Medical and Regulatory Affairs

The Evolution of Regulations for Digital Health Products

It isn’t difficult to see how technology has changed our lives for the better over the last century. From self-driving cars to smartphones, numerous innovations have made our lives safer and much more convenient. Of course, one of the most robust categories where the quality of life has improved is medicine thanks to ongoing technological innovations in clinical research.

What used to require meticulous recordkeeping on the behalf of doctors and nurses can now be controlled through a simple smartphone app. In some cases, information from this type of software transfers seamlessly to researchers’ clinical trial databases in conjunction with more traditional electronic data capture (EDC) solutions. Not only is this better for the patients in the trial, it enables researchers to draw more accurate conclusions about the efficacy of their drug or device.

But that’s where safety regulations and patient privacy concerns start to get a little blurry. While the Food and Drug Administration (FDA) typically handles oversight for all medical devices, digital health products leave companies in a bit of a gray area.

Here is what you need to know about the evolution of this the regulatory framework, including previous guidelines and policies, plus the most recent legislation designed at determining what the FDA is actually responsible for in terms of oversight.

Previous Guidelines and Policies

In the past, digital health products fell into three categories based on their overall risk to patient safety as outlined in the Food and Drug Administration Safety and Innovation Act (FDASIA) Health IT Report issued April 2014.[1] These early classifications and risk determinations informed FDA oversight and generally focused on deciding which products worked as medical devices and whether they were intended to be used as an accessory to a regulated medical device or to transform a mobile platform into a regulated medical device.

The first category included billing and administrative software programs that posed limited or no risk and were mostly for recordkeeping purposes. Early guidelines determined that no FDA oversight or intervention was needed.

The second category featured health management IT applications. These programs included those that feature health information and data exchange, electronic access to clinical results, most clinical decision support, medication management, provider order entry, and patient identification and matching. It was determined at that time that the potential risks of such apps were minimal compared to the benefits, thus requiring enforcement only at the discretion of the FDA.

The final category included medical device health IT, which were determined to be those which pose an immediate risk to patient safety and health. Examples include computer-aided detection software, remote display or notification of real-time alarms from bedside monitors, and robotic surgical planning and control. The FDA decided that these applications required oversight and should be reviewed accordingly.

21st Century Cures Act – What You Need to Know

After determining a closer look into this new frontier of advanced healthcare was needed, Congress stepped up and enacted the 21st Century Cures Act in December 2016.[2] This piece of legislation specifically contains provisions clarifying the FDA’s role in regulating digital health products by determining which categories pose the greatest risk and therefore require greater review prior to commercialization.

To be even more specific, the new law amended the definition of “device” in the Federal Food, Drug, and Cosmetic Act. It stated that the term shall not include any software function that is intended:

  • For administrative support
  • For maintaining or encouraging a healthy lifestyle
  • To serve as electronic patient records
  • For transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results
  • To provide recommendations to healthcare professionals for clinical decisions, where the user can independently review the basis of the recommendation

While this reclassification might sound simple enough on the surface, it is important to realize that this bill drastically changed the digital health products regulatory services industry by determining which situations call for FDA intervention and which do not.

In July 2017, the FDA issued the Digital Health Innovation Action Plan, which included details and timelines for activities supporting digital health technology and the implementation of the 21st Century Cures Act.[3]

This included issuing guidance to provide clarity on the medical software provisions of the 21st Century Cures legislation; launching an innovative pilot pre-certification program to  develop a new approach to digital health technology oversight (FDA Pre-Cert for Software); and building the FDA’s bench strength and expertise in CDRH’s digital health unit.  Over the past year, FDA has indeed put this Plan into action with the issuance of new digital health-related guidance documents[4], a public workshop with key stakeholders on the Software Pre-Cert Pilot Program, and the hiring of entrepreneur-in-residence fellows to support the development of the Pre-Cert program.


While it is important to recognize the FDA’s dedication to protecting the public, it’s also important to remember that the ever-changing nature of the industry can create a challenging situation for digital health products as regulation and guidance evolves to encompass new technologies.

Simply put, FDA acknowledges that a traditional approach for regulating medical devices is not sufficient for the needs of medical software applications. Thus, it continues to create new guidelines to match the needs of the industry while protecting patient health and safety.

[1] FDASIA Health IT Report, April 2014. Available at

[2] 21st Century Cures Act, December 13, 2016. Available at

[3] Digital Health Innovation Action Plan, July 27, 2017. Available at