Commissioner Scott Gottlieb of the U.S. Food and Drug Administration (“FDA”) stole the spotlight this past month when he delivered a speech discussing big promises from the agency regarding artificial intelligence (“AI”) in healthcare. “One of the most promising digital health tools is artificial intelligence, particularly efforts that use machine learning,” said Gottlieb when explaining that the FDA was “actively developing a new regulatory framework to promote innovation in this space.”

Indeed, this year the FDA has shown a lot of support for AI in healthcare by authorizing the marketing of several cutting-edge AI technologies—one of which was even permitted to be marketed without the requirement for additional clinician oversight.

In February, the FDA permitted marketing of clinical decision support software that uses algorithms to help neurovascular specialists arrive at answers more quickly and speed time to treatment for potential stroke patients.

Then in April, the FDA permitted marketing of the first device to use AI to detect a medical condition. Called IDx-DR, the device utilizes an AI algorithm to screen for diabetic retinopathy. This device is unique in that its results do not require additional review by a specialized clinician, which allows the test to be performed in a primary care setting. Like many devices in the digital health space, IDx-DR was reviewed through the FDA’s De Novo premarket review pathway, which is a way for new medical devices that present “a low to moderate risk to patients” and have no legally marketed predicate device on which to base a determination of substantial equivalence to be reclassified into Class I or Class II and avoid the need for a full Premarket Approval (“PMA”) application.

IDx-DR was also granted Breakthrough Device designation, which expedites the review of medical devices that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions. The FDA has consistently shared its intention to be flexible with digital health product developers whose software and devices do not fall neatly into the FDA’s well-established “product types.” Most recently, in May, the FDA permitted the marketing of OsteoDetect, an AI algorithm for aiding providers in the detection of wrist fractures by analysis of two-dimensional X-ray images.

These examples of successful utilization of the De Novo pathway and Breakthrough Devices program are likely to continue to encourage AI innovation by medical device and digital health companies by using these pathways to market as an FDA roadmap for marketing authorization of their own products.

The U.S. Food and Drug Administration’s (FDA’s) Center for Devices and Radiological Health (CDRH) recently issued its Medical Device Safety Action Plan:  Protecting Patients, Promoting Public Health (Action Plan), an aspirational set of goals concerning the agency’s approach to medical device safety.  This Action Plan can be considered the FDA’s attempt to reorganize its toolbox to make its regulatory efforts more efficient, effective, and responsive.  The Action Plan describes the FDA’s intentions to:

  1. Integrate CDRH’s premarket and postmarket offices and activities to advance the use of a Total Product Life Cycle (TPLC) approach to device safety;
  2. Establish a robust medical device patient safety net in the United States;
  3. Explore regulatory options to streamline and modernize timely implementation of postmarket mitigations;
  4. Spur innovation towards safer medical devices; and,
  5. Advance medical device cybersecurity.

Radically Restructuring CDRH

The cornerstone of the Action Plan is a TPLC approach intended to enable nimble and comprehensive medical device regulation, especially as it concerns postmarket medical device surveillance and response, balancing patient benefit, device safety, and innovation.  Perhaps the clearest indicator of the FDA’s embrace of the TPLC approach is the proposed radical restructuring of CDRH, which has been talked about for some time.  The Action Plan sets out the FDA’s rationale for the restructuring:

Rather than assessing a device only at one point in time – for instance, to evaluate whether a device meets the standard for approval, or to evaluate post-market data involving a device safety signal – reviewers, compliance officers, and other experts would work in teams with responsibility for device oversight throughout the product’s development and commercialization.

Therefore, instead of the current structure that focuses on stages of a product’s life cycle, CDRH would be reorganized into one office and seven smaller “device-specific offices that would each be responsible for premarket review, postmarket surveillance, manufacturing and device quality, and enforcement.”  A separate office focused on clinical evidence and analysis is being considered, and it would comprise teams working on “clinical evidence policy, evidence synthesis and analysis, biostatistics, bioresearch compliance, and collaboration and outreach to clinical researchers outside of the FDA.”  With this kind of structure, it is clear that the FDA expects CDRH to adopt a “universal” view of and an integrated approach to medical device regulation, with the goal of eliminating regulatory silos.  The proposed reorganization should also enhance information sharing and analysis.

Establishing a Robust Medical Device Safety Net and Streamlining Implementation of Postmarket Mitigations

Another important theme of the Action Plan is to address some of the limitations of current postmarket surveillance tools (e.g., that Medical Device Reports (MDRs) rely on a clinician to recognize a problem and its relationship to the device rather than some other factor, or that there are few incentives for patients to participate in postmarket surveillance studies of a device).  To that end, the Action Plan seeks to position CDRH to have access to the vast and growing amount of available digital health data.  By focusing attention on developing a robust medical device safety net and the impact that will have on improving the timeliness and effectiveness of postmarket mitigations, the FDA is positioning itself squarely at the crossroads of Big Data and complex data analysis.  CDRH already has programs in place to track medical devices – the Global Unique Device Identification Database (GUDID) – and to understand and use real world evidence (RWE).  Unique device identifiers (UDIs) now appear on most medical device labels, and labelers are required to submit information about each medical device bearing a UDI to the FDA; this information is stored in the GUDID.  According to the FDA, UDIs provide a way to document device use (e.g., electronic health records and registries can include UDI information) so that there can be, among other things, “more accurate reporting, reviewing, and analyzing of adverse event reports” because “healthcare professionals and others [will be able] to more rapidly and precisely identify a device and obtain important information concerning the device’s characteristics.”  RWE (comprised of raw patient health information) typically originates from non-clinical research sources, such as health monitoring devices and claims and billing activities.  RWE can be aggregated and analyzed to assess and identify trends, though special attention must be paid to data quality and privacy issues.

According to the Action Plan, the FDA plans to use this data collection in two critical data evaluation programs:  The National Evaluation System for Health Technology (NEST) and CDRH’s Signal Management Program (SMP).  The SMP uses signals (defined by the FDA as “a new potentially causal association or a new aspect of a known association between a medical device and an adverse event or set of adverse events”) to connect postmarket surveillance with the premarket review process by informing the design and use of similar devices that are in the premarket review phase.  By integrating postmarket surveillance information into pre-market review, the FDA intends for similar devices seeking entry into the market to have already accounted for known safety risks.

It appears that the FDA will make NEST, a public-private partnership (or PPP), the central hub for data evaluation and management that, according to the FDA, will enable improved safety risk identification and postmarket mitigation activity and strategy.  NEST is intended to “facilitate detection of potential safety risks that would not otherwise have been identified as quickly, or at all, as well as facilitate more timely capture of potential safety signals.”  However, by the FDA’s own admission, NEST is currently underfunded; realizing its full potential in the way the FDA envisions remains an open and unaddressed issue.

A critical part of this robust patient safety net, according to the FDA, is attention to women’s health.  The FDA stated that, over the last several years, there have been “several significant medical device safety issues [involving] devices intended for women’s health uses.”  To that end, the Action Plan contemplates building out, for example, the Women’s Health Technologies Strategically Coordinated Registry Network (CRN) to improve its functionality and utility for providing the evidence needed to improve women’s medical device safety evaluation.

The Action Plan also contemplates the FDA using these data collection and analyses portals to improve postmarket mitigations (e.g., labeling or user training).  The FDA plans to examine its current statutory authority to determine whether it can develop a so-called “umbrella regulation” to enable quicker implementation of certain postmarket mitigations.  Because issues related to medical device safety may not be known until the device is used in a clinical setting or among a diverse population, the FDA frequently identifies necessary improvements for medical device safety after a medical device is on the market.  To implement postmarket mitigations, however, the FDA typically must engage in rulemaking, which is a lengthy process involving notice and comment.  Though the FDA is often able to work with manufacturers to voluntarily implement postmarket mitigations, the agency is clearly unhappy with having to resort to this option.  The “umbrella regulation” mentioned in the Action Plan is a way for the FDA to have a more rapid and direct response to postmarket safety incidents.

Facilitating Medical Device Innovation and Safety

As the FDA identifies postmarket mitigations necessary to improve medical safety, so too do manufacturers, on their own, modify and improve the safety of medical devices (e.g., by adding new features).  According to the FDA, however, this kind of innovation is not readily incentivized by the marketplace unless there is a known safety concern.  The FDA is concerned with the effect on the quality of medical devices on the market.  Within the bounds of the FDA’s statutory authority and to encourage innovation – as has been done, for example, with the Breakthrough Devices Program – the Action Plan mentions several things that the FDA intends to do to support and facilitate medical device innovation as it concerns safety.  Among the options the FDA will explore are encouraging greater collaboration between the FDA’s staff and medical device developers, developing a discrete program like the Breakthrough Devices Program, focusing regulatory science resources on safety innovation, and developing scientific toolkits for developers to use to integrate safety risk management into medical device design and development.

Medical Device Cybersecurity as a Patient Safety Issue

Finally, but importantly, medical devices are like every other connected device in today’s world:  They are not immune to the dangers posed by cyber threats.  As interconnectivity increases, so too does exposure to cyber risk, and the Action Plan recognizes this by including a focus on medical device cybersecurity as a patient safety issue.  During the pre-market review process, the FDA will consider requiring firms to embed cybersecurity capabilities (e.g., the capacity to patch a software vulnerability) into the design of the medical device.  Such an approach should emphasize for manufacturers that cybersecurity considerations cannot be an afterthought in medical device design.  Another way the FDA plans to emphasize its commitment to managing cybersecurity issues is by considering postmarket authority that would “require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified.”  Consistent with its use of PPPs in other data collection and analysis areas, the FDA is also considering developing a team of experts across several disciplines to be a resource for device makers and the FDA staff.  This CyberMed Safety (Expert) Analysis Board (CYMSAB) would, among other things, assess vulnerabilities, evaluate patient safety risks, consult with organizations, and be a rapid-response field team that investigates the circumstances surrounding a compromised medical device (at the manufacturer’s or the FDA’s request).

The Action Plan:  Looking Ahead

Though aspirational, the Action Plan implicates a number of legal issues, including the traditional (e.g., medical device marketing applications and postmarket surveillance, intellectual property protection) and the novel, emerging, and rapidly-evolving (e.g., cybersecurity threat and risk management, medical device software development, digital health data access, privacy, and protection).  In only a short five item list, the FDA presents a dense, ambitious plan to build on its existing resources and to shift its regulatory approach to one that considers the TPLC of a medical device and that continues to refine the patient benefit-risk framework currently in use.  Only time will tell if this Action Plan will meet the FDA’s quest to be more comprehensive and nimble.  Funding for existing programs and for the expansions contemplated by this Action Plan was not specifically addressed, but the FDA has indicated that it is ready to embrace fresh thinking in medical device regulation.

Venable’s team of attorneys is ready and able to help you plan for the multi- and inter-disciplinary issues presented by this Action Plan, and for the many changes it could introduce into the medical device regulatory space and for your business.  In addition, the FDA is accepting comments on the Medical Device Action Plan: Protecting Patients, Promoting Public Health, and our attorneys are prepared to assist with the drafting and submission of comments.

On February 28, Ethan Davis, the U.S. Department of Justice’s (DOJ) deputy assistant attorney general responsible for consumer protection, gave a speech discussing the Department’s plans for enforcement of laws governing the marketing of medical products. Mr. Davis highlighted recent DOJ enforcement actions and previewed how the Department intends to approach the issue in the Trump administration. The speech was an important marker of how the current administration will navigate the tension between First Amendment protection for commercial speech and government enforcement in misbranding cases. The message: A renewed emphasis on what may be called “plus factors” and on the “rule of law” does not mean the DOJ will stop pursuing misbranding cases.

For those in the life sciences industry who expected the still-new administration to effect radical change in this always contentious area of enforcement, the speech offered little that was truly new. Now is by no means the time for industry to relax its compliance vigilance.

Click here to continue reading this article written by Venable’s Investigations and White Collar Defense attorneys.