In June 2017, the new Food and Drug Administration (FDA) commissioner Scott Gottlieb pre-announced his agency’s Digital Health Innovation Action Plan that indicates notable shifts in the agency’s approach to digital health technologies. This plan is an important step in FDA regulation of this area, a process that began in 2011 with a draft guidance, followed by significant congressional actions. The new changes should not be surprising, given critiques published by Gottlieb prior to re-joining the FDA. In 2014, he wrote that smartphones are “purposely dumbed down” due to the “risk of unwieldy FDA regulation,” and in 2015, he argued that what most considered the FDA’s “light touch” on digital health was still too heavy-handed. The new plan signals two major shifts: first, a shift from premarket to postmarket review by the FDA; and second, a shift from oversight by the FDA to oversight by independent, nongovernment certifiers. These changes may be bellwethers for how a Trump-era FDA approaches areas far beyond digital health.

The FDA And Digital Health

The FDA’s current approach to digital health began in 2011 when it reclassified some medical device software to its lowest-risk Class I category and when it published a “Draft Guidance on Mobile Medical Applications.” The guidance (which was withdrawn after passage of the 21st Century Cures Act) tried to clarify which applications, hardware, and software platforms might qualify as medical devices. For example, health trackers, disease management apps, and apps providing generalized medical information would not fall under FDA jurisdiction. Other apps that would qualify as “devices” would nevertheless be exempt, per the agency’s “enforcement discretion.” Instead, the agency’s risk-based approach would focus on apps that provided “patient-specific analysis and … patient-specific diagnosis, or treatment recommendations.”

Over the past few years, policy makers began to contemplate a new regulatory framework for digital health. In 2012, Congress passed the FDA Safety and Innovation Act, calling for key agencies, including the FDA, the Federal Communications Commission, and the Office of National Coordinator for Health Information Technology, to recommend a “risk-based regulatory framework” for mobile apps and other health information technology (IT) products. In 2014, the resulting report encouraged the FDA to maintain its circumscribed jurisdiction and made modest proposals, such as creating a new “Health IT Safety Center” to generate best practices.

After the report’s publication, momentum built toward more definitive legislation. In December 2016, Congress passed the 21st Century Cures Act, which amended the definition of “device” to exclude from FDA jurisdiction any “health software” used for administrative, lifestyle, patient record, and some clinical decision support purposes. Despite these broad exemptions, the act gives the FDA discretion to regulate software found to be “reasonably likely to have serious adverse health consequences,” but only after the agency uses a notice-and-comment procedure. Elsewhere, the act reiterates the requirement that the FDA impose the “least burdensome” standards necessary for device review, including consideration of “post-market information.”

Dissatisfied Stakeholders

The FDA hoped that its earlier guidance would “provide clarity and predictability” for the digital health industry. But confusion remained. Some less-than-scrupulous developers have tried to avoid FDA jurisdiction by claiming that their apps are merely “recreational” or “informational,” while more careful developers have delayed or sidelined products due to the FDA’s indeterminacy. More generally, serious companies also saw a disconnect between digital health product lifecycles and the FDA’s relatively long review cycles.

Meanwhile, consumers want reliable information about the safety and efficacy of digital health products. But the FDA reviews very few digital health products on the market. In 2013, the FDA said it had cleared around 100 mobile health applications for marketing to date, and a 2016 report counted 36 products cleared by the FDA that year. By comparison, in 2016, there were 165,000 health-related apps available for Apple or Android mobile devices, with 1.7 billion downloads predicted this year.

The Federal Trade Commission (FTC) has filled some of the void, bringing enforcement actions against digital health products claiming to detect melanomas, treat children with attention deficit hyperactivity disorder, measure blood pressure, or improve vision without a sufficient evidence base. While the FDA has jurisdiction to ensure that devices are safe and effective, the FTC has somewhat overlapping jurisdiction to pursue unfair and deceptive trade practices, including spurious health claims. As such, the FTC promotes “best practices” for mobile health app developers. State enforcement is also filling the void left by the FDA. Recently, the New York Attorney General invoked state unfair trade practice laws against a company marketing a fetal heart monitor app without FDA clearance. But comprehensive screening remains elusive.

A New Framework For Digital Health

In his June 2017 announcement, Gottlieb characterized the FDA’s new Digital Health Innovation Plan as an “entirely new” and “comprehensive approach to the regulation of digital health tools.” Central to the new initiative is the acceptance that the “FDA’s traditional approach to moderate and higher risk hardware-based medical devices is not well suited for the faster iterative design, development, and type of validation used for software-based medical technologies.

The plan suggests at least two important shifts from the FDA’s previous approach. First, the plan includes “a novel, post-market approach” that would shift attention from premarket to postmarket oversight. Although details are sparse, the FDA states that it will exempt “lower risk” digital health products from FDA review and streamline review for “higher risk” products. The FDA also says it will rely on “post-market collection of real-world data” to clear new product functions, referring to the forthcoming National Evaluation System for Health Technology, an FDA-led effort to generate and collect “real-world evidence” about medical devices. July’s formal announcement of the Digital Health Innovation Action Plan did not mention postmarket oversight except in the context of its newly announced Software Precertification Pilot Program. The core of this program is that “Precertified companies that have demonstrated a culture of quality and organizational excellence could bring certain types of digital health products to market without FDA premarket review or after a streamlined, less-burdensome FDA premarket review.

The second shift is from review by the FDA to review by third parties. The new Digital Health Innovation Plan will feature “a third-party certification program” to administer the new, more minimalist premarket clearance process. The FDA envisions a third-party precertification program that relies on the “software as a medical device” framework, which the FDA is implementing through its work with the International Medical Device Regulators Forum.

Important Questions Remain

The FDA’s new Digital Health Innovation Plan raises as many questions as it answers. First, the recent Cures Act doesn’t seem to support the major shifts announced by Gottlieb. Although an earlier House version of the bill included authority to implement a new regulatory framework for software, the version that passed did not, focusing instead on clarifying the FDA’s jurisdiction over software. Thus, the FDA’s new plan will likely be implemented through nonbinding guidance, a weakness previously identified by scholars and by Gottlieb himself. In fact, Gottlieb’s announcement hinted that third-party certification may be difficult to introduce under the FDA’s current statutory authority.

Second, although there remains significant demand among users and payers for reliable evidence to substantiate claims made by digital health products, it is not clear that the new plan will generate much evidence prior to market introduction. Currently, the absence of robust premarket review by the FDA for most digital health products creates an environment of caveat emptor, which can depress both demand and adoption of these new technologies. Such efforts will have more teeth if the FDA retains the authority to use traditional regulatory enforcement tools when necessary. Moreover, if the shift from premarket to postmarket evaluation is to be meaningful, it would be useful to specify a mandatory reevaluation by the FDA at some regular interval, as is being contemplated in other countries.

Third, there are serious questions about the effectiveness of third-party certification. For example, the certification process for ensuring that electronic health records satisfy “meaningful use” standards has had decidedly mixed results. In the digital health sphere, an early certification effort was suspended after serious flaws were discovered in some of the apps that had been certified.

Notably, the FDA is planning to create a new digital health unit—populated by 13 engineers with expertise in software, artificial intelligence, and the like—to coordinate FDA review of digital health products. It will be interesting to see whether that unit or third parties will generate the most reliable evidence that apps are safe and effective. But even national governments find these review efforts daunting. The United Kingdom’s National Health Service (NHS) failed in its first effort to curate medical apps, although it recently relaunched its Digital Apps Library and a companion app portal where developers can test app compliance with NHS standards.

The major shifts proposed by the FDA represent an experiment in medical product regulation—with important ramifications for patients, clinicians, hospitals, payers, and product developers. Under a new administration, the FDA is experimenting with a new way to balance innovation and risk with emerging medical technologies. The big question is whether the experiment will generate evidence that potential users can rely on.

Author’s Note

Professor I. Glenn Cohen has consulted on bioethics issues for pharmaceutical companies involved in digital health technologies.