U.S. Life Sciences Regulatory and Compliance Outlook 2024 (Part IV): Digital Health

January 31, 2024
29:08 minutes

Join Ropes & Gray’s life sciences attorneys for a podcast series exploring regulatory, compliance, and enforcement changes emanating from Washington, D.C. and the potential impact on life sciences companies in 2024. In this fourth and final episode, attorneys Greg Levine, Sarah Blankstein, and Beth Weinman discuss key areas to watch related to FDA regulation of digital health tools in 2024. These include digital health technologies used in product development, artificial intelligence and machine learning-enabled medical devices, clinical decision support software, and medical device cybersecurity.


Greg Levine: Welcome to Non-binding Guidance, a podcast series from Ropes & Gray focused on current trends in FDA regulatory law, as well as other important developments affecting the life sciences industry. I’m Greg Levine, head of the life sciences regulatory and compliance (“LSRC”) practice group in Ropes & Gray’s Washington, D.C., office. I’m joined today by two of my superstar colleagues from our LSRC practice: Beth Weinman, also based in Washington, D.C. and a former enforcement litigator from FDA’s Office of the Chief Counsel, and Sarah Blankstein, also formerly from our Washington, D.C. office but now based in Boston after a temporary career detour to an in-house position at a leading Boston-based biotechnology company.

Today’s episode will be the fourth and final in our 2024 U.S. life sciences regulatory outlook podcast series. We’ll be discussing some key issues to watch related to digital health in 2024. These include:

  • digital health technologies (“DHTs”) in product development;
  • artificial intelligence (“AI”) and machine learning (“ML”) medical devices;
  • clinical decision support (“CDS”) software; and
  • cybersecurity in medical software.

Let’s start with the digital health technologies in product development. Sarah, could you give us an update on what’s been happening in this area?

DHTs in Product Development

Sarah Blankstein: Happy to, Greg. Digital health technologies in drug and device development certainly is a hot topic with lots of FDA activity last year and more expected in 2024. But, before I get into the specifics, I’m going to take a step back and provide a bit of context. When we talk about digital health technologies (“DHTs”) in product development, that covers a lot of different types of tools used at various points in product development. As defined by FDA, a DHT is “any system that uses computing platforms, connectivity, software, and/or sensors, for health care and related uses.” That could be anything from a mobile app used to collect patient-reported outcomes to a wearable device that records clinical trial participants’ vitals as part of a study endpoint. DHTs like these and other digital tools have become increasingly important to product development from early research stages through clinical development.

Now, not every use of a digital tool in product development is going to be subject to FDA regulation. But, particularly when we’re talking about use of DHTs in clinical trials, it’s critical that sponsors carefully consider the applicable regulatory requirements.

In 2023, FDA took some important steps to clarify the requirements applicable to DHTs when used in product development. In particular, in December, the Agency finalized its guidance on Digital Health Technologies for Remote Data Acquisition in Clinical Investigations. The draft of that guidance was issued in 2021, and the final guidance reflects updates required by the Food and Drug Omnibus Reform Act of 2022 (“FDORA”).

Notably, the final guidance—like the draft guidance—is cross-center and provides considerations for the use of DHTs in clinical investigations of drugs, biologics, and devices. It addresses a range of issues, including DHT selection, information to be included about DHTs in regulatory submissions like investigational new drugs (“INDs”) or investigational device exemptions (“IDEs”), verification, validation, and usability assessments, statistical and trial design considerations, risk assessment, recordkeeping, and training. So, it covers a lot of ground.

There are a number of changes in the final guidance, but I was particularly interested to see how FDA addressed regulatory requirements for DHTs that are medical devices. When a DHT is a medical device, there’s a question of whether its use requires submission of an IDE, which could be in addition to an IND for the clinical investigation of the drug or biologic in which the DHT is being used. The final guidance provides some helpful clarification on that point. First, FDA says that it expects it to be uncommon for an IDE application to be required. However, where the regulations would require an IDE application, FDA now says that, “when all of the information required in an IDE application . . . is also contained in the IND, FDA generally does not intend to request that sponsors submit a separate IDE application,” so some helpful streamlining and efficiency there.

Ultimately, while the guidance, I would say, is helpful in clarifying how FDA is approaching DHTs used for remote data collection in clinical trials, the expectations are quite rigorous and also will turn on the particulars of the given trial design, disease state, DHT, and other factors. So, I expect that sponsors will still need to engage extensively with the applicable FDA review division on plans to incorporate DHTs in their clinical development programs.

Apart from the new guidance, FDA took some other notable actions on DHTs in drug development in 2023.

In March, the Center for Drug Evaluation and Research (“CDER”) and the Center for Biologics Evaluation and Research (“CBER”) issued a Framework for the Use of Digital Health Technologies in Drug and Biological Product Development. The framework fulfills a Prescription Drug User Fee Act (“PDUFA”) commitment and outlines FDA’s plans for addressing DHTs in drug development. Among other things, the framework provides for workshops, demonstration projects, establishment of internal processes for evaluating DHTs, promotion of shared learning and consistency across the Agency, and publication of guidance documents.

Then, in May, FDA issued a discussion paper on AI and Machine Learning in the Development of Drug and Biological Products. It’s an interesting paper, though more of a survey of the landscape than a proposed regulatory approach to AI in drug development. FDA notes that submissions across the drug and biological product applications that include AI/ML have increased substantially over the last several years to more than 100 submissions in 2021. The aim of this paper is to spark discussion with stakeholders on AI and ML in drug development, and a workshop is planned with stakeholders for further engagement. So, more to come on that topic.

Looking at 2024, as part of the latest PDUFA reauthorization, FDA had committed to a number of actions to enhance the use of DHTs to support drug development and review. One of those commitments is to host a series of five public meetings or workshops on DHT topics, the first of which was held last year and focused on validation, and I expect that at least one will be held in 2024, as well. I could certainly see the learnings from these workshops as well as from FDA’s experience actually reviewing and working with sponsors on clinical studies that incorporate DHTs leading to new or revised guidance from the Agency. In fact, that’s another of FDA’s PDUFA commitments, that beginning in FY 2024, FDA will publish additional draft guidances in identified areas of need informed by stakeholder engagement, such as acceptable approaches to capturing and reporting adverse events in clinical trials using DHTs.

I’m certainly interested to see what, if anything, ends up on CDER’s 2024 guidance agenda addressing DHTs in drug development or AI and machine learning topics. As of this recording, though, that agenda is yet to be published.

AI/ML in Medical Devices

Greg Levine: Thanks, Sarah. Lots to come on digital health technologies in drug development it sounds like. Next, I’d like to talk a bit about AI and machine learning functionality in medical devices. AI/ML has been a focus area for FDA’s device center (“CDRH”) for a number of years, and in 2023, that was certainly no exception.

If we look at the devices that FDA authorized in 2023, there’s data that FDA published in October that identifies that through the end of July of 2023, in just that seven-month period—January to July 2023—FDA authorized 108 AI-enabled devices. About 80% of those fell in the radiology area, which is one of the major areas where we already have seen many authorizations of AI-enabled devices. Then, the next biggest group involves cardiovascular-related tools.

On the policy side, the most notable development was the device center’s publication of the greatly anticipated draft guidance on predetermined change control plans (“PCCPs”) for AI/ML-enabled medical devices. That was published in April, and we discussed that in depth in a client alert—I won’t rehash all of that here. That draft guidance came after a number of steps FDA had taken in recent years to address AI/ML-based software, including publication of a 2019 discussion paper and request for feedback on a Proposed Regulatory Framework for Modifications to AI/ML-Based Software as a Medical Device (“SaMD”).So, that’s what this PCCP relates to those kinds of changes to the AI/ML-enabled medical devices. That draft guidance also came after FDA’s 2021 publication of an action plan on AI/ML-based software as a medical device. FDA had first introduced that concept in 2019 of predetermined change control plans as a mechanism to allow FDA to authorize anticipated AI/ML-based modifications to device software products during the premarket review process. And then, in 2022, in the Food and Drug Omnibus Reform Act, Congress provided FDA with express statutory authority for PCCPs. These are novel, in that it is a plan that FDA approves at the outset when they clear a device that allows modifications to the cleared product without having to go back through FDA, which is why it was thought that additional statutory authority might be required there.

The 2024 CDRH guidance agenda includes finalizing the PCCP draft guidance for AI/ML-enabled devices, as well as publishing draft guidance on PCCPs for other types of medical devices. As far as the final guidance, I expect it will address at least some comments that were received from stakeholders on the draft. While the comments generally are supportive of the use of PCCPs and the concept of PCCPs, there were a number of areas where industry was hoping for greater clarity, and there were comments seeking to expand the potential use cases for PCCPs and also to ensure appropriate transparency about PCCPs to device users while still protecting the proprietary and confidential information of the developer of the software.

Even without that final guidance in place, I want to mention that FDA is already receiving and reviewing device submissions that include PCCPs. In April of 2023, for example, FDA cleared a 510(k) with a PCCP for Medtronic’s AccuRhythm AI, which is an arrhythmia detector with an alarm feature. And so, for companies planning to submit PCCPs to FDA in 2024, I think it will continue to be important to engage with FDA about these plans, for example, through the Q-sub process. FDA is still ramping up in this area and its thinking about PCCPs will likely evolve as it gains more experience reviewing such plans.

Sarah, let’s go back to you. Aside from the PCCP guidance, what are you watching this year on the subject of AI and ML?

Sarah Blankstein: The final PCCP guidance is definitely a big thing I will be watching for this year. Also, on CDRH’s 2024 guidance agenda is a new draft guidance on life cycle management considerations and premarket submission recommendations for AI/ML-enabled device software functions. It remains to be seen exactly what that draft guidance will cover, but based on the title, I expect one topic may be aspects of the total product life cycle approach that FDA discussed in its AI/ML-proposed framework and action plan. FDA has emphasized the importance of real-world data collection and monitoring for AI/ML-based software to mitigate risks with software modifications. Stakeholders have raised many questions about this—things like: How much oversight should be performed? When and how much data should be provided to FDA? How can the feedback be incorporated? So, I’m looking for this new draft guidance to potentially answer some of those questions.

Last year, we also saw FDA issue its second “guiding principles” document on AI/ML-enabled devices jointly with the UK MHRA and Health Canada. In October, the agencies issue, the high-level Guiding Principles on Predetermined Change Control Plans for Machine Learning-Enabled Medical Devices. It follows upon the three agencies’ 2021 Guiding Principles on Good Machine Learning Practice for Medical Device Development. I’m not aware of particular plans or topics for 2024, but I do think we will continue to see FDA engaging and seeking to harmonize with foreign regulators as regulatory authorities around the world grapple with creating frameworks to appropriately handle these new and evolving technologies.

Lastly, although not specific to FDA, I would be remiss if I didn’t mention the Executive Order President Biden issued at the end of October on artificial intelligence. Among other things, the Executive Order directs the Department of Health and Human Services (“HHS”) to establish a task force within 90 days, and then, within one year after that, to develop a strategic plan on responsible deployment and use of AI and AI-enabled technologies in the health and human services sector, including specifically, research and discovery, drug and device safety, health care delivery and financing, and public health. The strategic plan would describe the regulatory actions that FDA and other HHS agencies would need to take to implement the plan. So, I expect we will see the task force up and running soon per the timelines in the Executive Order with work on the strategic plan happening over the course of 2024.

Turning to another topic, we should spend some time talking about clinical decision support (“CDS”) software, as well. Greg, what has been happening with CDS?

Clinical Decision Support

Greg Levine: Clinical decision support software continues to be a very hot topic. As you know, FDA released final guidance on CDS software in 2022, and we addressed that in depth in another client alert that we have published, as well as a companion podcast that we put out at the time.

What we discussed in that alert and podcast is that that guidance was really a significant departure from the prior drafts, and there’s quite a bit of controversy around it. Industry has widely criticized the guidance as an overreach by FDA, as reading in criteria for CDS to be a non-device—to be outside the statutory definition of a medical device—that are not part of the statutory exemption. There is a statutory exemption, Section 3060 of the Cures Act, that took certain kinds of software functions outside of the definition of medical device, and so, the concern is that FDA added criteria to that that are not straight from the statute and that are, in some ways, perhaps not appropriate. Moreover, given how much the guidance changed from the prior draft, industry has a problem in that they’ve been left with a lot of questions about CDS offerings that they were already marketing, which had been analyzed under the prior draft guidance from FDA. In addition to a new interpretation of the criteria to qualify as a non-device clinical decision support software function, the draft guidance contained some enforcement categories, including for patient-directed, as opposed to physician-directed, clinical decision support software that were removed from the final guidance, that no longer exist.

So, software developers are continuing to grapple with this issue of what to do with their CDS tools, both current ones and ones that they already had on the market and, ultimately, having to make judgment calls about mitigations and the level of risk they may be willing to take on without going through FDA for marketing authorization.

The ambiguities in FDA’s regulation and enforcement policies for software tools are not limited to the CDS guidance. Even if the tool does not fit within the CDS exemptions as a non-device—at least as interpreted by FDA in this 2022 final guidance—there are other exemptions and enforcement discretion policies that FDA has published that may apply, such as those that are published under and collected under FDA’s Policy for Device Software Functions guidance document. And there, again, there’s a lot of gray as to whether a particular tool may qualify for enforcement discretion—for example: Is a particular calculator performing simple calculations routinely used in clinical practice such that it would be subject to enforcement discretion? Does the tool seem analogous to any of the examples that FDA provides in the appendix to the guidance document? Or, if we’re talking about a licensed practitioner-developed tool, is that tool being deployed in the practitioner’s “own practice,” such that it is exempt from FDA registration, listing, and 510(k) clearance requirements? So, lots of tough questions to grapple with there.

These are the types of issues CDS developers are contending with for their tools. And, again, depending on their risk tolerance, another business and circumstance-specific factors, they have some decisions to make. In some cases, they can choose to go to FDA to seek clarity, for example, through an email to FDA’s digital health mailbox, or more formally by submitting what’s called a 513(g) request to FDA. Or, maybe, they’ll get comfortable with some ambiguity and a lack of enforcement currently and take some steps to mitigate their risk, like increasing disclosures in the CDS software associated manuals or labeling, and then, go ahead and continue to commercialize the tool without consulting FDA, which creates lots of work for lawyers, like us, to advise companies on those kinds of decisions, which can be very challenging.

There are also a couple of citizen petitions filed in 2023 challenging the CDS guidance and its alignment with the statutory criteria, and also, whether it perhaps raises issues under the First Amendment to the constitutional questions. The citizen petitions are asking FDA to go back and revise and republish this guidance. One of those petitions, for example, challenges FDA’s interpretation of the third criteria for the CDS exemption, which relates to software “supporting or providing recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition.” FDA’s position is that the CDS tool “should not recommend a single treatment or diagnosis or be intended for time-critical decision-making.” And so, as I mentioned before, whether those kinds of restrictions go beyond the statute is a question that has been raised. It has been argued that FDA should substantially revise that guidance, so we’ll see what happens. It’ll be interesting to see how FDA ultimately responds to these petitions, but the FDA often takes years to respond to these types of policy-directed citizen petitions. So, we shouldn’t hold our breath that we’re going to see something on this topic in 2024.

Meanwhile, with this final guidance published in the last few months of 2022, what is happening or what could we expect to see from an enforcement perspective? We were keeping our eye on that in 2023, and there was one notable warning letter that was published, but beyond that, we really haven’t seen much from FDA yet, even though there’s nothing in the law that stops FDA from taking enforcement action. FDA didn’t identify any transition period for implementation in the final guidance—at least not as a formal matter.

Beth, last but not least, let’s turn to you on this topic of enforcement. Talk about what we have seen, please, and then what we might expect to see in 2024.

Beth Weinman: Greg, I think you mentioned we really haven’t seen much related to the use of CDS tools, which I think stems from a number of things. First of all, it’s really hard to police this kind of software. Whether the Agency has the capacity to really be looking in full force at this kind of software, I doubt it. I think a lot of things are flying under the radar, because a lot of these tools are developed by companies that are not otherwise registered or inspected by FDA, so it’s hard for FDA to even be aware of what’s happening. Maybe there’s not been a lot of enforcement because of a perception that this type of software is relatively low-risk, and so, might be a lower priority for enforcement. And then, finally, it might be that the guidance was just finalized towards the end of 2022—there were some big changes, and maybe the Agency is giving companies some time to unpack and understand what’s expected. That said, we’re now in 2024. There’s been a little bit of time to sit with the guidance and understand it, and, I think, maybe we will start to see at least incrementally more enforcement from FDA in this space.

You mentioned there was one warning letter, that was in September 2023, and I’ll just talk about that for a second. I think that’s a signal that FDA may be gearing up for more enforcement in the coming year. At an inspection, FDA discovered that the company was marketing software for use with its medical device system—this is a system that’s used to help a patient’s heart pump blood in a critical care setting. The software that was discovered, it wasn’t controlling the device, but it was allowing remote monitoring of the performance of an individual pump or multiple pumps, and it allowed for the filtering of notifications by alarm status. The software sent email notifications about alarms and also displayed case tiles that included pump metrics and alarm state, and these displays were color-coded to reflect the alarm state—so, red, yellow, green to reflect the seriousness of the alarm. The company took the position that the software is a non-device CDS, but FDA asserted that it was a secondary alarm system, and it failed under criterion three because it provided for time-critical alarms. It seems from the warning letter that FDA is moving ahead with interpreting the CDS exemption criteria in the final guidance—namely, as we can see in this case, reading a requirement that the information not be “time-critical” into the third criterion. Now, that’s a requirement that’s not in the statute, so that’s important to recognize.

Greg Levine: Thanks for that, Beth. Are there other areas where we may see increased enforcement relating to software or digital tools?


Beth Weinman: Yes. I can think of another area that’s ripe for possible enforcement in 2024, and that’s with respect to cybersecurity. As medical devices have grown more integrated with wireless, internet, and network-connected systems and portable media, FDA has grown increasingly concerned about risks to device safety and effectiveness arising from insufficiently robust cybersecurity controls. And FDA was granted new authority to take action in this area as part of the Food and Drug Omnibus Reform Act, which was signed into law in the last days of 2022. So, for those of you who’ve been following cybersecurity developments, the new provision exists in Section 524(b) of the Act or 21 U.S.C. 360(n-2), and it includes text that was originally proposed in the PATCH Act, which is legislation in development for years to define a framework for insuring at least a minimum level of cybersecurity for the U.S. health care system, including medical devices. The piece relevant to medical devices was incorporated through FDORA, and the new authority does a few things.

First, it includes a definition for “cyber devices,” which are subject to the new authority. They are defined as:

  • software validated, installed or authorized by the sponsor of the pre-market application as a device or in a device;
  • has the ability to connect to the internet; and
  • contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

Second, the legislation authorizes FDA to demand information about cyber device cybersecurity controls in marketing submissions—so, 510(k)s, PMAs, and de novo submissions. Those who wish to market cyber devices will need to include a bunch of information to ensure that the statutory requirements are met, including a plan to monitor, identify, and address post-market cybersecurity vulnerabilities. They’ll need to develop and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cyber-secure and make postmarket updates and patches to the device to address real-time cybersecurity vulnerabilities as they emerge. They’ll need to provide the Agency a software bill of materials, including commercial, open-source, and off-the-shelf software components. And they’ll need to comply with other requirements that FDA may require through regulations.

At the end of September, FDA issued a final guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” and that guidance provided updated recommendations on meeting the new statutory requirements, including with respect to cybersecurity risk assessments, interoperability considerations, and documents that should be included in premarket submissions. We issued an alert on this back in October—you can find that on our website. The statutory requirements were supposed to become effective in March of 2023, but the effective date was pushed to October—so, now, in 2024, they’re clearly in effect. And that brings us back to the question of enforcement—the statutory amendment creates a new prohibited act prohibiting “the failure to comply with any requirement” implemented under the new section—so, that’s any violation of the requirements we just talked about. The new section enables the government to prosecute violations of these cybersecurity requirements criminally or to pursue injunctive relief against a company that’s out of compliance.

Cybersecurity has also been a focus of congressional investigations, class-action lawsuits, and DOJ False Claims Act investigations, even before FDA gained this new authority, so it’s a hot topic. A hacking episode involving a medical device and patient safety issue could certainly lead to an investigation into whether a company complied with FDA’s new authorities. Also, FDA will be policing compliance with these requirements through quality system inspections. A lot of the requirements relate to building cybersecurity controls into existing design, manufacturing and postmarket surveillance requirements, as well.

The last thing I’ll say, just in closing, is that DOJ does have a Civil Cyber-Fraud Initiative that reflects a hyper-focus on enforcement of cybersecurity requirements and government controls. And we all know that FDA regulation is a fertile area for False Claims Act enforcement, so new authority in the device arena also provides DOJ civil frauds with detailed expectations for cyber devices that it can look to if and when it’s pursuing False Claims Act investigations against medical device companies.

Greg Levine: Thanks for that, Beth. And thank you, Sarah, as well. This concludes the fourth and final episode in the Outlook 2024 series from our life sciences regulatory and compliance practice group here at Ropes & Gray. For more information about our practice and other topics of interest to life sciences companies, please visit our FDA regulatory and life sciences practice pages at www.ropesgray.com. You can also listen to Non-binding Guidance and other RopesTalk podcasts in our podcast newsroom on our website, or you can subscribe to this series wherever you listen to podcasts, including on Apple and Spotify. Thank you again for listening.

Subscribe to Non-binding Guidance Podcast