On December 8, 2017, the U.S. Food and Drug Administration (“FDA”) issued draft guidance titled “Clinical and Patient Decision Support Software”(“CDS Guidance”). According to FDA Commissioner Scott Gottlieb, M.D., the CDS Guidance is intended to clarify the types of clinical decision support software (“CDS”) that would no longer be defined as a medical device and, therefore, would not be regulated by the FDA.

Stakeholders in the digital health industry have long awaited clarification of the scope of the FDA’s regulatory oversight of CDS, specifically the differentiation between low-risk and high-risk CDS. The FDA had first announced its plan to develop guidance for CDS in 2011. Unfortunately, stakeholders seeking clarity may have to wait longer.

CDS Guidance Does Not Incorporate a Risk Framework

In 2014, the FDA was actively engaged with the International Medical Device Regulators Forum (“IMDRF”) in developing a risk framework, which can be summarized into two factors that drive risk:

  1. Significance of the information provided by the Software as a Medical Device (“SaMD”) to the health care decision—i.e., is the information critical to the decision-making, or more peripheral?
  2. State of the health care situation or condition—i.e., could the patient die, and how urgent is the condition?

Unfortunately, the FDA does not incorporate the IMDRF risk framework into the CDS Guidance. Rather, the FDA appears to merely restate the 21st Century Cures Act (“Cures Act”) framework that exempts software if a physician user can independently review the basis for the recommendation. The CDS Guidance suggests that software that does not provide a reasonable basis for reviewing a recommendation will always be regulated regardless of risk. For example, software that utilizes a complex machine learning algorithm to determine which patients have the common cold will be regulated because a physician is unable to mentally duplicate the algorithm.

The CDS Guidance does not answer basic questions when applied to current and future forms of CDS, which is and will be based on machine learning and other forms of complex algorithms that add to the knowledge of physicians. Unless the FDA intends to regulate all such software regardless of risk, the CDS Guidance does little to elaborate on the analysis used to differentiate the types of CDS to be regulated by the agency.

CDS Guidance Does Not Clearly Differentiate Between Regulated and Unregulated CDS

The CDS Guidance provides several examples of unregulated and regulated CDS; however, no explanation is given as to why a particular example triggers regulation or not. Most of the examples of unregulated software appear to make recommendations based on information that is already available to the user. Most of the examples of CDS and other software functions to be regulated as medical devices appear to utilize computer-based algorithms that analyze, manipulate, and/or extrapolate signals generated from medical devices.

Although the section on patient decision support software (“PDS”) states that the FDA intends to exempt certain software, the test largely relies on whether patients can understand the basis for the software. Considering that technological sophistication will vary across the patient population, this is not a clear standard. This would most likely set a very high bar for PDS and therefore subject most PDS to FDA regulation.


The draft CDS Guidance elaborates little more than what the Cures Act already set forth. This would leave an industry segment that is advancing at a rapid pace with much ambiguity as to the rules of the road. CDS producers and their investors, as well as consumer/patient advocates, may wish to press the FDA to make the final guidance much crisper. The public has until February 6, 2018, to comment.

* * *

For additional information about the issues discussed above, please contact the Epstein Becker Green attorney or EBG Advisors consultant who regularly assists you, or the author of this advisory:

Bradley Merrill Thompson
Washington, DC

Daniel Kim, a Law Clerk – Admission Pending (not admitted to the practice of law) in Epstein Becker Green’s Washington, DC, office, contributed significantly to the preparation of this advisory.

Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.