The purpose of this lesson is to familiarize you with the processes related to bringing medical software devices to market and ensuring postmarket compliance. The terminology is important when communicating with clients and regulatory consultants.
Please carefully read the article A Brief Introduction to the United States Medical Software Regulations, for Developers and the articles linked therein. Also peruse the various articles at this FDA website (many of which are linked to by the Innolitics article).
To learn as much as possible from these exercises, write your responses before revealing the provided answers. If any exercises seem irrelevant, you can skip them and instead write a justification as to why they are unimportant. These justifications will help us improve the lesson for future students.
What government agency is responsible for regulating medical devices? Trace its place in the hierarchy of governmental agencies and departments up to the executive branch.
The agency responsible for regulating medical devices is the Center for Devices and Radiological Health (CDRH). The CDRH is under the Food and Drug Administration (FDA), which is in turn under the cabinet-level department of Health and Human Services (HHS).
What is considered a medical device?
Here is a single sentence summary: a medical device is an item intended to treat or diagnose disease or affect the structure or function of the body that does not achieve its effect through chemical action.
A more detailed definition is given in Section 201(h) of the Food, Drug, and Cosmetic Act.
What is considered software as a medical device (SaMD)? What are other types of software (non-SaMD) that are related and used in medical devices?
Quoting the FDA, SaMD is,
Software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.
Related to SaMD are:
What are the kinds of pathways towards marketing a device in the United States and what are the differences between them?
Premarket prefixes many phrases, and it is important to distinguish to what each phrase refers.
What are the differences between
A premarket submission refers to a request for review by the FDA for clearance, approval, or classification, referring to the appropriate market pathway for the device, i.e., 510(k), PMA, or De Novo, respectively. E.g., if a 510(k) submission is successful, it would be called cleared by the FDA but not approved, and a successful PMA would be called approved. Lastly, a 510(k) submission in full is called a premarket notification 510(k).
What is the intended purpose of a quality management system (QMS)?
A quality system is used to show that a postmarket device continues to meet requirements.
In the context of medical devices, what are the differences between regulations, guidance documents, and standards? Write an example of each one.
FDA guidance documents are not legally binding but describe current best practices towards conforming to FDA regulations, which are legally binding federal laws. On the other hand, standards provide a common language that can be used to show a device has certain properties or meets certain criteria. So, standards can ease the process by which a device is demonstrated to follow a guidance document or conform to a regulation.
What act protects protected health information (PHI)?
The Health Insurance Portability and Accountability Act (HIPAA)
How does HIPAA define a covered entity? Is Innolitics a covered entity? Are our clients typically covered entities?
HIPAA defines covered entities as entities belonging to one of the three categories listed below.
An example in the health care provider category would be a medical doctor, and an example under the health plan category is a health insurance company. You can find the rest by following the link in the references below.
Innolitics is not a covered entity, and Innolitics’ clients are usually not covered entities.
What is a business associate and how does one interact with covered entities?
Quoting the HHS,
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
To make a crude analogy, a covered entity is the front-end while business associates are the backend services with respect to PHI. HHS demands that both of these conform to HIPAA regulations.
Open the lesson page in the GitHub editor.
Remove any exercises or learning material that are not useful to the intended audience. Find ways to shorten and clarify the writing. Add generally useful exercises, responses, or learning material. Your improvements will make our training program great!
Create a new branch and pull request and assign it to your lesson mentor. The available lesson mentors are included in the YAML front matter of the lesson. They will set up a time to review your suggested changes and to talk through your exercises for the lesson.
After the review add your self to the "completed" property in the lesson's YAML front matter and merge in your changes!