New FDA Rule on Data Systems Has Implications for Device Manufacturers, Health IT Developers, and Healthcare Providers

February 15, 2011

The Food and Drug Administration (FDA) today issued the long-awaited final rule for Medical Device Data Systems, three years after the publication of its initial proposed rule. This new rule affects the regulatory status of many health information technology (health IT) systems, and imposes new requirements on certain hospitals and other healthcare facilities that employ such systems.

The final rule classifies as Class I devices certain computer/software systems that electronically transfer, store, convert, or display medical device data (e.g., data from glucose meters or nurse call systems), which FDA is calling Medical Device Data Systems, or MDDS. The implementation of this new rule will end FDA's prior policy of enforcement discretion for MDDS devices, and subject these products to FDA's regulatory requirements for Class I devices. However, acknowledging that device regulation is new to many MDDS manufacturers, FDA has provided a staged implementation schedule, giving manufacturers 90 days to register and list with FDA, and 12 months to establish systems and procedures for compliance with its quality systems regulation (QSR) and medical device reporting (MDR) requirements.

What Are MDDS?

Consistent with its 2008 proposed rule, FDA's final rule defines MDDS to include systems that electronically transfer, store, or display medical device data, and systems that electronically convert medical device data from one format to another in accordance with preset specifications. The definition does not include systems that control or alter the function of any connected medical devices, or systems intended for use in connection with active patient monitoring.

Who Is Affected by the New Rule? 

The final rule affects all "manufacturers" of systems and products that fall within the scope of the MDDS definition. In its preamble to the final rule, FDA clarifies that the term manufacturer includes not only traditional computer/software manufacturers, but also users (such as hospitals and other providers) that modify computer/software products beyond the original manufacturer's specifications and then use the modified products for their "clinical practice or otherwise for commercial distribution." The express inclusion of hospitals and other healthcare facilities signals a shift for FDA, which previously limited its focus to manufacturers/sellers of device products. Healthcare facilities that currently customize computer/software products will need to consider the impact of the final rule on their use of such technology.

What Are the Requirements?

All devices that meet the definition of an MDDS are now classified as Class I devices, exempt from premarket notification requirements. This includes devices that fall within the MDDS definition, but were previously cleared through the premarket notification process as accessories to other device types. MDDS manufacturers will be required to comply with Class I device requirements, including registration, listing, labeling, QSR, MDR, and correction and removal reporting requirements. Within 90 days of the date of the publication of the final rule, MDDS manufacturers must be registered and listed with FDA. As noted above, FDA is allowing MDDS manufacturers 12 months to establish compliant quality and medical device reporting systems. Significantly, FDA does not intend to enforce the QSR design control requirements retroactively to currently marketed MDDS devices, but will enforce these requirements for any design changes to a currently marketed device.

What Are the Major Changes from the Proposed Rule?

The most significant change to the final rule from the MDDS proposed rule issued in 2008 is the elimination of 510(k) premarket clearance requirements for MDDS devices that perform irreversible data compression or that are intended for lay use. In the final rule, FDA determined that 510(k) clearance was not necessary for MDDS devices that feature irreversible data compression. Similarly, FDA found that MDDS devices continue to be low risk whether used by lay persons or healthcare professionals. Thus, FDA is not requiring 510(k) clearance for lay use MDDS devices, but noted that it is reserving the right to change its decision if reports suggest that this broader use presents an unreasonable safety risk.

What Does the Future Hold?

FDA appears to be taking a more proactive approach to its regulation of computer/software systems than in the past, and likely will extend its regulatory authority to other health IT and mobile health products. In response to the various rulemakings from the HHS Office of the National Coordinator for Health Information Technology encouraging the adoption of electronic health records (EHRs) and implementation of a national health IT infrastructure, FDA is drafting a guidance that defines which aspects of health IT are considered regulated medical devices (e.g., clinical decision support systems, EHRs). Additionally, FDA Commissioner Margaret Hamburg announced in July 2010, at a joint FDA-FCC meeting, that FDA is drafting a guidance document on mobile health devices (e.g., those that utilize wireless technology).

If you have any questions or would like more information on any of the issues discussed in this LawFlash, please contact the authors, M. Elizabeth Bierman (202.739.5206; and Michele Buenafe (202.739.6326;