Thursday, October 24, 2013

HR 3303 Introduced – FDA Software

Yesterday I mentioned that Rep. Blackburn (R,TN) introduced HR 3303, the Sensible Oversight for Technology which Advances Regulatory Efficiency Act of 2013 (with the snappy short title – SOFTWARE Act of 2013). I had hoped that this bill would be addressing (at least in part) cybersecurity issues for medical software regulated by the FDA. Boy was I wrong.

The Provisions

It starts off by defining ‘medical software’ in 21 USC §321 as software that would be intended or marketed to either “directly change the structure or any function of the body of man or other animals” {§321(ss)(1)(A)} or used “by consumers and makes recommendations for clinical action” {§321(ss)(1)(B)}. The definition specifically excludes software that is “integral to the functioning of a drug or device” {§321(ss)(2)} or component of a device. So the software controlling communications with Vice-President Cheney’s pacemaker would be excluded from the definition of ‘medical software’.

Section 2(b) of the bill would add a new section to 21 USC Subchapter V (§524B) that would make the provisions of 21 USC Subchapter V Part A apply to medical software and treat them like devices.

Section 3 of the bill would add another definition to 21 USC §321; ‘clinical software’ is software used in a clinical setting that “captures, analyzes, changes, or presents patient or population clinical data or information and may recommend courses of clinical action, but does not directly change the structure or any function of the body of man or other animals” {§321(tt)(1)(A)}. It specifically includes in this definition “associated hardware and process dependencies” {§321(tt)(1)}.

Another term is also included in this paragraph (though it is odd that it does not get a paragraph of its own); ‘health software’ which is not medical software or clinical software. It includes software (and again including hardware and associated processes) that:

• Captures, analyzes, changes, or presents patient or population clinical data or information {§321(tt)(2)(A)};
• Supports administrative or operational aspects of health care and is not used in the direct delivery of patient care {§321(tt)(2)(B)}; or
• Has the primary purpose is to act as a platform for a secondary software, to run or act as a mechanism for connectivity, or to store data {§321(tt)(2)(B)}.

Section 3 goes on to add another section to 21 USC Subchapter V Part A {§524(C)} that specifically excludes clinical software or health software from regulation by the FDA.

What Is Missing

There is nothing in this bill that addresses or even identifies concerns about cybersecurity for any of these three types of software. This bill would be a very good place for Congress to specifically provide FDA the authority to regulate the security of software that might directly affect the health or life on individuals or the privacy of an individual’s medical information.

Moving Forward

It is unusual for a bill to actually be published by GPO the day after it is introduced in the House. Bills that get this expedited service have typically been identified for early action. Since Ms. Blackburn is Vice-Chair of the House Energy and Commerce Committee, the sole committee given jurisdiction over this bill, I would assume that it will get prompt attention in that Committee and will move promptly to the floor. It will probably get considered under suspension of the rules.

I see no reason why this bill would attract any serious opposition on either the floor of the House or the Senate. 

No comments:

/* Use this with templates/template-twocol.html */