On November 9, the Department of Health and Human Services (HHS) issued a proposed rule to adopt updated versions of the retail pharmacy standards for electronic transactions adopted under the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and to broaden the applicability of the HIPAA subrogation transaction.

If the proposed rule is finalized, covered entities would have to comply within 24 months after the effective date of the final rule, and small health plans would have 36 months to comply. Comments must be submitted by January 9, 2023 (60 days after date of publication in the Federal Register).


Under HIPAA, HHS is required to adopt standards for electronic health care administrative transactions conducted between health care providers, health plans, and health care clearinghouses. The National Committee on Vital and Health Statistics (NCVHS) serves as an advisory committee to the HHS Secretary and must recommend modification of HIPAA standards following review and approval of new or updated standards developed by Standards Development Organizations.

In 2009, HHS adopted the National Council for Prescription Drug Programs (NCPDP) Telecommunication Standard Implementation Guide, Version D, Release 0 (Version D.0) and equivalent NCPDP Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2) (collectively referred to as Version D.0) for retail pharmacy transactions. HHS also adopted the NCPDP Batch Standard Medicaid Subrogation Implementation Guide, Version 3, Release 0 (Version 3.0) for Medicaid pharmacy subrogation transactions, which Medicaid agencies use in transmitting claims to payers for the purpose of seeking reimbursement from the health plan responsible for a pharmacy claim the State has paid on behalf of a Medicaid recipient.

Since 2018, NCHVS has issued recommendations to adopt the following standards: NCPDP Telecommunications Standard Implementation Guide Version F6 (to replace Version D.0); NCPDP Batch Standard Implementation Guide Version 15 (to replace Version 1.2); and NCPDP Batch Standard Subrogation Implementation Guide Version 10 (to replace Version 3.0). These recommended standards were developed through consensus-based processes, which included the opportunity for public comment. NCVHS has recommended that HHS publish a proposed rule adopting more recent standards to address evolving industry changing business needs and sent letters in 2018 and 2020 that urge adoption of those standards.

Major Provisions of the Proposed Modifications to the National Council for Prescription Drug Programs Retail Pharmacy Standards and the Adoption of a New Pharmacy Subrogation Standard

Consistent with NCHVS recommendations, HHS proposes to adopt the following NCPDP standards:

  • The NCPDP Telecommunication Standard Implementation Guide, Version F6 and equivalent NCPDP Batch Standard Implementation Guide, Version 15:
    • HHS proposes adopting modifications to the current HIPAA retail pharmacy standards for the following transactions: health care claims or equivalent encounter information; eligibility for a health plan; referral certification and authorization; and coordination of benefits.
    • Version F6 would upgrade the currently adopted Version D.0, such as improvements to the information attached to controlled substance claims, including refinement to the quantity prescribed field. This change would enable refills to be distinguished from multiple dispensing events for a single fill, which would increase patient safety. Version F6 provides more specific fields to differentiate various types of fees, including taxes, regulatory fees, and medication administration fees. Version F6 also increases the dollar amount field length and would simplify coverage under prescription benefits of new innovative drug therapies priced at, or in excess of, $1 million.
  • The NCPDP Batch Standard Pharmacy Subrogation Implementation Guide, Version 10, for non-Medicaid health plans:
    • While HIPAA currently only requires Medicaid agencies to use the Batch Standard Medicaid Subrogation Implementation Guide, Version 3.0, Version 10 would require all health plans to use the Pharmacy Subrogation Implementation Guide, pursuant to industry feedback that subrogation is needed beyond Medicaid.
    • The current Medicaid Subrogation Implementation Guide Version 3.0 was adopted to support federal and state requirements for state Medicaid agencies to seek reimbursement from the correct responsible health plan. However, industry stakeholders reported that there is a need to expand the use of the subrogation transaction beyond Medicaid agencies. HHS notes that expansion of the standard would allow for better tracking for subrogation efforts and results across all health plans, and support cost containment efforts.


In the proposed rule, HHS states that the updated retail pharmacy standards are sufficiently mature for adoption and that covered entities are ready to implement them. HHS explains that adoption of the updated versions would provide improvements, including more robust data exchange, improved coordination of benefits, and expanded financial fields that would avoid the need to manually enter free text, split claims, or prepare and submit a paper Universal Claim Form.

The Centers for Medicare & Medicaid Services National Standards Group plans to hold a listening session on the proposed rule on Wednesday, November 30th from 2:00 to 3:30 PM EST to provide an overview of the proposed rule’s provisions and hear stakeholder feedback on the proposed rule. Additional information on the listening session is available here.

In late November, HHS proposed long-awaited changes to regulations at 42 C.F.R. Part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records as required under the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act. Generally, HHS is attempting to align Part 2 requirements with the HIPAA (“Health Insurance Portability and Accountability Act”) Privacy Rule. The most significant changes are those to the rules governing consent for entities subject to Part 2’s restrictions to use, disclose, and redisclose Part 2 records with respect to treatment, payment, and health care operations (“TPO”) activities.

Continue Reading HHS Proposed Changes Would Align Part 2 Regulations on Substance Use Disorder Records with HIPAA

The results of the 2022 U.S. midterm elections—during which voters were focused on the economy, public safety, and health care and abortion issues—will have longstanding consequences for the development of health care policy over the next two years. With the U.S. House of Representatives and U.S. Senate controlled by different parties, it will be difficult for Congress to come to bipartisan agreement and pass significant health legislation during the 118th Congress. As a result, the Biden Administration will focus on implementing regulations for key legislative accomplishments and leveraging executive and regulatory authority to advance policy priorities, including implementing the Inflation Reduction Act, lowering health care and prescription drug costs for patients, and addressing health equity gaps across population groups. Considering the impact of the COVID-19 pandemic and expected unwinding of the public health emergency (PHE), concerns regarding health care financing and Medicare Trust Fund solvency, and the acceleration in the adoption of health information technology and digitization in recent years, implementation of these policy priorities will have a substantial impact on all stakeholders within health systems.

In 2023, we expect to see health care policy developments in the following key domains: reproductive rights and gender discrimination, health data privacy, telehealth, and price transparency.  

Reproductive Rights and Gender Discrimination 

Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, federal agencies have taken a number of actions to provide resources and guidance on health data privacy in accordance with President Joe Biden’s executive order to support access to reproductive health care. In July, the Department of Health and Human Services (HHS) issued guidance and sent a letter to health care providers reminding them of their responsibilities, irrespective of conflicting state laws or mandates, to provide stabilizing medical treatment to pregnant patients under the Emergency Medical Treatment and Active Labor Act (EMTALA). HHS also issued guidance reminding retail pharmacies of their nondiscrimination obligations under Section 1557 of the Affordable Care Act and directing pharmacies to not discriminate against customers on the basis of sex and disability (e.g., those seeking medication abortion). While the EMTALA guidance is currently being challenged in federal court, we expect the Administration to address additional issues related to reproductive health care services, including state policies affecting telehealth and travel restrictions for abortion. Without bipartisan agreement in the divided Congress, passage of wide-ranging abortion legislation is unlikely.  

Over the summer, the HHS Office of Civil Rights (OCR) issued a notice of proposed rulemaking implementing Section 1557 of the Affordable Care Act and establishing antidiscrimination requirements applicable to health care entities. The proposed rule restores and strengthens certain civil right protections under federally funded health programs and HHS programs which were limited following the previous versions of the rule, specifically regarding discrimination on the basis of sex, including sexual orientation and gender identity. Notably, the proposed rule also addresses the application of federal conscience and religious freedom laws and establishes a process to review whether an entity is entitled to an exemption or modification of the 1557 regulations based on such laws. Comments on the proposed rule closed in October, and we expect related developments on regulations addressing gender discrimination in federal health programs.  

Health Data Privacy 

As a result of the Dobbs decision, the Biden Administration also continues to issue regulations to protect patients’ health data privacy, including reproductive health information. In August, the Federal Trade Commission also issued a notice of proposed rulemaking on the prevalence of commercial surveillance and data security practices, including in the health care sector. Most recently, the OCR issued a bulletin to outline the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on regulated entities when using online tracking technologies and notably includes several examples focused on protecting reproductive health information. Building on these actions, we expect federal agencies to issue additional guidance on the HIPAA privacy rule and protecting reproductive health care information.

In addition to changes in guidance to support reproductive health care services, HHS has also focused on improving access to health data, supporting care coordination, and improving interoperability by issuing a notice of proposed rulemaking that proposes to make sweeping changes to regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder records. As we previously discussed, these modifications are intended to align Part 2’s currently stringent rules more closely with health information privacy rules promulgated under HIPAA and to improve the ability of entities subject to Part 2’s restrictions to use, disclose, and redisclose substance use disorder-related information. Regulatory action on health data privacy is being taken against the backdrop of stalled Congressional negotiations on the American Data Privacy and Protection Act (H.R.8152), which proposes to establish a national data security and digital privacy framework, as well as other data privacy bills. Bipartisan lawmakers agree that additional safeguards are needed to protect consumers’ online data, which indicates that we may see legislative action in the new Congress.  


Depending on whether telehealth extensions are included in the fiscal year 2023 appropriations legislation, Congress may act to bolster federal support for telehealth and extend certain Medicare telehealth flexibilities beyond the COVID-19 PHE. HHS recently extended numerous telehealth flexibilities in the 2023 Medicare Physician Fee Schedule Final Rule for 151 days after the end of the COVID-19 PHE, in alignment with the Consolidated Appropriations Act, 2022. In July 2022, the House of Representatives passed, 416-12, the Advancing Telehealth Beyond COVID-19 Act of 2021 (H.R.4040), which modifies the extension of certain Medicare telehealth flexibilities (i.e., waiving originating site restrictions; allowing audio-only coverage; and expanding the list of telehealth practitioners) through December 2024. HHS will likely provide additional resources and guidance on telehealth, specifically regarding originating site and delivery modality flexibility. During the COVID-19 pandemic, members of Congress and the Biden Administration have acknowledged the importance of telehealth for providing continued access to care, especially for certain vulnerable populations, and have expressed interest in expanding federal support for telehealth. 

Price Transparency 

In 2023, Congress and the Administration will continue to advance price transparency efforts and urge hospitals to comply with the Hospital Price Transparency Final Rule, which required hospitals to disclose their standard charges and make prices publicly available for consumers. In September, the HHS Office of the Inspector General (OIG) announced that it would review the controls in place at the Centers for Medicare & Medicaid Services (CMS) and statistically sample hospitals to determine whether CMS’s controls are sufficient to ensure that hospital pricing information is readily available to patients as required by law. The findings of OIG’s review are expected to be released next year. On the Congressional side, bipartisan leaders of the House Energy and Commerce Committee continue to express concern about hospital noncompliance with the final rule. Committee leaders recently sent a letter to the Government Accountability Office requesting that it examine hospital compliance with the provisions of the Hospital Price Transparency Final Rule in addition to CMS’s efforts to monitor and enforce hospital compliance. 

In regard to the Administration’s price transparency efforts, we also expect to see rulemaking from HHS, along with three other federal agencies, on advanced explanation of benefits and good faith estimate (GFE) requirements of the No Surprises Act after they had issued a request for information in September. Most recently, HHS announced that it would extend beyond January 1, 2023 its enforcement discretion, pending future rulemaking, on the requirement that health care providers make available GFEs to uninsured and self-pay individuals when there are co-providers or co-facilities under the No Surprises Act.  

Next Steps 

In collaboration with Crowell & Moring Government Affairs Group and Crowell & Moring International, Crowell Health Solutions will examine the post-election landscape in health care policy on December 13 at 1:00 PM. We invite you to attend this webinar on what to expect in health care in 2023 in Washington DC, across the U.S., and abroad and how potential policy changes may impact your organization. Register for the webinar here.  

Crowell Health Solutions is a strategic consulting firm focused on helping clients to pursue and deliver innovative alternatives to the traditional approaches of providing and paying for health care, including through digital health, health equity, and value-based health care.     

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) recently issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on regulated entities under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. The bulletin defines tracking technologies, provides examples of potential impermissible disclosures of electronic protected health information (ePHI) by HIPAA regulated entities to online technology tracking vendors, and outlines procedures regulated entities must take to protect ePHI when using tracking technologies in order to comply with HIPAA rules.

Regulated entities use tracking technologies on websites or mobile apps to collect and analyze information about how users are interacting with a regulated entity’s website or mobile application and may engage a technology vendor to perform analyses on user activity. The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI). In the bulletin, OCR emphasizes that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. OCR notes that failure to comply with the HIPAA rules may result in a civil monetary penalty.

PHI and Tracking Technologies

OCR explains that when HIPAA regulated entities use tracking technologies on their websites or mobile apps that the data collected by tracking technologies is often PHI.  Specifically, information such as an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code may be PHI, even if the data does not include specific treatment or billing information like dates and types of health care services. OCR notes that where the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), it will relate to the individual’s past, present, or future health or health care or payment for care even without specific health care or billing information.

Applicability for Various Tracking Technologies

OCR provides insight and examples of how the HIPAA rules would apply on regulated entities’ use of tracking technologies via user-authenticated webpages, unauthenticated webpages, and mobile apps.

  • Tracking on user-authenticated webpages:  OCR states that regulated entities must configure any user-authenticated webpages (i.e., sites that require a user to log in to access the webpage, such as a patient or health plan beneficiary portal or a telehealth platform) that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the ePHI collected through its website is protected and secured in accordance with the HIPAA Security Rule. Furthermore, regulated entities that contract with tracking technology vendors to transmit PHI or provide certain services on behalf of a regulated entity must ensure that the disclosures made to such vendors are permitted by the Privacy Rule, including entering into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules.
    • For example, if an individual makes an appointment through the website of a covered health clinic and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate and a BAA is required.
  • Tracking on unauthenticated webpages: OCR states that since tracking technologies on regulated entities’ unauthenticated webpages, in general, do not have access to individuals’ PHI, the HIPAA rules would not apply to a regulated entity’s use of such tracking technologies. However, OCR provides examples of tracking technologies on unauthenticated webpages which may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors. For example:
    • The HIPAA rules apply when tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login or registration information.
    • The HIPAA rules apply when tracking technologies collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. OCR notes that this may apply when the website addresses specific symptoms or health conditions, such as pregnancy or miscarriage.
  • Tracking on mobile apps: OCR states that regulated entities must comply with the HIPAA Rules for any PHI that individuals disclose on mobile apps, including any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information. OCR notes that the HIPAA Rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities. In such instances, OCR states that other laws, including the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR), may apply when a mobile health app impermissibly discloses a user’s health information.
    • For example, the HIPAA Rules apply to any PHI collected by a covered health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy (e.g., menstrual cycle, body temperature, contraceptive prescription information).

Compliance Obligations for Regulated Entities

OCR outlines HIPAA Privacy, Security, and Breach Notification requirements that regulated entities must meet when using tracking technologies with access to PHI. OCR states that regulated entities should ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that only the minimum necessary PHI to achieve the intended purpose is disclosed. OCR also explicitly states that it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information and that any disclosure of PHI to the vendor can only be done with an individual’s authorization or where the vendor has a signed BAA in place and the disclosure is for a permissible purpose.

OCR notes that website or mobile app privacy policies, notices, or terms and conditions are not sufficient to meet HIPAA requirements.


Regulated entities should evaluate their relationships with tracking technology vendors to determine whether any data disclosed is PHI, determine whether such vendor meets the definition of a business associate, and ensure that the disclosures made to such vendor are permitted by the Privacy Rule.

OCR recommends that regulated entities address the use of tracking technologies in the regulated entity’s risk analysis and management processes and implement other safeguards in accordance with the Security Rule, including encrypting ePHI that is transmitted to the tracking technology vendor. OCR also recommends that regulated entities provide breach notification to affected individuals, HHS, and the media of an impermissible disclosure of PHI to a tracking technology vendor in situations where there is no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor. 

Notably, a number of the examples focus on reproductive health information. As we previously discussed, the Biden Administration and OCR have been taking action to ensure compliance with privacy protections for sensitive reproductive health information, including under HIPAA. We expect additional clarification from the Administration about protecting health information, particularly as it relates to reproductive health services, and will continue to follow these developments.

For more information, or to better understand how this guidance impacts your organization, please contact the professionals listed below, or your regular Crowell & Moring contact.

Earlier this week, the United States Department of Health and Human Services (“HHS”) released a Notice of Proposed Rulemaking (“NPRM”) that proposes to make sweeping changes to regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records. These modifications, which implement provisions of section 3221 of the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, are intended to align Part 2’s currently stringent rules more closely with health information privacy rules promulgated under the Health Insurance Portability and Accountability Act (“HIPAA”), improving the ability of entities subject to Part 2’s restrictions to use, disclose, and redisclose SUD-related information.[1]

The changes generally fall into three categories: (1) proposals that expressly implement the CARES Act amendments to 42 U.S.C. § 290dd-2, the statute that Part 2 implements; (2) proposals that HHS deems necessary to further align Part 2 with HIPAA; and (3) proposals that HHS deems necessary to clarify the full scope of activities regulated under Part 2. The most significant changes are those to the rules governing consent to use, disclose, and redisclose Part 2 records, which would generally be relaxed under the NPRM and more aligned with HIPAA with respect to treatment, payment, and health care operations (“TPO”) activities.

HHS believes these changes would (1) facilitate greater integration of SUD treatment information within other protected health information; (2) improve communication and care coordination between providers and others in the health care system, such as payers; (3) enhance the ability to comprehensively diagnose and treat the whole patient; and (4) facilitate the exchange of Part 2 records between Part 2 programs.

Comments are due 60 days after publication of the NPRM in the Federal Register. HHS proposes that the final rule would take effect 60 days after publication and that enforcement of the new Part 2 rules and modified HIPAA provision regarding Notices of Privacy Practices would begin 24 months after publication of a final rule. HHS requests comment on whether this would be sufficient time for entities to come into compliance with revised regulations, including revising policies and procedures, training workforce, and completing other implementation requirements. For the proposed requirements regarding accountings of disclosures, HHS proposes to toll the compliance date for Part 2 programs until a final HIPAA rule on accountings of disclosures takes effect.

CARES Act Amendments

Enacted in March 2020, the CARES Act made significant changes to the Part 2 statute to more closely align Part 2 with HIPAA regulations. Specifically, section 3221 of the CARES Act amended 42 U.S.C. § 290dd-2 (the confidentiality of SUD records statute implemented by Part 2 regulations) so that once written patient consent is obtained, the contents of a Part 2 record “may be used or disclosed by a covered entity, business associate, or a program subject to this section for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations.” Further, the CARES Act amendment provides that any information disclosed in accordance with the above may then be redisclosed in accordance with HIPAA. This is a significant change from the current Part 2 rules, which prohibit redisclosure of Part 2 records unless the individual has expressly consented to such redisclosure. The CARES Act directed HHS to promulgate regulations implementing these amendments, which the NPRM aims to accomplish.

Key Proposals

The NPRM contains several significant changes to current Part 2 rules. Some of the most potentially impactful proposals are summarized below.

A. Consent and Redisclosure

The most impactful changes proposed in the NPRM are those implementing the CARES Act’s amendments regarding consent for the use, disclosure, and redisclosure of Part 2 records. Implementing these amendments, the NPRM proposes that if a patient provides valid consent to a use or disclosure of their records, the recipient may further use or disclose such records in accordance with the following rules:

  1. When disclosed for TPO activities to a Part 2 program, covered entity, or business associate, the recipient may further use or disclose those records as permitted by HIPAA, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.
  2. When disclosed with consent given once for all future TPO activities to a Part 2 program that is not a covered entity or business associate, the recipient may further use or disclose those records consistent with the consent.
  3. When disclosed for payment or health care operations activities to a lawful holder that is not a covered entity, business associate, or Part 2 program, the recipient may further use or disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out the payment or health care operations specified in the consent. The NPRM does not propose to define the terms “contractors, subcontractors, and legal representatives” but seeks comment on whether doing so would be helpful.

Ultimately, the key impact of these changes is enhanced flexibility when using, disclosing, and redisclosing Part 2 records for TPO purposes, and the ability to receive written consent from a patient once for all future TPO uses and disclosures. This represents a significant relaxation of current Part 2 rules.

In addition, the NPRM proposes numerous changes to the requirements for a valid Part 2 written consent. These changes would align the content requirements for a valid Part 2 written consent with those for a valid HIPAA authorization, including a statement of the right to revoke consent.

HHS asked a number of questions regarding consents, communicating to recipients about consent or revocation of consent, and the negative impacts on confidentiality and privacy from the proposed permission for disclosure of Part 2 data for TPO with consent.

B. Enforcement and Penalties

Currently, Part 2 provides for criminal enforcement. In accordance with the CARES Act amendments, the NPRM proposes to provide for both civil and criminal penalties and align Part 2 enforcement with HIPAA enforcement. Specifically, the NPRM proposes to apply sections 1176 and 1177 of the Social Security Act to violations of Part 2 in the same manner as they apply to a covered entity or business associate for violating HIPAA. This would include the civil monetary penalty tiers established by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. HHS will have civil enforcement authority.

The NPRM also proposes various provisions regarding the liability of investigative agencies that may receive Part 2 records while investigating or prosecuting a Part 2 program or other person holding Part 2 records. These include a proposed safe harbor for investigative agencies that conduct reasonable diligence but nonetheless unknowingly receive Part 2 records without first obtaining the required court order.

In addition, HHS requests comment on whether a safe harbor is appropriate for SUD providers that unknowingly hold records subject to Part 2 and unknowingly disclose them, violating Part 2.

C. Definitions

To enable alignment of Part 2 rules with HIPAA rules, the NPRM proposes to add definitions of terms that are relevant due to the alignment of Part 2 with HIPAA requirements. In some areas, HHS has modified definitions or the wording of certain phrases to match the corresponding language in HIPAA (e.g., changing “disclosure and use” to “use and disclosure”). One potentially noteworthy change is the proposed exclusion of HIPAA-covered health plans from the definition of “third-party payer.” The result of this change would be that Part 2’s disclosure restrictions continue to apply to a narrower set of entities, such as grant-funded programs.

HHS also seeks comment on whether it would be helpful to create an express definition of “lawful holder” and what such a definition should encompass.

D. Uses and Disclosures

Unlike HIPAA, many current Part 2 requirements only mention disclosures of Part 2 records and, with a few exceptions, generally do not mention uses of Part 2 records. The NPRM proposes to make various changes throughout the Part 2 rules to clarify that the rules indeed apply to both uses and disclosures. HHS proposes to adopt a definition of “use” that is consistent with HIPAA’s definition. HHS seeks comment on whether this change would substantively expand the scope of applicable requirements and prohibitions in an unintended manner.

E. Complaints

Part 2 rules currently provide that complaints of Part 2 violations should be sent to the U.S. Attorney for the judicial district in which the violation occurs, and reports of any violation by an opioid treatment program may be directed to the U.S. Attorney and the Substance Abuse and Mental Health Services Administration.

The NPRM proposes to require that Part 2 programs establish a process to receive complaints regarding the Part 2 program’s compliance with Part 2 regulations. It also proposes to prohibit intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against a patient for filing a complaint or otherwise exercising a right provided for under Part 2. Further, the NPRM proposes to prohibit requiring individuals to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services. These requirements are generally similar to HIPAA provisions concerning complaints.

F. Breaches

The NPRM proposes to apply the HITECH Act breach notification provisions currently implemented in the HIPAA Breach Notification Rule to Part 2 programs. Specifically, in the event of a breach of unsecured Part 2 records, Part 2 programs would be required to notify HHS, affected patients, and, in some cases, media outlets. Part 2 programs would also be required to establish and implement policies and procedures addressing notification in the event of a breach of unsecured Part 2 records.

HIPAA only requires notification in the event of a breach of unsecured protected health information. Similarly, under the NPRM, notification would only be required in the event of a breach of unsecured records. The NPRM proposes to apply the same concept to this term, defining it as a record that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS.

Since covered entities (and business associates) are already subject to HIPAA’s breach notification requirements applicable to protected health information, these proposed changes are more likely to impact Part 2 programs that are not covered entities, which should be a fairly small group. HHS requests comment on whether it should apply these new Part 2 breach notification requirements to qualified service organizations as well as they are essentially Part 2’s analog to HIPAA business associates and often receive and maintain a significant amount of Part 2-covered information.

G. Requirements for Intermediaries

Patients have a right under Part 2 to receive a list of entities to which an intermediary has disclosed the patient’s Part 2 records pursuant to a general designation. Currently, Part 2 only requires a list of such disclosures made in the last two years; the NPRM proposes to extend this to three years. While Part 2 currently does not define “intermediary,” the NPRM proposes to expressly define this term as “a person who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.” Examples include a health information exchange, a research institution that is providing treatment, an accountable care organization, and a care management organization.

HHS requests comment on whether the separate requirement for intermediaries to provide a list of disclosures is necessary considering the accounting of disclosures requirements proposed in the NPRM.

H. Security

Currently, Part 2 applies security requirements to Part 2 programs and lawful holders. In the NPRM, HHS states that it would consider the surrounding facts and circumstances to evaluate the extent a recipient of Part 2 records has a duty and ability to reasonably protect Part 2 records against unauthorized uses and reasonably anticipated threats or hazards. HHS requests comment on examples of lawful holders that may not be appropriately held liable for compliance with Part 2’s administrative requirements, such as implementing policies and procedures to protect against unauthorized use or disclosure.

HHS also seeks comment on the extent to which Part 2 programs refer to the HIPAA Security Rule as guidance for safeguarding Part 2 records. It also seeks comment on whether Part 2 should be amended to adopt the same or similar requirements as the HIPAA Security Rule.

I.  Notices of Privacy Practices

The CARES Act directed HHS to modify HIPAA’s requirements regarding Notices of Privacy Practices and specify new requirements for covered entities and Part 2 programs with respect to Part 2 records that also constitute PHI. These requirements would apply to entities that are subject to both Part 2 and HIPAA, including covered entities that are Part 2 programs, as well as covered entities that simply receive Part 2 records from a Part 2 program.

To implement these CARES Act provisions, the NPRM proposes to amend both the Part 2 patient notice requirements at 42 C.F.R. § 2.22 as well as HIPAA’s Notice of Privacy Practices requirements at 45 C.F.R. § 164.520. The NPRM proposes to revise Part 2’s patient notice requirements to substantially align them with HIPAA’s requirements for Notices of Privacy Practices with respect to both content and structure.

J. Individual Rights

The NPRM also proposes to create two patient rights in alignment with individual rights granted under HIPAA. Specifically, the NPRM proposes to create a right for patients (1) to receive an accounting of certain disclosures of their records, and (2) to request restrictions on disclosures of records for TPO, and obtain restrictions on disclosures to health plans for services paid in full by the patient. However, HHS does not intend to formally apply the former before the effective date of the modified HIPAA accounting of disclosures provision mandated by the HITECH Act.

The NPRM notes that HIPAA generally provides individuals a right to access their protected health information in a designated record set. A covered entity’s Part 2 records are generally considered part of the designated record set, whether the Part 2 program is a covered entity or merely a recipient of Part 2 records. However, HIPAA’s right of access excludes psychotherapy notes, which, in some instances, may also be considered Part 2 records. HHS is considering whether to create a similar term that is specific to the notes of SUD counseling sessions by a Part 2 program professional. Such notes would be Part 2 records but could not be disclosed based on a general consent for TPO. Instead, they could only be disclosed with a separate written consent. HHS requests comment on the benefits and burdens on this proposal to create additional privacy protection for SUD counseling notes that are maintained primarily for use by the originator of the notes.

K. De-identification

The NPRM proposes to adopt HIPAA’s de-identification standards at 45 C.F.R. § 164.514 where Part 2 rules address the use or disclosure of non-identifiable information. The NPRM also proposes to require Part 2 programs and lawful holders to implement formal policies and procedures to address de-identification of Part 2 information in accordance with HIPAA’s de-identification standards. In addition, the NPRM proposes to expressly permit disclosures to public health authorities as long as the records are de-identified in accordance with HIPAA standards.

While HHS considered an opt-in approach to de-identification (i.e., consent would be required to de-identify Part 2 records), it ultimately decided against such an approach, determining that an opt-in approach would create a barrier to de-identification that may ultimately negatively affect patient privacy.

L. Required Disclosures to the Secretary

The NPRM proposes to require disclosures to the Secretary of HHS to investigate or determine a person’s compliance with Part 2. Currently, Part 2 does not require disclosure of Part 2 records in any circumstances.

Next Steps

The NPRM has wide-ranging implications for the full spectrum of stakeholders in the health care industry and aims to enhance flexibility in using and sharing Part 2 records. Stakeholders should analyze the potential impact of the NPRM on their operations and submit comments to HHS, which are due 60 days after the NPRM’s publication in the Federal Register. Crowell & Moring has extensive experience with Part 2 and can advise you on understanding the implications of these proposed changes on your business.

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

The Belgian regulatory framework for medical devices is highly complex, and the already dense legal landscape was recently added to by the adoption of two new Belgian royal decrees: the Royal Decree of 25 September 2022 relating to performance studies involving in vitro diagnostic medical devices and the Royal Decree of 13 September 2022 amending and repealing various provisions regarding in vitro diagnostic medical devices.

What impact will these new Royal Decrees have? This alert will first provide you with a structured overview of the existing regulatory framework and then look more specifically at the consequences of these recent updates in the context of in vitro diagnostic medical devices.

The existing regulatory framework for medical devices

At a European level, medical devices are regulated by Regulation (EU) 2017/745 (the Medical Device Regulation), which replaced Directive 93/42/EEC (the Medical Device Directive). Belgian national measures to implement the Medical Device Regulation came into effect on 26 May 2021, and consist of the law of 22 December 2020 on medical devices, accompanied by three royal decrees:

  • The Royal Decree of 12 May 2021, which implements the provisions in the Belgian law of 22 December 2020;
  • The Royal Decree of 18 May 2021, which sets out the provisions regarding clinical trials involving medical devices; and
  • The Royal Decree of 28 April 2021, which aligns previous national rules with the Medical Device Regulation.

The new royal decrees for in vitro diagnostic medical devices

On 26 May 2022, Regulation (EU) 2017/746 (the In Vitro Diagnostic Medical Device Regulation) came into force, replacing Directive 98/79/EC (the In Vitro Diagnostic Medical Device Directive) and introducing major updates to the European regulatory framework for in vitro diagnostic medical devices, including changes to the scope of performance studies or clinical studies involving these devices.

The Belgian legislator transposed the In Vitro Medical Device Regulation by means of a law of 15 June 2022 that came into effect on 1 July 2022. The two newly adopted royal decrees mentioned above relate to this law, and they are important additions to the Belgian legislative landscape:

  • The Royal Decree of 25 September 2022 came into effect on 26 October 2022 and sets out the provisions regarding performance studies with in vitro diagnostic medical devices; and
  • The Royal Decree of 13 September 2022 came into effect on 4 November 2022 and aligns previous national rules with the In Vitro Diagnostic Medical Device Regulation.

The consequences of the recent legal changes

The Royal Decree of 25 September 2022 relating to the performance studies on in vitro diagnostic medical devices

This Royal Decree governs the conduct of performance studies involving in vitro diagnostic medical devices, and includes coordinated assessment procedures for performance studies where Belgium is acting as a coordinating Member State.

Certain studies now need to obtain prior authorization from the Federal Agency for Medicines and Health Products (the FAMHP) and are subject to an ethics committee review. These studies include i) performance studies in which surgically invasive sample-taking is done, ii) interventional studies, (iii) performance studies involving additional invasive procedures or other risks for subjects, and (iv) performance studies involving companion diagnostics, and (v) performance studies that assess in vitro diagnostic medical devices even though this is outside the scope of their intended purpose.

Certain other studies, must be notified to the FAMHP, but do not require prior authorization from the FAMHP and are not subject to ethics committee review. These studies include i) PMPF studies conducted to further assess in vitro diagnostic medical devices that already bear the CE marking and that involve submitting subjects to invasive and burdensome procedures additional to those performed under the normal conditions of the use of such device, and ii) performance studies involving companion diagnostics using only left-over samples.

Unlike the In Vitro Diagnostic Medical Device Regulation, the Belgian Royal Decree establishes a separate regime for performance studies involving in vitro diagnostic medical devices which are manufactured and used exclusively in healthcare facilities. 

The Royal Decree also requires that substantial modifications to any regulated studies be notified to the FAMHP for approval and are subject to ethics committee review. Additionally, the FAHMP in collaboration with the Minister for Social Affairs and Public Health or its representative is granted the discretion to revoke or suspend the study, or to require the sponsor of the performance study to modify any aspect, if any imposed requirements are not being met.

The Royal Decree of 13 September 2022 amending and repealing various provisions regarding in vitro diagnostic medical devices

This Royal Decree aims to repeal and amend various royal decrees relevant in the context of in vitro diagnostic medical devices in order to align the Belgian framework with the European level. Notably, this Royal Decree does not only apply to in vitro diagnostic medical devices but also amends various royal decrees applicable to other types of devices, such as medical devices or implantables.

By way of example, the Royal Decree amends and specifies the tasks of materiovigilance contact points, which currently consist of i) immediately notifying the FAMHP and distributors and/or manufacturers or their agents of any serious incidents, ii) participating in investigations carried out by the FAMHP and in work related to the safety of use of devices, or iii) recording and evaluating any serious incident or risk of serious incident due to a device, according to the procedure published on the FAMHP website (see Article 3 of the Royal Decree of 15 November 2017 on the materiovigilance contact point in hospitals and the registrations of medical device distributors).

The Royal Decree further specifies that economic operators should periodically confirm the accuracy of their device’s data, and the FAMHP will notify any economic operator that fails to do so that its activities could be suspended until this obligation is complied with. Furthermore, the Royal Decree clarifies which information should be submitted to the FAMHP when applying for a derogation from the conformity assessment procedures. If the request is justified, the FAMHP may approve such derogation in the interest of public health or patient safety (see Article 8/1 and Article 9 of the Royal Decree of 12 May 2021 implementing the Law of 22 December 2020 regarding medical devices).

The Belgian legislator will undoubtedly continue to make changes to this already dense and complicated regulatory framework in order to get it aligned with European Union legislation. We will continue to follow these developments and our Crowell & Moring MedTech team is here to answer any questions you may have and to provide you with ongoing updates.

President Biden signs Executive Order directing HHS to “consider additional actions to further drive down prescription drug costs”

On October 14, 2022, President Biden signed an Executive Order (EO) directing the Secretary of the Department of Health and Human Services (HHS) to consider new healthcare payment and delivery models the Center for Medicare & Medicaid Innovation (CMMI), part of the Centers for Medicare & Medicaid Services (CMS) and created by the Affordable Care Act, can test to lower drug costs and promote access to innovative drug therapies for Medicare and Medicaid beneficiaries. The EO specifies the HHS Secretary should include models that may lead to lower cost-sharing for commonly used drugs and support value-based payment initiatives that promote high-quality care. The Secretary must submit its report, describing any models selected, within 90 days of the EO’s issuance.  

Continue Reading White House looks to CMMI to test new ways to lower drug prices

On October 21st, the U.S. Food and Drug Administration (FDA) released a draft guidance that, if finalized, will update the agency’s 2018 guidance on its Breakthrough Devices Program (the “Program”). In the draft guidance, the FDA announced that when reviewing the eligibility of medical devices for the Program, the agency will also consider whether a device will help address health care disparities and promote health equity. In other words, FDA intends to specifically consider whether a device may provide for more effective treatment or diagnosis in populations impacted by health and/or health care disparities when determining eligibility for breakthrough status.

The Breakthrough Devices Program was launched in 2018 to provide patients and health care workers with faster and easier access to medical devices that effectively diagnose and treat life-threatening or irreversibly debilitating diseases or conditions. This program allows the FDA to speed up the development, assessment and review of products all while preserving the statutory standards for premarket approval, 510(k) clearance, and De Novo marketing authorization. If this latest draft guidance is finalized after a period of public comment, the agency will incorporate the proposed language into the 2018 guidance.

To address health disparities, FDA proposes adding new section III.B.3.d to the 2018 guidance in which it acknowledges the urgent public health need for innovative technologies that help to reduce barriers to achieving health equity and help to improve health outcomes across diverse populations. . The new section would acknowledge that “[a]ddressing health and health care disparities is not only important for achieving health equity, but also for improving the overall quality of life and health outcomes for all patients.” It thus proposes to take into account whether a device “is designed to address a pathophysiological or clinical characteristic associated with certain populations that could have a clinically meaningful impact for the treatment or diagnosis of the condition in those populations.” If so, the device may “be considered as reasonably expected to offer a more effective treatment or diagnosis” and thus could be eligible for breakthrough status. FDA asserts that the proposed changes “may expedite the availability of certain devices that meet the statutory designation criteria and benefit populations impacted by health and/or health care disparities, thereby promoting and advancing health equity.”

In addition to the considerations for health care disparities, FDA proposed the following other changes to the 2018 guidance:

  • In the Introduction, certain non-addictive medical products to treat pain or addiction may not be eligible for the Breakthrough Devices program.
  • Section III.B.1 Designation Considerations will have added language stating that the FDA will “review all information on a proposed device including its function, potential for technical success, the potential for clinical success, potential for a clinically meaningful impact, and its potential benefits and risks when evaluating whether a device is reasonably expected to provide for more effective treatment or diagnosis”
  • The last section receiving updates is Section III.C Designation Review Process which will describe when the FDA may publicly disclose designation requests that have been “previously publicly disclosed or acknowledged by the sponsor of the Breakthrough Device designation request” and will publicly disclose its Breakthrough Device designation status for its intended use.

FDA will accept comments on the draft guidance through December 18, 2022.

Crowell & Moring and Crowell Health Solutions hosted a HealthTech roundtable with discussions focused on value-based care, health equity, data privacy, artificial intelligence, and other trends in health care technology in the Washington, D.C. office on October 27. The sessions featured numerous experts from health technology companies, advocacy organizations, and trade associations, all of whom have extensive experience advising on health care policy and business issues. Policy makers, thought leaders, health care innovators, and business executives also joined the conversation.

The first panel discussed the successes and challenges in value-based care, advancing health equity, and operationalizing value-based primary care. Panelists discussed current obstacles that health care organizations face in pursuing value-based care in the current operating environment coupled with the stronger profitability of the traditional fee-for-service model.

“We have seen the health care sector’s movement towards value-based care and the increase in the number of accountable care organizations. It will be interesting to observe the future of value-based care at a time when health care organizations are navigating high inflation and workforce shortages,” said Senior Counsel and Crowell Health Solutions COO and Managing Director Janet Walker, who facilitated the first discussion.

Panelists offered their thoughts on the Centers for Medicare & Medicaid Services (CMS) Innovation Center’s October 2021 Strategy Refresh and opined that the Biden Administration must acknowledge current challenges in its push to promote health equity and multi-payer alignment. They spoke about the importance of addressing health equity and the social determinants of health through value-based care, commented on their organizations’ efforts to treat patients across various population groups, and discussed the role of health care technology innovation in improving coordination of care. In addition, panelists spoke about the vital role that the acute care hospital-at-home program played at the onset of the COVID-19 crisis and the need for CMS to extend waivers for the program that were enacted during the public health emergency.

During the second session led by Partner and Crowell Health Solutions President and Managing Director Jodi Daniel, panelists discussed health data privacy issues as well as telehealth, artificial intelligence (AI) and machine learning, and other health technology innovations. “Understanding the challenges, opportunities, and pitfalls regarding data privacy is important. Technology innovation relies on access to data. We must address the patchwork of state laws around data privacy in the United States,” said Jodi Daniel.

Panelists emphasized the need for a more comprehensive data privacy statute at the federal level and discussed the provisions proposed in the American Data Privacy and Protection Act (H.R.8152), which would establish a national data privacy framework. They discussed how the bill would impact the health care industry and interact with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Panelists stated that there needs to be additional data privacy guidance, especially with respect to data not covered by HIPAA, following the release of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

Additionally, panelists stated that federal statute is needed in order for certainty to develop health innovation and spoke about using AI to bridge gaps in health equity and using data that is representative of the entire population. They also discussed the potential for substantial cost savings by reducing diagnostic error through AI and machine learning innovation. 

The Crowell HealthTech Forum was co-organized by Crowell & Moring and Crowell Health Solutions, which is a strategic consulting firm focused on helping clients to pursue and deliver innovative alternatives to the traditional approaches of providing and paying for health care, including through digital health, health equity, and value-based health care. 

On September 28, 2022, the Food and Drug Administration (FDA) issued Clinical Decision Support Software final guidance. The guidance clarifies the agency’s scope of oversight and regulation of clinical decision support software based on the definition of a device in the Federal Food, Drug, and Cosmetic Act (FD&C Act). It also describes the criteria used to assess whether software functions do not meet the definition of a device.

Clarifying Types of Clinical Decision Support Software

Clinical decision support software (CDS), such as software that is designed to provide diagnostic support, clinical guidelines, and alerts to health care professionals and patients, may be categorized as a regulated device, under the FD&C Act, section 201(h).

However, the 21st Century Cures Act carved out an exception for software that does not meet the definition of “device” and is therefore outside FDA’s regulatory authority.  The new guidance describes FDA’s regulatory approach to CDS software functions and clarifies when CDS software functions do not meet the definition of a device under the FD&C Act, section 520(o)(1)(E) by reviewing the four non-device criteria. Also, the FDA advises that its existing digital health policies, including guidance regarding enforcement discretion, continue to apply to those clinical decision support software functions that do meet the definition of a device.

The final guidance not only responds to comments received from the 2019 publication of the FDA’s Draft Guidance on Clinical Decision Support Software (found here), but also narrows its scope to focus largely on the CDS software functions that do not meet the FD&C Act’s definition of a device. While the 2019 draft guidance discussed such non-device CDS software, it also: (1) explained the FDA’s approach to software that may technically meet the definition of a device but may not require FDA oversight because of the risk analysis outlined in the International Medical Device Regulators Forum (IMDRF) final document; (2) included an explanation of software that does meet the device definition and will likely be the subject of oversight, whether it is CDS or not; and (3) broadly considered health care professionals (HCPs), patients, and caregivers, in contrast to the final guidance, which focuses largely on software used by HCPs.

Defining Non-Device Clinical Decision Support Software

The FDA explains that if CDS software meets all of the following criteria under section 520(o)(1)(E) of the FD&C Act, it is excluded from the definition of a device and is therefore not regulated as a device by the FDA:

  1. It is not intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system;
  2. It is intended for the purpose of displaying, analyzing, or printing medical information about a patient or other medical information (such as peer-reviewed clinical studies and clinical practice guidelines);
  3. It is intended for the purpose of supporting or providing recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition; and
  4. It is intended for the purpose of enabling such health care professional to independently review the basis for such recommendations that such software presents so that it is not the intent that such health care professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.

The FDA interprets each of the four non-device criteria in detail and shares multiple examples for clarification.

Criterion 1

First, for criterion 1, the FDA explains that if software functions use input data such as medical images or signals from in vitro diagnostic devices (IVDs) or patterns or signals from signal acquisition systems, such products continue to be regulated as devices.

  • Medical images include images produced by medical imaging systems such as ultrasounds, x-rays, and more. The definition covers software functions that ultimately use medical images for medical purposes even if the images were not originally intended for such purposes.
  • Signals that either require the use of an IVD or signal acquisition system for medical purposes are also included in the device definition. Examples include electrocardiogram (ECG) leads used with software to generate signals, specimen samples studied using software such as digital pathology, and more.   
  • Patterns include multiple, sequential, or repeated measurements of a signal. For example, assays and instruments that produce signals for continuous glucose monitors (CGMs) generate patterns in the form of repeated glucose measurements.

Importantly, software functions that interpret the clinical relevance of medical images, signals, or patterns do not satisfy criterion 1 because they still acquire, process, and analyze the same input data described above. Thus, they are within the definition of device according to the FDA. However, some activity monitors or other signal acquisition systems that measure physiological parameters are not specifically intended or marketed for a purpose identified in the device definition (i.e., for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease) and are not medical devices.

Criterion 2

Next, the FDA interprets criterion 2 as excluding software functions from the definition of device if they are intended to use medical information, such as patient medical information, peer-reviewed clinical studies, and clinical practice guidelines, as input data, as long as the software also meets the other three criteria described here.

  • Medical information about the patient includes information used to inform clinical decision making between HCPs or between HCPs and patients.
  • Other medical information means information that is “independently verified and validated as accurate, reliable, not omitting material information, and supported by evidence.”

Notably, for the FDA, the distinction between a device and a non-device may come down to the frequency of any given measurement. As the FDA clarifies, one blood glucose lab test is considered medical information under criterion 2, while repeated measures from a continuous glucose monitor constitute a pattern or signal under criterion 1.

Criterion 3

Criterion 3 excludes software from the device definition if it provides patient-specific recommendations to be interpreted by an HCP without explicitly directing the professional’s judgment. Examples of software functions that are intended to support or provide recommendations to an HCP about the “prevention, diagnosis, or treatment of a disease or condition,” include drug formulary guidelines, evidence-based clinical order sets for an HCP, clinical guidelines, reminders for preventative care, and patient data reports such as discharge papers.

The FDA uses two key characteristics to assess whether software is truly used to support an HCP: (1) the level of software automation, and (2) the time-sensitive nature of the HCP’s decision making. High levels of these two characteristics suggest that the software is more likely to replace the HCP’s judgment instead of supporting it, possibly making the HCP more susceptible to automation bias. Specifically, criterion 3 includes software that:

  1. Provides condition-, disease-, and/or patient-specific information and options to an HCP to enhance, inform and/or influence a health care decision;
  2. Does not provide a specific preventive, diagnostic, or treatment output or directive;
  3. Is not intended to support time-critical decision-making; and
  4. Is not intended to replace or direct the HCP’s judgment.

The specificity of information provided by the software, such as the provision of a specific treatment course, plays a critical role in the FDA’s assessment of criterion 3. The more specific the software’s output is, the more likely the FDA will find that it replaces rather than supports the HCP’s decision making. Software that provides risk probability of a health condition is also interpreted as providing too specific an output and fails criterion 3. Additionally, software that provides recommendations to patients and caregivers instead of health care professionals is also classified as a device.

Criterion 4

Finally, in order to meet criterion 4, the software must enable the HCP to independently review the basis of its recommendations. The FDA advises that overall, the software product or its labeling should provide the basis for its findings in plain language so that the HCP may independently evaluate the basis of recommendations. Also, similar analysis of time sensitivity in decision making used in criterion 3 applies to criterion 4.

More specifically, the FDA recommends taking the following measures to meet the fourth criterion:

  1. The software or labeling include the purpose or intended use of the product, including the intended HCP user and intended patient population.
  2. The software or labeling identify the required input medical information, with plain language instructions on how the inputs should be obtained, their relevance, and data quality requirements.
  3. The software or labeling provide a plain language description of the underlying algorithm development and validation that forms the basis for the CDS implementation, including:
    • A summary of the logic or methods relied upon to provide the recommendations (e.g., meta-analysis of clinical studies, expert panel, statistical modeling, AI/ML techniques);
    • A description of the data relied upon so that an HCP can assess whether the data is representative of their patient population (e.g., relevant sub-groups, disease conditions, collection sites, sex, gender, ethnicity) and assess if best practices were followed (e.g., independent development and validation datasets); and
    • A description of the results from clinical studies conducted to validate the algorithm/recommendations so that an HCP can assess the potential performance and limitations when applied to their patients (e.g., sub-populations with untested or highly variable algorithm performance).
  4. The software output provides the HCP user with relevant patient-specific information and other knowns/unknowns for consideration (e.g., missing, corrupted, or unexpected input data values) that will enable the HCP to independently review the basis for the recommendations and apply their judgment when making the final decision.


The FDA’s longstanding oversight of software that meets the definition of a device continues to apply to a subset of clinical decision support software. However, the final issued guidance clarifies the FDA’s interpretation of statutory criteria used to determine that a software function does not meet the definition of a device. The guidance extensively describes the FDA’s interpretative approach, contains a number of factors and considerations that will contribute to a determination as to whether CDS software is a device subject to FDA oversight or not, and contains numerous examples of device and non-device CDS based on the section 520(o)(1)(E)(iii) criteria.

In addition to regulatory engagement and compliance, there are other practical, business, and legal implications of designing, selling, and using CDS software. For example,

  • Will CDS software designers, sellers and users become targets of traditional product liability litigation?
  • If so, will courts will permit these products and their designers, sellers, and / or users to be subject to states’ traditional strict products liability regimes and associated defenses?
  • Can entities in the supply chain for CDS software use contractual provisions such as indemnification to plan for the allocation of liability before a lawsuit is filed? 

As entities are considering this complex regulatory positioning and other relevant guidance regarding FDA oversight and enforcement discretion related to CDS and other software, we are available to advise on how FDA may view a particular product and the steps needed for compliance. We are also following the developing landscape for liability and litigation related to CDS software, and are available to advise entities on how to navigate these issues.