Cutting Edge Issues in Health Care Technology & mhealth Vernessa Pollard July 2014 Agenda The Regulatory Landscape Jurisdiction and Authority Over Mobile Health Products Requirements, Compliance and Enforcement Healthcare Fraud & Abuse Risks Points to Remember Regulatory/Legal Checklist 2 1
What is Health IT? Health IT is a broad term that describes the convergence of telecommunications and medical technologies and solutions... that offer the potential to improve health care outcomes while simultaneously controlling costs and extending the reach of a limited pool of health care professionals. -- National Broadband Plan, FCC 3 Who Regulates Health IT? Plaintiffs Bar FDA Competitor CMS Health IT FTC States FCC Industry Groups 4 2
Focus of FDA Regulation The Food and Drug Administration (FDA) believes that Health Information Technology (HIT) offers tremendous health benefits to the American public. HIT also poses potential risks that can and should be mitigated. Jeffrey Shuren, M.D., J.D., Director, Center for Devices and Radiological Health (CDRH), FDA, December 12, 2010 5 Basic Principles of FDA Regulation Products cannot be marketed without appropriate premarket approval unless they are exempt from such requirements Products must be designed and manufactured to ensure safety and quality Manufacturers, importers, distributors, and certain product users ( user facilities ) must collect, evaluate and report adverse events to FDA, although requirements differ slightly for each group Every entity and individual in the product marketing or supply chain has potential liability for statutory violations if they distribute or further the distribution of non-compliant products 6 3
How Does FDA Regulate? Through Premarket Review and Approval of Products Reviews and approves devices before they are marketed Establishes requirements for clinical trials and testing Sets standards for product specifications and performance Through Postmarket Requirements and Surveillance Ensures compliance with Good Manufacturing Practices (GMPs) and Quality System (QS) Requirements Performs inspections and compliance reviews Regulates marketing and promotion Conducts Postmarket Surveillance and Safety Activities Through Interpreting and Enforcing Laws Regulations, guidance, advisories Inspections and enforcement Coordinating with other regulators (e.g., FTC, DOJ, CMS, FBI, SEC, CBP, States) 7 What is a Medical Device? A medical device is an instrument, apparatus, implement, machine, contrivance... or other similar or related article, including any component, part, or accessory intended for use in the diagnosis, treatment, cure, or prevention of a disease or condition, or intended to affect the structure or function of the body which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes See 21 U.S.C. 321(h) 8 4
What is a Product s Intended Use? Intended use refers to the objective intent of the persons legally responsible for marketing the product, and is shown by: Labeling (e.g., packaging, user manuals, medication guides, other information that is integral to a transaction or necessary to ensure safe use of the product) Promotional Statements (e.g., advertising, sponsorships, or other activities intended to raise awareness of a business or product, or surrounding content/graphics are important factors) Other Statements Made By or On Behalf Of the Marketer (e.g., securities registration, patent filings, testimonials, oral statements by sales reps, depictions of conduct or use) Actual Knowledge of the marketer as to end user intent; circumstances of marketing See 21 C.F.R. 801.4 9 Intended Use Doctrine in Practice Your website notes that [Product] is an intelligent image analysis software system.... It is [an] information driven Histopathological and Cytopathologic image analysis, quantification, management and retrieval system that assists pathologists in detection, counting, classification and evaluation of cells and tissues in the given image... and physicians, in their war against cancer - a step ahead in pathological diagnosis and prognosis." [Product] is a device as that term is defined in... the Federal Food, Drug, and Cosmetic Act... because it is intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, or because it is intended to affect the structure or any function of the body. Based on a recent review of your website... FDA has concluded that you are marketing [Product] without approval or clearance from FDA, in violation of the law. * FDA Warning Letter 5/25/05, available at http://www.fda.gov/iceci/enforcementactions/warningletters/2005/ucm075422.htm 10 5
Key Premarket Concepts To establish that a medical device is safe and effective for an intended use, the sponsor/marketer must: Establish that it is exempt from premarket review because it is subject to an existing classification regulation that exempts such devices from premarket review; or Submit a premarket notification (510(k)) to show that the device is substantially equivalent to a device that is already authorized by FDA; or If it is not substantially equivalent to a previously authorized device (e.g., because it is new technology or involves a new use for a marketed device), submit a Premarket Approval application (PMA), including laboratory, technical, and clinical trial data to show that the device can be safely used as intended The types of clinical trials or other data necessary to demonstrate safety and effectiveness depends on several factors including the device s classification, characteristics, and intended use 11 What is the Classification? FDA classifies devices into three classes based on risks: Class I (low risk) Usually exempt from premarket review, with some exceptions Class II (moderate risk) Typically require a 510(k) Class III (high risk) Typically require a PMA Over 1800 medical device types are classified by regulation. See 21 U.S.C. 360c (device classification); 21 C.F.R. Parts 860-892 12 6
Clinical Trial Requirements Institutional Review Board (IRB) approval is: Required for all clinical trials: research or testing of an unapproved device or new intended use of approved/cleared device on humans Not required for consumer preference research: market or opinion research involving FDA-approved or cleared devices, or exempt devices (e.g., surveys, opinion polls, home use tests), but research must involve approved or cleared uses The IRB must monitor and review the clinical trial to ensure participant safety, data integrity, and compliance with Federal and state requirements See generally 21 C.F.R. Part 56 13 Labeling and Advertising FDA regulates labeling (e.g., packaging, instructions for use) for all medical devices and advertising of restricted medical devices Labeling definition is broad and may encompass many forms of advertising FTC regulates advertising of non-restricted devices Focuses on deceptive advertising/trade practices (e.g., statements, omissions of material facts, practices that are likely to mislead consumers) States regulate the practice of medicine Healthcare providers may prescribe medical devices for unapproved uses based on their medical judgment, but they are subject to Federal and state laws that prohibit the promotion of products for unapproved (off-label) uses 14 7
Device Labeling Intended Use must comply with: Device Classification Regulation ( Specifications ) List and explains conditions under which devices can be marketed and classification Indications for use, etc. Final classification regulations are published at 21 C.F.R. Parts 862-892 Premarket notification(510(k)) Labeling must contain: Identity, Quantity, Business name on package label 21 C.F.R. Part 801 Adequate directions for use (including warnings) 21 C.F.R. 801.5 15 Device Advertising Advertisements must comply with applicable FDA and FTC requirements FTC Act prohibits unfair and deceptive trade practices of over-thecounter ( OTC ) drugs, medical devices, food, cosmetics, and other FDA-regulated products 15 U.S.C. 52; 16 C.F.R. 255.5 (e.g., statements, omissions of material facts, practices that are likely to mislead consumers) The net impression created by the claims, graphics must be truthful, accurate, and non-misleading, etc. Claims (including testimonials) must be substantiated by competent and reliable scientific evidence (e.g., by clinical data or other studies or evidence) Disclaimers are permitted, but may not always be sufficient to cure misleading statement; FDA and FTC generally disfavored the use of disclaimers in most contexts 16 8
Medical Device Compliance Requirements Manufacturers are required to meet certain specific requirements prior, and subsequent to marketing: Good Clinical Practice (GCP)/Investigational Device Exemptions (IDE) Premarket Clearance (510(k)) or Premarket Approval (PMA) Establishment Registration and Device Listing Good Manufacturing Practice/Quality System Medical Device Adverse Experience Reports (MDRs) Labeling and Advertising Compliance Recalls, Corrections, Removals, Market Withdrawals 17 Medical Device Requirements: Applied to Health IT 18 9
Medical Device Data Systems (MDDS) A medical device data system (MDDS) is a [medical] device that is intended to provide one or more of the following uses, without controlling or altering the functions or parameters of any connected medical devices: The electronic transfer of medical device data; The electronic storage of medical device data; The electronic conversion of medical device data from one format to another format in accordance with a preset specification; or The electronic display of medical device data 21 C.F.R. 880.6310 This may include software, electronic or electrical hardware, modems, interfaces, and a communications protocol This does not include devices intended for use with active patient monitoring (these are medical devices, but not medical device data systems) 19 Mobile Medical Applications (MMAs) A mobile medical application (MMA) is a mobile application that (1) meets the definition of a device in section 201(h) of the FDCA and (2) Either (a) Is used as an accessory to a regulated medical device; or (b)transforms a mobile platform into a regulated medical device Mobile Application - software application that can be used on a mobile platform or a web-based software application that is tailored for use on a mobile platform but is executed on a server. Mobile Platform - commercial off-the-shelf (COTs) handheld computing platform, whether or not it has wireless connectivity capabilities. Examples include PDAs, tablets, and smart phones. 20 10
MMAs in Practice: MiMVista and FDA 21 FDA MMA Guidance (Sept. 2013) Describes FDA s regulatory approach for mobile apps It covers mobile apps, but does not address other types of Health IT or software It defines key terms and categories of mobile apps and provides examples of regulated and unregulated apps It provides recommendations for manufacturers and developers on how to comply with FDA requirements Three Categories of Apps Apps that are not Medical Devices These apps are not regulated because they do not meet the legal definition of a medical device Apps Subject to Enforcement Discretion These apps are or could be medical devices, but FDA is choosing not to regulate them because they are perceived to be low risk Mobile Medical Apps These apps are medical devices. They perform the same functions as currently regulated medical devices and pose similar risks. 22 11
Mobile Apps Regulatory Continuum No FDA Regulation Enforcement Discretion 1 Full Compliance 2 Full Compliance 510(k) Full Compliance PMA Not a Medical Device Medical devices that FDA chooses not to regulate Class I Low Risk Class II Moderate Risk Class III High Risk 1. Enforcement discretion means that FDA has the discretion to decide not to enforce certain requirements for certain products. FDA may withdraw its discretion based on new information, safety issues, or other factors. 2. Unless otherwise exempt from certain requirements 23 App Name Description Regulatory Category Neonatal Monitoring App Allows consumers and HCPs to hear and see fetal heartbeat through sensor that connects to smart phone Mobile Medical App (Class II device) Depression Symptom Tracker Clinical Trial and Physician Finder Examples of Mobile App Categories Allows consumers to manually enter signs and symptoms of depression and daily moods and behaviors; graphs and tracks symptoms based on preset parameters; provides coaching on managing depression Allows patients and HCPs to locate clinical trials and clinicians based on conditions, therapy, or HCP specialty Enforcement Discretion Not a medical device 24 12
Clinical Decision Support Tools (CDS) A clinical decision support (CDS) tool is a device that: Uses an individual s information from various sources (electronically or manually entered) Converts this information into new information that is intended to support clinical decision-making Could be a mobile application, web-based service or desk top application According to FDA, the source or manner of input is not relevant to definition Information could be (1) entered by a person; (2) transferred electronically from a manually connected device; (3) collected and entered by a connecting device; (4) environnemental data (pollen count, temperature, etc); (5) demographic data Regulatory status and classification decisions focus on the type of information being analyzed and how information is converted Conversion or analysis could include: (1) using algorithms (fixed or iterative); (2) using formulae; (3) database look-ups or comparisons; (4) using rules and associations 25 Possible Implications/Categories for CDS? App Name Description Regulatory Category Cancer Diagnostic Software Patient Care Improvement Software Clinical Trial and Physician Finder Analyzes images from digital mammography systems and uses an algorithm to detect and highlight suspicious lesions; compares lesions against pre set parameters and examples; provides treatment recommendations based on size and severity of lesions and patient information Analyzes patient medical records, claims data, patient profile, and compares data against published data; provides educational information on certain diseases or conditions and general recommendations to HCPs on improving overall patient adherence to pre established treatment plan (e.g., communication, follow up, etc.) Allows Patients and HCPs to locate clinical trials and specialists based on conditions, therapy, or HCP specialty Class II device Status likely depends on nature of recommendations, but likely subject to Enforcement Discretion Not a medical device 26 13
Overview Currently Marketed CDS Products* Certain CDS-like tools are registered with FDA-- Distinguishing characteristics? Registered products/platforms obtain data from external biometric measuring devices (regulated by FDA) Blood pressure monitors, scales, oximeters, etc. The software is designed to analyze vital signs or device data from these external devices Clinicians/patients then receive messages, analytics based in part on such data *Data based on publicly available information 27 Overview of Currently Marketed CDS Products cont d Common Characteristics of Non-registered Software Focused primarily (or solely) on EHR analytics Integrating data from medical, pharmacy, lab claims in key areas: Drug interactions (e.g., dosage, multiple diseases, duplication) Care coordination Omission of essential care (e.g., missed diagnostic or drug test) Switching from brands to generics & medication history Encouraging HCP appointments, specific exams Patient/HCP messaging based on these analytics Care alerts RxSafety Alerts Adherence Email, fax, mail, mobile apps Data integration with calls from nurse hotlines or wellness coaches Some are disease focused (e.g., HIV, COPD) Use of clinical guidelines /algorithms for analytics/messaging Likely proprietary, though some may be public Includes updated FDA risk/warning information 28 14
Health IT Quality Standards Applicants seeking to market software-based medical devices must demonstrate, among other things, that appropriate: Design control procedures were used to develop the software (e.g., documentation of design processes, specification changes), including: Software validation: specifications conform to user needs and intended uses; part of software development; tested under simulated use and at user test sites Software verification: consistency, completeness, correctness (output = input) Level of validation/verification required increases as safety risks increase Software engineering needs an ever greater level of managerial scrutiny and control than does hardware engineering because of complexity, difficulty detecting problems, and risk that minor coding mistakes can cause major problems down-the-line See General Principles of Software Validation; Final Guidance for Industry and FDA Staff (2002) 29 FDASIA Sec. 618 Health Information Technology (HIT) FDA is required to publish a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework pertaining to health information technology, including mobile medical applications Developed in consultation with the National Coordinator for HIT (ONC) and FCC Strategy should promote innovation, protect patient safety, and avoid regulatory duplication Working group charged with providing expert input on issues and concepts identified by FDA, FCC, and ONC 30 15
April 2014 FDASIA Health IT Report Categorizes Health IT into three categories based on functionality, rather than the platform 1. Administrative Health IT functions Proposed no additional oversight of these types of products because pose little or low risk e.g., billing and claims processing, practice and inventory management, scheduling, analysis of historical claims data to predicate future utilization or cost-effectiveness, determination of benefits eligibility, population health management 2. Health management Health IT functions Potential safety risks generally low compared to potential benefits Proposed relying on quality management principles, industry-standards, and best practices to assure a favorable benefit-risk profile [i]f a product with health management health IT functionality meets the statutory definition of a medical device, FDA does not intend to focus its oversight on it e.g., health information and data exchange, data capture and encounter documentation, most clinical decision support, medication management, provider order entry, patient identification and matching, clinical evidence management 3. Medical device Health IT functions These functionalities pose greater risk to patient safety and are the focus of FDA s attention and oversight e.g., computer aided detection software, remote display or notification of real-time alarms from bedside monitors, robotic surgical planning and control The FDASIA Health IT Working Group did not propose the need for new FDA authorities or additional oversight, but recommended that FDA provide greater clarity 31 April 2014 FDASIA Health IT Report (Cont d) Summary and Recommendations Regarding Clinical Decision Support Tools Health Management Health IT Functionality Most CDS functionalities can be categorized as health management Health IT FDA does not intend to focus its regulatory oversight on these products/functionalities, even if they meet the definition of a device Non-regulatory approaches described in report sufficient to mitigate safety risks Examples: Evidence-based clinician order sets, most drug dosing calculators, reminders for preventative care, facilitation of access to treatment guidelines and other reference material, calculation of predication rules and severity of illness assessments, suggestions for possible diagnoses based on patient-specific information retrieved from patient s EHR Medical Device Health IT Functionality Small subset of CDS tools that are medical device health IT functionality present higher risk FDA s active oversight should continue FDA will work to clarify the types of CDS tools that should be the focus of oversight Examples: Computer aided detection/diagnostic software, remote display or notification of real-time alarms from bedside monitors, radiation treatment planning, robotic surgical planning and control, electrocardiagraphy analytical software 32 16
April 2014 FDASIA Health IT Report (Cont d) Proposed Strategy and Recommendations for a Health Management Health IT Framework Promote the use of quality management principles Use of quality management principles necessary for the safe design, development, implementation, customization, and use of health IT Identify, develop, and adopt standards and best practices Focus areas for standards and best practices implementation: (i) Health IT design and development, including usability; (ii) Local implementation, customization and maintenance of health IT; (iii) Interoperability; (iv) Quality management, including quality systems; and (v) Risk management Leverage conformity assessment tools Conformity assessment tools (e.g. product testing, certification, accreditation) should be used in a risk-based manner to distinguish high quality products, developers, vendors and organizations Create an environment of learning and continual improvement Recommended creation of a Health IT Safety Center that would serve as a trusted convener of health IT stakeholders and identify the governance structures and functions needed for the creation of a sustainable, integrated health IT learning system that avoids regulatory duplication and leverages and complements existing and ongoing efforts 33 FTC Emphasis on Health IT Advertising Regardless of the size of your business, the Federal Trade Commission (FTC) the nation s consumer protection agency has guidelines to help you comply with truth-in-advertising standards and basic privacy principles..... Laws that apply to established businesses apply to you, too, and violations can be costly. In addition, satisfied users may be your best form of marketing. Breaking into the business with an app that delivers on its promises is key to your long-term success. FTC Guidelines, Marketing Your Mobile App: Get It Right from the Start, April 2013 34 17
FTC Guidelines -- Marketing Your Mobile App: Get It Right from the Start (April 2013) Tell the truth about what your app can do Disclose key information clearly and conspicuously Offer choices that are easy to find and easy to use Build privacy considerations in from the start Be transparent about your data practices Honor your privacy promises Protect kids privacy Collect sensitive information only with consent Keep user data secure Collect only the data you need; Secure the data you keep by taking reasonable precautions against well-known security risks; Limit access to a need-to-know basis; and Safely dispose of data you no longer need 35 Points to Remember Regulatory/Legal Checklist Is your Health IT product a medical device? If it is a medical device, how does it impact patient health or safety? Does it pose any risks, and what is the likelihood that these risks will be realized? Have you created appropriate design, validation, verification, and development processes to manage and mitigate these risks? Do you have systems and processes to identify, record, report and address complaints, deviations, or malfunctions? Have you considered pricing, reimbursement, and Fraud & Abuse Issues? If you are purchasing, licensing, or sourcing a device or component from a thirdparty developer, have you verified the developer s compliance with applicable requirements? 18
Points to Remember Regulatory/Legal Checklist (cont d) If your product is not a medical device, have you considered what other regulatory requirements apply beyond FDA? Have you considered FTC marketing and promotional requirements for regulated devices and unregulated products? Have you implemented appropriate systems to comply with HIPAA, HITECH, and other privacy and data security requirements? Have you considered FCC regulations or requirements? What about warnings, instructions for use, and other disclosures or disclaimers? Who owns the Intellectual Property for the device? If you re working with a third-party developer or contractor, does your agreement contain appropriate reps and warranties regarding regulatory issues, appropriate indemnification provisions, and appropriate quality requirements? 19