallway conversation. They further explained that this would be likely to include a statement such as, “my patient’s blood pressure is increasing” but would not cover the review of hundreds of blood pressure data points. This somewhat extreme hypothetical does little to clarify whether, for example, two or three test results taken at one-month intervals would meet, or be disqualifying under, Criterion 2.
How will the term “time-critical” be defined?
Similarly, the Final CDS Guidance provides that software functions intended for use in “time-critical” decision-making will not meet Criterion 3 because, in such settings, HCPs are more likely to suffer from automation bias and place undue reliance on the software’s suggestions or information rather than their own medical judgment.
During the September 2022 webinar, the FDA speakers were asked whether any software used in emergency settings could be considered Non-Device CDS under the Final CDS Guidance’s narrowed interpretation of Criterion 3. In response, FDA declined to draw a bright line, stating that the Final CDS Guidance was not intended to preclude the use of Non-Device CDS in any particular setting. However, FDA has not further explained which settings or decisions may be considered “time-critical,” making it difficult for sponsors to evaluate whether their software functions will be viewed as meeting Criterion 3.
How can sponsors meet the explanatory and labeling requirements under Criterion 4 while protecting proprietary information?
The Final CDS Guidance sets forth detailed suggestions regarding software and labeling that would meet Criterion 4 by enabling HCPs to independently review the basis for a software function’s recommendations. Among these suggestions are that labeling include a “summary of the logic or methods relied upon to provide the recommendations.”
While the Final CDS Guidance does not require a sponsor to turn over its underlying code to HCPs, FDA does suggest that comprehensive disclosures are required to meet Criterion 4. This level of expected disclosure may create tension for sponsors looking to protect intellectual property and other proprietary information used to develop software functions.
In public remarks about the Final CDS Guidance, FDA has maintained that its interpretation of the Statutory Criteria has always been consistent with the 21st Century Cures Act, and that software functions will not become devices under the Final CDS Guidance that were not devices under the draft CDS guidance. Nevertheless, as discussed above, it is clear that the Final CDS Guidance includes narrowed interpretations of certain Statutory Criteria and that this will restrict the types of products exempt from regulation as devices.
As a consequence, sponsors may find that they have marketed or developed a software function that they understood to be Non-Device CDS based upon the draft CDS guidance, but which no longer qualifies as Non-Device CDS under the Final CDS Guidance. Sponsors who find themselves in this position will likely face increased costs to ensure their software complies with applicable device regulations.
While FDA has not given any indication that it will exercise enforcement discretion for software functions that may be regulated as devices under the Final CDS Guidance, it has expressed a willingness to help sponsors assess potential pathways for moving forward. Those may include making changes to software functions still under development to ensure that they fit squarely within the exceptions in the Final CDS Guidance, or seeking device clearance or approval for substantially developed or marketed software functions that, under the narrowed interpretation in the Final CDS Guidance, will be regulated as medical devices.
1 The other four software categories excluded from the definition of “device” under Section 520(o)(1) of the FDCA are: (i) administrative software, (ii) software to support a healthy lifestyle, (iii) electronic patient records, and (iv) Medical Device Data Systems.