Medical Software and the 21st Century Cures Act

The 21st Century Cures Act, Pub. L. No. 114-255, 130 Stat. 1033, was signed into law on December 13, 2016. This expansive statute addresses topics ranging from investigational drug clinical trial design, mental health program funding and insurance coverage, to a new Medicare benefit for home infusion therapy, among many others. This post focuses on amendments to the Federal Food, Drug, and Cosmetic Act (“FDCA”) addressing FDA regulation of medical software.

Section 3060 of the 21st Century Cures Act describes five types of medical software that are not to be considered regulated medical devices under the FDCA. Perhaps most notably, this includes software intended to support or provide recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition, or to display, analyze, or print medical information about a patient or other medical information such as peer-reviewed clinical studies and clinical practice guidelines.

However, to avoid regulation the software function must enable a health care professional to independently review the basis for the software’s recommendations, so that it is not intended that the health care professional rely primarily on the software’s recommendations to make a diagnosis or treatment decision about an individual patient. In addition, the software function must not be intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system.

This provision essentially ensures that FDA may not regulate many types of clinical practice support software as medical devices, so long as the software does not acquire or analyze medical images or in vitro device signals, and does not perform biomedical signal acquisition.

The other four types of medical software excluded from the definition of a medical “device” are software intended:

  1. to transfer, store, convert, format, or display clinical diagnostic laboratory test results or other device data, findings by a health care professional regarding such data and results, and general information about those findings and background information about the tests and devices, so long as the software is not intended to interpret or analyze a laboratory test or device data, results, or findings;
  2. for administrative support of a health care facility (including processing claims and billing information, business analytics, population health management, lab workflow, cost-effectiveness and utilization analysis, and appointment scheduling);
  3. to maintain or encourage a healthy lifestyle, so long as the software is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition; and
  4. to serve as an electronic patient record to the extent the electronic record is intended to transfer, store, convert formats, or display the equivalent of a paper medical record, and so long as: (a) the records were created, stored, transferred, or reviewed by a health care professional (or by those supervised by a health care professional); (b) the records are part of a certified health information technology; and (c) the software function is not intended to interpret or analyze patient records in order to diagnose, cure, mitigate, prevent, or treat a disease or condition.

The medical software industry will welcome these provisions because they clear away ambiguity as to whether many types of clinical practice support software, EHR software, and other types of administrative software used in health care settings may be regulated as medical devices under the FDCA. As medical software continues to evolve and biomedical signal acquisition and similar features continue to integrate into administrative and clinical practice software, certainly some software functions of more complex, multi-use software may be regulated under FDA’s medical device authorities. Moreover, medical software developers and producers must remain attentive to regulation affecting certain aspects of their products and product use (such as HIPAA and FTC privacy and security regulation). But the 21st Century Cures Act undoubtedly brings greater certainty about the costs and ongoing regulatory burden associated with a wide variety of medical software.

Ross C. D'Emanuele

Ross works in the health care provider, payor, and drug and medical device segments of the health care industry. His areas of expertise include health care fraud and abuse, Stark and anti-kickback laws, HIPAA and other privacy and security laws, reimbursement rules and appeals, clinical trial agreements and regulation, FDA regulation, open payments and state "Sunshine Act" laws, accountable care organizations, value-based reimbursement, and telemedicine.