Skip to main content Accessibility help

We use cookies to distinguish you from other users and to provide you with a better experience on our websites. Close this message to accept cookies or find out how to manage your cookie settings.

Close cookie message
×
Hostname: page-component-848d4c4894-8kt4b Total loading time: 0 Render date: 2024-06-16T22:38:59.278Z Has data issue: false hasContentIssue false

3 - Are Electronic Health Records Medical Devices?

from Part I - AI and Data as Medical Devices

Published online by Cambridge University Press:  31 March 2022

By
Craig Konnoth
Edited by
I. Glenn Cohen ,
Timo Minssen ,
W. Nicholson Price II ,
Christopher Robertson  and
Carmel Shachar
I. Glenn Cohen
Affiliation:
Harvard Law School, Massachusetts
Timo Minssen
Affiliation:
University of Copenhagen
W. Nicholson Price II
Affiliation:
University of Michigan, Ann Arbor
Christopher Robertson
Affiliation:
Boston University
Carmel Shachar
Affiliation:
Harvard Law School, Massachusetts

Summary

Are Electronic Health Records Medical Devices? While statute (largely) excludes EHRs from the medical device category, commentators have struggled to offer a justification. They have argued that EHRs inform but do not replace clinical decision-making, do not directly interact with patients, and are constantly being upgraded and modified. But all these characteristics are often true of many medical devices. I argue the key aspect of EHRs that render them foreign to the FDA’s jurisdiction is their systemwide interconnectedness. The patient’s EHR affects others. EHRs must work in a certain way, for the integrity of the whole system. EHR data is used for both clinical and quality management research. Alternatively, the safety of EHRs involves greater systematic, upstream regulation – of third-party networks, data formats, and other issues that present collective action problems. This goes far beyond the mandate of the FDA that fails to consider such issues and lacks jurisdiction over many necessary third parties. I argue that the distinction between EHR functions that have a direct and primary effect on the particular patient versus those such as data format and interoperability that present these third-party and systematic considerations should determine the respective jurisdictions of the FDA and health data subagencies.

Keywords

EHRDevicesFDAONCNetworks
Type
Chapter
Information
The Future of Medical Device Regulation
Innovation and Protection
 , pp. 36 - 46
Publisher: Cambridge University Press
Print publication year: 2022
Creative Commons
Creative Common License - CCCreative Common License - BYCreative Common License - NCCreative Common License - ND
This content is Open Access and distributed under the terms of the Creative Commons Attribution licence CC-BY-NC-ND 4.0 https://creativecommons.org/cclicenses/

Are Electronic Health Records (EHRs) medical devices? Answering this question is important. It will determine, in part, which agency will regulate EHRs, and under what paradigms. Either the Food and Drug Administration (FDA) will regulate EHRs as medical devices, or the Office of the National Coordinator of Health Information Technology (ONC), another subagency within HHS that focuses on health data regulation, will provide the framework. This chapter argues that the task should be divided between the two agencies in a way that reflects their respective expertise to produce an optimum outcome. The criterion should be the extent to which the particular function being regulated involves networking with other systems and users. To the degree that it does, the ONC should hold primacy. But for more patient-facing functions that do not involve networking, the FDA should run point. Thus, the ONC should control data-format standardization in EHRs; the FDA might lead clinical decision support (CDS) efforts.

At the outset, some may argue that the question I raise is moot, and my solution is impossible. Section 520(o)(1)(C) of the Food Drug and Cosmetic Act (FDCA), inserted by the 21st Century Cures Act of 2016 (Cures Act), seems to shift the balance of power toward the ONC. It provides that EHRs are not medical devices if they were “created, stored, transferred, or reviewed by health care professionals,” “are part of health information technology that is certified” by the ONC, and “such function is not intended to interpret or analyze patient records.”Footnote 1 But at the same time, the HHS Secretary has the authority to undo the exclusion, admittedly subject to notice and comment rulemaking, and a finding that a particular “software function would be reasonably likely to have serious adverse health consequences.”Footnote 2 If the exclusion of EHRs from FDA jurisdiction does not make sense, then, the Secretary could likely take steps to undo or modify the statutory mandate.

The question then is, should they? And the statute provides no answer to that question. On one hand, the statute does exclude EHRs as medical devices. But at the same time, by negative implication, Section 520(o)(1)(C) suggests that but for its exclusion, EHRs would be medical devices – after all, why bother to say a product was not a device, if that product would not have, anyway, been covered in the definition of device?Footnote 3 While the statute quite clearly excludes EHRs as medical devices, neither the statute, nor the legislative history, is clear on the reasons for doing so. Thus, there is little guidance in the statute as to how the Secretary can and should exercise discretion.

I argue that the key aspect of EHRs that render them foreign to the FDA’s jurisdiction is their systemwide interconnectedness; they affect and are affected, both directly and indirectly, by third parties. First, a patient’s EHR affects others. The EHRs must work in a certain way, not just for the safety of the patient, but for the integrity of the system as a whole. The data from EHRs is used for both clinical and quality management research, for example. On the other hand, the safety of EHRs involves greater systematic, upstream regulation – of third-party networks, data formats, and other issues that present collective action problems. This goes far beyond the mandate of the FDA that fails to consider such issues and lacks jurisdiction over many necessary third parties.Footnote 4

While I therefore endorse some aspects of the FDA’s historic reasoning with respect to EHRs, which I describe below, I argue that it should be allowed to regulate only those functions that have a direct and primary effect on the particular patient – such as the quality of a particular algorithm that renders CDS. However, it should not be allowed to regulate aspects of EHRs such as data format and interoperability that present these third-party and systematic considerations.

3.1 Existing Reasons Against Regulating EHRs and their Shortcomings

The Food, Drug, and Cosmetic Act of 1938 was amended in 1976 to include medical devices within the FDA’s ambit. A device is:

[A]n instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is … intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.Footnote 5

Devices are categorized as Class I through III, depending on the extent to which they support or sustain human life, or present a risk of injury. Class I devices do not support or sustain human life and do not unreasonably risk injury; Class II devices are somewhere in the middle, as they support or sustain human life and present a higher risk; Class III devices present a high risk of injury.Footnote 6 FDA controls are commensurate with device risk. Class I devices are subject to “general controls” – for example, prohibitions on misbranding. Class II devices are subject to some additional, discretionary controls. Class III devices require premarket approval from the Secretary, though there are methods for obtaining exemptions.Footnote 7

Turning next to EHRs, these consist of software that offers various kinds of functionality, including data entry, storage, retrieval, transmission, and CDS, among others.Footnote 8 In the late 1980s and early 1990s, EHRs began to take on their modern form, offering functions such as computerized order entry, CDS, and medical device interfaces – even though the early computer systems were slow, had low storage capacity, and paper was omnipresent.Footnote 9

On my account, the FDA regulates EHRs in whole or in part when it takes on regulation of these functions, including when these functions appear in an EHR context. Thus, if the FDA declares authority over CDS regulation, it engages in regulation of EHRs to some degree because of the ubiquity of CDS in EHR contexts. Starting in the late 1980s, as EHRs took on their modern form, the FDA offered various reasons both for and against regulating EHRs and EHR-type products.

On one hand, the reasons for regulating EHRs seem obvious – it falls within the medical device definition. It seems that EHRs constitute an “apparatus” or “contrivance” that is “intended for use” in the process of disease diagnosis, as well as in “the cure, mitigation, treatment, or prevention of disease.” Thus, when data from bloodwork is fed into an EHR, and a medical professional looks at the EHR to make a diagnosis, and also looks at the EHR to determine what other medication a patient is taking, so that they can determine what should be prescribed, the EHR plays a role in both the process of diagnosis and treatment. Prominent data regulation scholars, Sharona Hoffman and Andy Podgurski, similarly conclude: “Given that they feature decision support, order entry, and other care delivery and management functions, one might reasonably conclude that EHR systems are as essential to patient care as are many regulated devices. Furthermore, their software can be more complicated than that found in many computer-controlled medical devices that are subject to FDA jurisdiction.”Footnote 10

This understanding appears to have undergirded the thinking of at least one senior FDA official, who, a decade ago, suggested that EHRs should be regulated as medical devices. As he explained, Health Information Technology – in this case, it would appear from context, specifically EHRs, are vulnerable to various errors that affect patient safety. These include “(1) errors of commission, such as accessing the wrong patient’s record … (2) errors of omission or transmission, such as the loss or corruption of vital patient data (3) errors in data analysis, including medication dosing errors of several orders of magnitude and (4) incompatibility between multi-vendor software applications and systems, which can lead to any of the above.”Footnote 11 Two years later, a dissenting view in an Institute of Medicine Report advanced similar reasons for regulating EHRs as medical devices.Footnote 12 EHR “components participate directly in diagnosis, cure, mitigation, treatment, and prevention of specified individual human beings” squarely falling within the definition of medical devices.Footnote 13 Indeed, for reasons I will not engage here, the dissent argued that EHRs should be regulated as Class III devices.

On the other hand, over the years, regulators have offered various reasons against regulating EHRs as devices, though none seem to overcome the squarely textual reasoning above. First, the FDA has noted EHR outputs are subject to independent clinical judgment. Physicians can use their independent experience and knowledge to evaluate the EHR output and make their own decisions concerning patients.Footnote 14 Second, “health IT is constantly being upgraded and modified to reflect new evidence and clinical interventions, changing work flows, and new requirements … Constantly evolving systems … don’t lend themselves to discontinuous oversight mechanisms such as those used for medical devices.”Footnote 15 Third, the FDA lacks “capacity” to regulate;Footnote 16 and fourth, that “regulation of health IT [including EHRs] by FDA as a Class III device could have” an impact “on innovation.”Footnote 17

But there are problems with these rationales. The independent review rationale also founders because professionals are just as reliant on EHRs as they are on many other devices (and relatedly, unable to carry out fully independent reviews). Indeed, depending on the error, a professional may be more likely to see if an x-ray machine malfunctioned – because the image is fuzzy, perhaps – than if an EHR contains wrong data. Similarly, as Hoffman and Podgurski note, “in the midst of surgery or in the intensive care unit” it would be hard for a provider to reflect on the data that the EHR has provided.Footnote 18 Further, the concept of “intervention” is hard to suss out. Does “intervention” require the practitioner to follow the EHR’s output or recommendation only if it accords with their assessment, but ignore it otherwise? If so, the value-add of the EHR is unclear – if the practitioner is going to stick to their judgment no matter what.

Similarly, the other rationales also fail. On the second objection, medical devices generally are subject to various kinds of upgrades and “constant[] evol[ution]”; the FDA has offered a preliminary discussion regarding upgrading different kinds of software, with different tracks for “locked” versus continuously evolving algorithms.Footnote 19 As for the third, FDA funding and support can be increased. And the fourth concern goes to the kind of regulation that would be appropriate for EHRs as medical devices – it does not speak to whether EHRs are devices, and whether the FDA should have control.

Thus, while it is clear that many stakeholders have concerns with giving the FDA full control over EHR regulation, they have not provided strong rationales.

3.2 Additional Rationale: Networked versus NonNetworked Aspects of EHR Use

In this section, I argue that fundamental aspects of EHRs – namely, their systemwide interconnectedness – render at least some important EHR functionalities foreign to FDA expertise. Thus, I argue that the FDA should refrain from regulation on aspects of EHRs that directly implicate data networks. That regulation should remain in the hands of the ONC, which has relationships with data networks and EHR developers.Footnote 20 However, FDA regulation may be appropriate where the subject of regulation is the point at which the EHR interacts directly with patient care.

In other work, I have explained that EHR use occurs at two levels: at the individual level, and a population-based level.Footnote 21 At the individual level, a medical professional uses EHR for the care of a specific patient. They look up a patient’s medical history, past medical conditions, treatments and the like. They can use the data to treat the patient, ensuring that there are no adverse drug interactions.

At a systemwide level, many EHRs are connected in ways that allow the data they contact to be pulled together and analyzed to draw conclusions on the safety and effectiveness of treatments and procedures, among other purposes, across vast populations. For this purpose, troves of data are cleaned, collated, and analyzed. The goal of a so-called learning health system would be to pull together data – much, if not most of it, in the form of EHRs – in real-time to figure out what interventions work best based on current knowledge, to reenter data back into the system, which in turn, is then used to refine the outcome for future interventions on other patients in an iterative feedback loop.Footnote 22 While not all EHRs can carry out these functions, many of them do so, and the goal is to have full interconnectivity.

Further, it is not just the uses of EHRs that invite population and systemwide considerations. Pulling together EHRs involves other population- and system-level considerations. For example, the data formats and elements that one EHR uses have ramifications for how other, unrelated EHR systems work – if they do not use the same formats and elements, the overall system cannot function properly.Footnote 23 Thus, as one regulatory entity put it: “[i]ndividual health IT components may meet their stated performance requirements, yet the system as a whole may yield unsafe outcomes.”Footnote 24

These questions of population-level data and interconnected networks should determine the bounds of FDA jurisdiction. The operation of EHRs in a certain instance, then, is fundamentally interconnected to a broader system. When a doctor deploys an EHR in a particular context, their action draws on data, data formats, users (who may have input the data years ago), and networks. More than that, their engagement with the EHR can have implications for patient care – not just that of their patient, but, if the EHR is agglomerated and used elsewhere, on that of other patients.

This is the key difference between most devices and EHRs. As long as other devices are integrated into the relevant medical system of which they are a part, they fulfil their primary function. Safety considerations therefore focus on the particular context in which the device is used – while there may be downstream effects, they are less important. The purpose of EHRs however, is to record, transmit, aggregate, and use information downstream. At a fundamental level EHRs must engage with other systems and subsequent patients – or the same patient in subsequent visits.

Because of this interconnected nature, unlike with other devices, where the safety of a particular MRI is not (within reason) dependent upon which supplier the provider obtained it from, it is harder to tease EHR and their data away from how it was delivered and sourced, and how it may play with other systems. In regulating EHRs, the FDA would not have to just consider the particular EHR system at hand. It would have to consider how the EHR system works with other EHR systems and formats, and other users. It would have to consider downstream uses of the data thus input, as it may be used for future analyses.

Limiting the FDA’s ability to engage with the third party and indirect effects of EHRs fits in with the broader approach it currently takes. In previous work, I have argued that the FDA generally lacks expertise and has limited authority to regulate inter alia indirect drug effects and drug effects on third parties. As I explain, an indirect cause is one which is “separated from an effect by an intervening cause. This intervening cause must 1) be independent of the original act, 2) be a voluntary human act or an abnormal natural event, and 3) occur in time between the original act and the effect.”Footnote 25 Thus, the use of birth control may lead (some claim) to higher incidents of STDs, since individuals may have condomless sex. But such condomless sex is a voluntary, intervening act. Similarly, “[t]hird-party harm occurs when the drug is prescribed for use, and actually used by person A, but person B is harmed by the use either directly or indirectly.”Footnote 26 Such harm includes, for example, secondhand smoke directly inhaled by third parties who do not use cigarettes. Some harms are both indirect and third party, such as downstream partners who may contract an STD caused by condomless sex that some claim occurs due to the availability of birth control.Footnote 27 I explain that while the FDA should sometimes regulate indirect and third-party harm, its expertise and authority are at its nadir when it does so, and its intervention should be limited. That is the situation in which EHRs reside.

Without considering its implications for regulatory control, two regulatory entities have recognized that EHRs raise questions of indirect and third-party harms. They are part of “a complex sociotechnical system.”Footnote 28 Yet, they do not distinguish the networked and nonnetworked aspects of EHRs. Rather, they focus on the interaction of users with EHRs, and the error that results. As they emphasize, the interactive nature of EHRs, organizational workflow, and user understanding, determine safety.Footnote 29 Scholars, such as Sara Gerke and coauthors, writing in the context of artificial intelligence (AI), have similarly argued that AI in health implicates a “system” view, by which they mean the intersection of humans, and organizational workflow, with technology.Footnote 30

But in the EHR context,Footnote 31 the distinguishing factor is not user-technology interaction. After all, other devices raise concerns regarding user-technology interactions, and the errors that result, and the FDA has, to some degree at least, sought to regulate such concerns by reviewing labeling, and the like.Footnote 32 There are limits – for example, the FDA cannot “regulate the practice of medicine.”Footnote 33 But the user-error concerns here arise with respect to all medical devices. They are not unique to EHRs (or, for that matter, to medical software more generally). Rather, the relevant boundary is between networked and nonnetworked EHR functions.

Separating EHR use into two aspects allows us to determine the bounds of FDA jurisdiction. On one hand, it may make sense for the FDA to regulate certain aspects of the EHR as they pertain to a specific patient – subject to the limits on regulating the practice of medicine. But when networked aspects of the EHR are involved, the FDA should step back. In that situation, the ONC, which has developed relationships with EHR developers, national data networks, and indeed, has created a process to create a voluntary national health data network, should step in and regulate. How might this play out? Let us consider a taxonomy developed by various HHS agencies and see how the approach works.

3.3 Applying the Framework

The Food and Drug Administration Safety and Innovation Act (FDASIA) required the FDA, ONC, and the Federal Communications Commission (FCC) to develop “a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework pertaining to health information technology, including mobile medical applications, that promotes innovation, protects patient safety, and avoids regulatory duplication.”Footnote 34

The report separated Health IT into three sets of functions:

1) administrative health IT functions [namely ‘billing and claims processing, practice and inventory management, and scheduling’], 2) health management health IT functions [namely ‘health information and data exchange, data capture and encounter documentation, electronic access to clinical results, most clinical decision support, medication management, electronic communication and coordination, provider order entry, knowledge management, and patient identification and matching’], and 3) medical device health IT functions [namely ‘computer aided detection software, remote display or notification of real-time alarms from bedside monitors, and robotic surgical planning and control’].Footnote 35

The report suggested that only category 3) functions were subject to FDA regulation. That seems correct, but not for the reasons in the Report.

First, administrative functions – “billing and claims processing, practice and inventory management, and scheduling” – are not patient facing, and can be separated on that ground.

Next, health management health IT functions include “health information and data exchange, data capture and encounter documentation, electronic access to clinical results, most clinical decision support, medication management, electronic communication and coordination, provider order entry, knowledge management, and patient identification and matching.”Footnote 36 The Report concluded that it did not have to regulate these functions because they presented a lower risk.Footnote 37 In so concluding, it cited little evidence. The better reason is that these functions all have to do with EHR integration with other systems and its interaction with multiple users. They all have to do with EHR as a networked product – networked with both technology and system users. The FDA, which rarely regulates at a systemwide level, focused primarily on the interaction between device and patient, is ill-suited for such regulation. Rather, the ONC, which has developed relationships with multiple players in the health data world, should take the lead role.Footnote 38

Finally, medical device health IT functions include “computer aided detection software, remote display or notification of real-time alarms from bedside monitors, and robotic surgical planning and control.”Footnote 39 The Report suggested that these functions are higher risk, and therefore fall within the FDA’s purview. On my account, these functions are more focused on HIT functionality as it pertains to specific patients, rather than networking aspects. It therefore falls more within FDA expertise.

Similar issues arise in the context of CDS regulation. Cures Act Section 520(o)(1)(C) excludes software that is meant to display medical information about a patient and the like, as long as the “health care professional [can] independently review the basis for such recommendations that such software presents so that it is not the intent that such health care professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.”Footnote 40 In guidance, the FDA explained that whether a professional exercised such judgment depended on “[t]he purpose or intended use of the software function; The intended user (e.g., ultrasound technicians, vascular surgeons); The inputs used to generate the recommendation (e.g., patient age and gender); and [t]he rationale or support for the recommendation. In order for the software function to be excluded from the definition of device, the intended user should be able to reach the same recommendation on his or her own without relying primarily on the software function.”Footnote 41

Commenters responded with confusion.Footnote 42 As Professor Efthimios Parasidis noted,

“The FDA’s statement does not represent a reasonable interpretation of the statute, because it focuses on the physician’s ability to come up with a treatment decision independent of the CDS program, rather than focusing on the ability of the physician to independently review ‘the basis of such recommendation that such software presents.’ It is one thing to be able to diagnose a patient independent of a CDS program, and another to understand and independently review the output of a CDS program. The statute covers the latter, while the FDA’s draft guidance appears to cover the former.”Footnote 43

In 2019, the FDA doubled down on this approach, however.Footnote 44

On my account, CDS should fall within the FDA’s purview to the extent it involves the quality of an algorithm and the outputs it produces. The ONC has little expertise on issues of algorithmic quality, while the FDA encounters such issues in its regulation of other devices apart from EHR.Footnote 45 However, CDS relies on the data collected from a range of different EHRs. To the extent that a CDS problem arises with data quality, transmission, or input from EHRs – that is, issues relating to the quality of networking across the national health information network – it falls under the ONC’s authority. The HHS Secretary should use their authority to recalibrate the relevant authority between the two agencies in this way.

3.4 Conclusion

I have argued that the delineation of authority between the FDA and the ONC should not be based on the extent of provider intervention or control over HIT, which involves conceptually hard distinctions. It should not be based on how risky a piece of HIT is as such outcomes are highly context-dependent and still empirically hard to ascertain. Rather, they should be based on whether the aspect of the HIT subject to regulation involves its ability to network with other systems and users. To the degree that it does, the HIT should fall within ONC regulation. However, as long as the focus of the HIT function does not implicate networking – such as the quality of algorithmic analysis – FDA jurisdiction is appropriate. The line between the categories can be blurry – after all, the analysis of algorithmic quality might implicate questions of data collection and standardization. But if history is any guide, such blurriness will inevitably be the case, no matter what standard is adopted, as we move to more and more automated health systems.

Footnotes

1 21 U.S.C. § 360j(o)(1)(C).

2 21 U.S.C. § 360j(o)(3)(A)–(B).

3 Cf. Metro. Life Ins. Co. v. Massachusetts, 471 U.S. 724, 741 (1985) (“Unless Congress intended to include laws regulating insurance contracts within the scope of the insurance saving clause, it would have been unnecessary for the deemer clause explicitly to exempt such laws from the saving clause when they are applied directly to benefit plans.”).

4 For an extended treatment of this framework see, generally Craig J. Konnoth, Drugs’ Other Side Effects, 104 Ia. L. Rev. 171 (2019).

5 21 U.S.C. § 321(h).

6 21 U.S.C.A. § 360c(a)(1).

7 Footnote Id.; Sharona Hoffman & Andy Podgurski, Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems, 22 Harv. J. L. & Tech. 103, 137 (2009).

8 R.S. Evans, Electronic Health Records: Then, Now, and In the Future, Yearbook Med. Inform. S4861 (2016), www.ncbi.nlm.nih.gov/pmc/articles/PMC5171496/; see also HealthIT.gov, Clinical Decision Support, www.healthit.gov/topic/safety/clinical-decision-support (“The majority of CDS applications operate as components of comprehensive EHR systems”).

9 See Evans, supra Footnote note 8.

10 Hoffman & Podgurski, supra Footnote note 7at 130. They raise concerns about FDA authority and would give the oversight to the Centers for Medicare and Medicaid Services, another subagency in HHS. However, the Cures Act allows the Secretary to entrust authority to the FDA. See also Nicolas Terry, Pit Crews with Computers: Can Health Information Technology Fix Fragmented Care?, 14 Hous. J. Health L. & Pol’y 129, 183 (2014) (“In straining to avoid untimely over-regulation, the FDA may have under-regulated. If the agency had asserted its jurisdiction over EMRs rather than backing down to ONC and CMS during MU, maybe better, safer products would have been brought to market (admittedly later).”).

11 Jeffrey Shuren, Dir. of FDA’s Ctr. for Devices and Radiological Health, Testimony at the Health Info. Tech. Policy Comm. Adoption/Certification Workgroup (Feb. 25, 2010) (acknowledging the receipt of 260 reports of malfunctioning EHR systems since 2008), www.cchfreedom.org/pdfs/Health%20IT%20Deaths%20-%20FDA%20jeffrey%20Shuren.pdf.

12 Inst. of Med., Health IT and Patient Safety: Building Safer Systems for Better Care 194 (2012), www.ncbi.nlm.nih.gov/books/NBK189661/pdf/Bookshelf_NBK189661.pdf [hereinafter IOM Report].

13 Footnote Id.

14 This remarkably stable rationale has spanned the last thirty years. Compare 52 Fed. Reg. 36,104 (1987) with Bipartisan Policy Center Health Innovation Initiative, An Oversight Framework for Assuring Patient Safety in Health Information Technology 15 (2013), https://bipartisanpolicy.org/wp-content/uploads/2019/03/Patient-Safety-Health-IT.pdf; See also infra Footnote note 42 (describing recently released guidance pertaining to the Cures Act).

15 Bipartisan Policy Center, supra Footnote note 14, at 16.

16 IOM Report, supra Footnote note 12, at 154.

17 Footnote Id.

18 Hoffman & Podgurski, supra Footnote note 7.

19 US Food & Drug Admin., Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML) Based Software as a Medical Device (SaMD): Discussion Paper and Request for Feedback 3 (2019), www.fda.gov/media/122535/download [hereinafter SaMD Discussion Paper].

20 See generally Craig Konnoth & Gabriel Scheffler, Can Electronic Health Records Be Saved?, 46 Am. J.L. & Med. 7, 719 (2020).

21 Craig Konnoth, Data Collection, EHRs, and Poverty Determinations, 46 J.L., Med. & Ethics 622, 625–6 (2018).

22 Craig Konnoth, Health Information Equity, 165 U. Penn. L. Rev. 1317, 1319 (2017).

23 Craig Konnoth, Regulatory De-arbitrage in Twenty-First Century Cures Act’s Health Information Regulation, 29 Ann. of Health L. & Life Sci. 136, 137 (2020).

24 US Food & Drug Admin., FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework 10 (Apr. 2014), www.fda.gov/media/87886/download [hereinafter, FDASIA Report].

25 Craig J. Konnoth, Drugs’ Other Side Effects, 105 Ia. L. Rev. 171, 197 (2019).

26 Footnote Id. at 200.

27 Richard J. Fehring et al., Influence of Contraception Use on the Reproductive Health of Adolescents and Young Adults, 85 Linacre Q. 167, 167–77 (2018).

28 FDASIA report, supra Footnote note 24, at 10.

29 IOM Report, supra Footnote note 12, at 61–2.

30 Sara Gerke et al., The Need for a System View to Regulate Artificial Intelligence/Machine Learning-Based Software as Medical Device, 3 npj Digital Med. (2020), www.nature.com/articles/s41746-020-0262-2?lead_type=mba.

31 And I emphasize that the scholars above were not considering the EHR context.

32 US Food & Drug Admin., Device Labeling, www.fda.gov/medical-devices/overview-device-regulation/device-labeling.

33 Gerke et al., supra Footnote note 30.

34 FDASIA Report, supra Footnote note 24.

35 Footnote Id. at 11–12.

36 Footnote Id. at 13.

37 Footnote Id. at 12.

38 See IOM Report, supra Footnote note 12, at 20–1 (describing the ONC’s relationship with stakeholders).

39 FDASIA Report, supra Footnote note 24, at 13.

40 21 U.S.C. § 360j(o)(E)(iii).

41 US Food & Drug Admin., Clinical and Patient Decision Support Software: Draft Guidance for Industry and Food and Drug Administration Staff 8 (2017), www.regulations.gov/document?D=FDA-2017-D-6569-0002.

42 See Barbara Evans & Pilar Ossorio, The Challenge of Regulating Clinical Decision Support Software After 21st Century Cures, 44 Am. J. L. and Med. 237, 239–40 (2018) (“The Cures Act singles out CDS software that recommends diagnoses or actions to treat or prevent disease. It defines a standard for deciding when such software can be excluded from FDA regulation. Congress excludes CDS software from FDA regulation if the software is intended to enable the ‘health care professional to independently review the basis for such recommendations that such software presents so that it is not the intent that such health care professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.’ To escape FDA regulation, the software vendor/manufacturer must intend for the software to make it possible for health care professionals to override its recommendations by explaining its rationale in terms that a clinician could understand, interrogate, and possibly reject. Whether CDS software is subject to FDA regulation potentially turns on the software’s ability to answer the quintessential epistemological question: How do we know?”).

43 Efthimios Parasidis, Comment on Clinical and Patient Decision Support Software: Draft Guidance for Industry and Food and Drug Administration Staff, 82 Fed. Reg. 53,987 (Dec. 8, 2017), www.regulations.gov/document?D=FDA-2017-D-6569-0010; Am. Med. Informatics Ass’n, Comment on Clinical and Patient Support Software: Draft Guidance for Industry and Food and Drug Administration Staff, 82 Fed. Reg. 53,987 (Dec. 8, 2017), www.regulations.gov/document?D=FDA-2017-D-6569-0016.

44 US Food & Drug Admin., Clinical Decision Support Software: Draft Guidance for Industry and Food and Drug Administration Staff 12 (2019), www.fda.gov/media/109618/download.

45 See generally SaMD Discussion paper, supra Footnote note 19.

Save book to Kindle

To save this book to your Kindle, first ensure coreplatform@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about saving to your Kindle.

Note you can select to save to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Available formats
×

Save book to Dropbox

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Dropbox.

Available formats
×

Save book to Google Drive

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Google Drive.

Available formats
×