Coalition Concerned that Proposed Regulatory Framework for Health Information Technology will Undermine the FDA’s Mission to Protect the Public Health

Coalition Comments of Members of the Patient, Consumer, and Public Health Coalition on the ”Proposed Risk-Based Regulatory Framework and Strategy for Health Information Technology Report”

Division of Dockets Management (HFA-305)Food and Drug Administration

5630 Fishers Lane, Rm. 1061

Rockville, MD 20852

Comments of Members of the Patient, Consumer, and Public Health Coalition  “Proposed Risk-Based Regulatory Framework and Strategy for Health Information Technology Report” Docket No. FDA-2014-N-0339

As members of the Patient, Consumer and Public Health Coalition, we appreciate the opportunity to comment on the Proposed Risk-Based Regulatory Framework and Strategy for Health Information Technology Report.

The Food Drug and Administration Safety and Innovation Act (FDASIA) required the Food and Drug Administration (FDA) to work in consultation with Office of the National Coordinator for Health Information Technology (ONC) and the Federal Communications Commission (FCC) to prepare a report on a framework for health information technology (IT), including mobile medical applications. The report reviews strategies to promote innovation, protect patient safety and avoid regulatory duplication.1

We are unable to support the proposed framework because we are very concerned that it will undermine the FDA’s mission to protect the public health. The framework “primarily relies” on the ONC and private sector capabilities to coordinate activities with FDA and FCC, which leaves the FDA in a secondary role. The FDA has overseen medical devices, including medical device software, for nearly four decades. The Agency has been regulating software on mobile platforms for more than a decade and has cleared approximately 100 mobile medical apps such as ECG machines and smartphone based ultrasounds.

We strongly disagree with the report’s recommendation that “no new or additional areas of FDA oversight are needed.”1 Since many health IT products—especially mobile medical applications–are in their infancy, we do not know how much FDA oversight these products will require. To broadly state that no new FDA oversight is needed is premature and dangerous.

The report focuses on the potential benefits of health IT and downplays the risks. For example, in the Introduction section, there is a long paragraph about the “tremendous benefits” of health IT followed by a single sentence that “it can pose risks to patients.” In fact, poorly regulated health IT devices can seriously harm huge numbers of patients, and can be fatal.

Below are our comments on specific sections of the report:


The report states that administrative health IT functions (such as billing and claims processing) pose little risk to patient safety. We agree with this assessment and are fine with ONC oversight of these products, as long as they are not defined as medical devices.

Health Management

We strongly disagree with FDA’s proposal to selectively enforce medical devices that fall into the health management category. FDA stated, “If a product with health management health IT functionality meets the statutory definition of a medical device, FDA does not intend to focus its oversight on it.”

This will lead to more inconsistencies in the clearance or approval of medical devices—something that the medical device industry has complained about for years. We also do not agree with the report’s conclusion that the safety risks for health management functions “are generally low compared to the potential benefits” because there is no scientific evidence to support that statement. We do not have a reliable measure of safety risks. The report also notes that most health management health IT “products, services, or systems are not devices…and are not required to register and list with the FDA.” The report then provides a short list of health management medical devices currently regulated by FDA. We would like to see the FDA provide a list of all health management devices to the public.

Medical Devices

We agree with the FDA that it should focus on the functionality of medical products such as mobile application devices rather than its platform, in deciding whether or not it is a device. We agree with Center for Devices and Radiological Health Director Jeff Shuren who cited an EKG device as an example. He said that “Traditionally, it’s [an EKG device] a box and it comes on a table. Today, there’s a software program we’ve cleared and it will transform your smartphone into an EKG machine. It’s used for the same purpose, and we treat it the same.”2

Promote the Use of Quality Management Principles.

This needs to be better defined. The report states that “Quality management principles help to identify, prevent, track, and monitor safety hazards and to reduce risks.” But it does not state how that should be done, except to note that health IT developers “must have flexibility.” Flexibility can lead to subjective and inconsistent standards. The statement: “The Agencies [FDA, ONC, and FCC] view this strategy, rather than a formal regulatory approach, as the appropriate method for advancing health IT quality framework,” is not backed up by evidence comparing quality management principles to regulations, especially in regards to safety and effectiveness.

Identify, Develop, and Adopt Standards and Best Practices

This section is silent about enforcement. Since the standards are “not binding,” what happens if the standards are not met?

Leverage Conformity Assessment Tools

The conformity assessment tools are voluntary. If the product fails testing or certification or other standards, will it still be allowed on the market? We strongly oppose the “development [of] post-implementation tests [that] could help users monitor whether their systems meet certain safety benchmarks.” Safety benchmarks should be met before products are allowed on the market. We strongly disagree with the report’s recommendation that voluntary conformity assessment tools should be implemented by the private sector. This would create conflicts-of-interest because the companies doing the assessments would want to please their clients (the ones whose products they are certifying) and this would lead to less rigorous reviews.

Create an Environment of Learning and Continual Improvement

This section would create a voluntary system to identify adverse events and near misses and analyze events and identify patterns. This proposal is directly contradicted by a 2012 IOM report noted that there is “Persistent underreporting of patient safety events and near misses, even when there are well-established programs in place encouraging health professional to report.”3 We are concerned that this voluntary system will understate the problem, as is the case for FDA’s voluntary adverse reaction reporting system.


The ONC has also suggests creating a public/ private Health IT Safety Center. Public-private partnerships are often primarily funded by industry, and frequently represent industry’s views more than consumers’ views. The report also states that IT stakeholders want a “reporting environment that is non-punitive, arguing that disincentives to transparent reporting include fear of liability, [and] punitive action…” That may be true for industry stakeholders but not for consumer stakeholders or patients who have been injured or killed by faulty health IT products. The report states that “the ultimate goal” of the public-private partnership is to create a “health IT learning system that avoids regulatory duplication.” That is an inappropriate goal for a “Safety” center. The report noted that ONC released a report in July 2013 with short-term strategies to improve health IT safety that included increasing the quantity and quality of data by using the FDA’s Manufacturer and User Facility Device Experience (MAUDE) database and using the Agency for Healthcare Research and Quality (AHRQ) to analyze patient safety information from private companies. This is inadequate because MAUDE is known to greatly underreport adverse events. If private companies are not required to report all adverse events, they would most likely under-report as well.


The report found several challenges to a successful health IT system including “poor human-computer interactions can contribute to serious injury and Death;” and “Significant knowledge gaps exists in our understanding of the benefits and risks to patients associated with different health IT functionalities.” The report also notes evidence that health IT can “result in adverse consequences, such as medication dosing errors or delays in diagnosis and treatment.” These are serious risks, and that is why these products should be regulated by the FDA as medical devices that require evidence of safety and effectiveness, not a public-private partnership whose interests may not be aligned with public health.


Health care providers and patients rely on the FDA to establish that a device is reasonably safe and effective. If FDA does not carefully scrutinize health IT products to evaluate evidence that those that are devices have benefits that outweigh the risks, patients may be seriously harmed. Even if the health IT product is not harmful, if it is ineffective, then patients could be harmed by inaccurate results that are either anxiety-producing or erroneously reassuring. These outcomes could result either in unnecessary testing or serious illness or death.

For the above reasons, we believe that the proposed health IT regulatory framework will undermine the FDA’s primary mission, which the FDA Commissioner has emphasized is to protect the public health. Health IT products must be shown to be safe and effective and the results they claim must be shown to be accurate and supported by sound scientific evidence. The FDA is the agency best suited to make those determinations, and will need resources to do so. All health IT products that are medical devices (including health management devices) should be regulated by the FDA, not overseen by ONC or FCC. American Medical Women’s Association Annie Appleseed Project National Center for Health Research Center for Science and Democracy at the Union of Concerned WoodyMatters The Patient, Consumer, and Public Health Coalition can be reached through Paul Brown at or (202)223-4000.

1 Food and Drug Administration (2014). FDASIA Health IT Report; Proposed Strategy and Recommendations for a Risk-Based Framework.

2 Ravindranath, M (April 13, 2014). FDA report hints at relaxed approach to IT rule-making. The Washington Post.

3 Institute of Medicine (2012). Health IT and Patient Safety: Building Safer Systems for Better Care

Leave a Comment

Your email address will not be published.