FDA Health IT Framework Good Start, Not Yet Addressing Complexities, FDA Hears

The framework, released in April (CD April 4 p8), created three broad, risk-based categories for health IT devices, attempting to bring clarity to the FDA’s health IT device review process, given the explosion of telehealth devices. Industry and privacy groups had lauded the risk-based approach. The framework’s first two categories -- administrative health IT and health management IT products -- pose little direct risk to a patient’s health, and merit less oversight, FDA officials have said. The final group encompasses products with medical device health IT functions and merits greater FDA attention, said the framework.

"There’s a lot of bleed-over between categories,” American Medical Association Chief Medical Information Officer Michael Hodgkins said Monday. Often devices in the third category rely on correct information from the first two categories to deliver proper care, said Harvard Medical School assistant professor Meghan Dierks. Lines separating the three categories can’t stay forever, she said.

The basic process of building code relies on drawing from multiple categories, said Morgan Reed, Association for Competitive Technology (ACT) executive director. Software is “assembled like Legos,” he said. It involves pulling multiple pieces built by various people for different purposes, and then using a person’s own expertise to “glue them together” in a novel way, he said. “You need to understand that in each case you will have bleed-over literally in the code."

An FDA official acknowledged the inadequacy of fitting a rigid structure on a fluid market. More education and research is needed “to demarcate those boundaries,” said Center for Devices and Radiological Health Senior Policy Adviser Bakul Patel. “We don’t have those rules.” AMA’s Hodgkins agreed: “I don’t think you can deal with [the complexity] other than by learning the environment."

That environment is also shifting because “data is geometrically growing,” said Anand Iyer, chief data science officer of WellDoc, which provides a health data collection and analysis platform. The framework doesn’t truly address widespread data collection, he said. Data collection is the “bottom bucket” under “all three of these buckets” laid out in the framework, Iyer said. For instance, WellDoc has a “free note section” where patients can simply record whatever behavior they would like, said Iyer. For WellDoc, this type of ambiguously defined data science is “a big deal and I think it’s going to be a big deal for the industry.” It’s not clear where this type of data science belongs in the framework, though, he said.

Data science goes to the question of whether the framework’s use-based approach is appropriate, said the FDA’s Patel. “Data science is not intended use to some extent, one could argue,” he said, which might leave it out of the framework. But “data science is exactly where a lot of innovation is going to happen” in health IT, he said. The use-based approach to assessing devices extends to other areas, said AMA’s Hodgkins. Multiple low-risk devices can be combined to create a high-risk device, he said. If the government must account for secondary uses, that’s greatly expanding the testing that needs to be done, said Hodgkins. “Who’s responsible for that?"

Many have pushed for Congress to answer these questions by passing a bill that would set down official definitions of some opaque health IT terms, like “telehealth” (CD May 2 p8). Others have asked the FTC to play a bigger role in reviewing the soundness and security of health IT devices. For now, the FDA’s framework is “a starting point,” said ACT’s Reed. “But we are going to have to expect there are going to be modifications. Then we're actually going to have to put it into practice.”