New FDA MDDS Regulation: Fix or Folly?

Dennis Rubenacker

FDA promulgated the Medical Device Data System (MDDS) regulation in the Federal Register on February 15, 2011 to address the regulatory status of systems and software that, for example, interface data output from medical devices as a conduit to lab information and hospital information systems, which may include medical device data in patient electronic health records (EHR).

As defined in 21 CFR Part 880.6310, the new MDDS standard regulates medical devices, not used in connection with active patient monitoring, that transfer, store, or convert a data format to a preset specification, or display medical device data without controlling or altering the functions or parameters of any interfaced medical devices. Components of an MDDS may include software, electronic, or electrical hardware, communications medium (including wireless hardware, modems, and interfaces), and communications protocols. While an MDDS is exempt from 510(k) clearance requirements, manufactures are not exempt from 21 CFR Part 820, the Quality System Regulation, or other medical device-related FDA regulations such as a 21 CFR Part 803 requirements for medical device reporting.

From a historical perspective, in 1989, FDA published a draft guidance document, “FDA Policy for the Regulation of Computer Products,” that provided guidance to determine whether a computer- or software-based product could be a medical device, which became known as the FDA “Draft Software Policy.” The policy never became an official guidance, and regulation of MDDS type systems and software continued to be confusing and appeared to be subjective in many cases. In theory, some larger manufacturers of systems that interfaced medical device data, potentially as a marketing advantage, may have used the 510(k) process to demonstrate substantial equivalency to alternative intended uses, contrary to what the current MDDS regulation states. At the same time, smaller competitive manufacturers seemed to ignore any FDA regulatory implications related to their MDDS like products.

Thus, FDA has decided to fix the uncertainty surrounding the regulatory status of MDDS type products with the new MDDS regulation. At first blush, the regulation does that, as larger and smaller companies that supply systems intended to interface medical device data per the MDDS regulation are required to register with FDA as an establishment subject to FDA inspection and list devices since the May 18, 2011 deadline. In addition, by April 18, 2012, all MDDS manufacturers are required to implement a compliant quality system per 21 CFR Part 820 and begin reporting adverse events per the 21 CFR Part 803 regulations.

Now comes the folly. FDA has decided the MDDS regulation also covers healthcare facilities that incorporate custom interfaces, for example, from medical devices to patient EHR type systems, which meet the MDDS definition. In many cases, the customized interfaces may be implemented by the healthcare facility’s IT staff or their retained consultants, with the potential scope of applicability including hospitals, clinics, group physician practices, dentists, optometrists, and chiropractors. These systems most likely are not typically marketed in interstate commerce and are under the purview of the healthcare facility as used in the practice of medicine.

The MDDS regulation itself does not specifically address healthcare facilities and is very open in scope. FDA guidance, as included in the preamble to the MDDS regulation in the Federal Register and as subsequently provided on the FDA Website for the MDDS regulation, specifically requires all healthcare facilities that implement custom MDDS type interfaces to register their establishments as medical device manufacturers subject to FDA inspection per the Quality System Regulation and medical device reporting requirements. Although potentially a multitude of healthcare facilities have implemented custom MDDS systems, only a few have registered as medical device manufacturing establishments since the May 18, 2011 deadline.

A scenario is likely that most healthcare facilities are unaware of their FDA regulatory responsibilities, especially small clinics or private practices that may have customized interfaces between medical devices and their patient EHR systems. If they are aware, the culture of providing healthcare versus manufacturing medical device type products is potentially foreign and daunting. Do healthcare facilities really have an organization structure to support the establishment of a full quality system to address management responsibility, corrective and preventive action, production and process control, and maintaining records such as the device master record, device history records, design history file, complaint files, and medical device reporting? Will a dental hygienist be the management representative, and will a dentist be the management with executive responsibility?

Another puzzling scenario may be the daunting task for FDA to schedule the multitude of potential inspections of healthcare facilities that incorporate customized MDDS type systems. With continual limited budget and resources, FDA historically has appeared to have difficulty in ever meeting its mandate to inspect each medical device manufacturer every two years. How will adding inspection authority over the potentially very high number of healthcare facilities with low risk MDDS type devices affect the FDA inspection coverage of all of the other devices including the higher risk medical devices? Also, how will FDA address penalizing those healthcare facilities that do not register as an FDA establishment or list their interfaces, since those healthcare facilities would be most likely violating the Food, Drug & Cosmetic Act as related to adulterated devices in use? Would FDA then shut down hospitals or private physician and dental practices that utilize customized MDDS systems that do not comply?

To summarize, FDA has implemented the MDDS regulation as a potentially prudent fix that will require manufacturers of MDDS products actually marketed and sold in interstate commerce to register with FDA as medical device manufacturers and list their medical devices, and establish a quality system for compliance to the FDA medical device Quality System Regulation and medical device reporting requirements. On the other hand, it will certainly be interesting over time to see how the FDA folly of requiring the same from all healthcare facilities that implement their own customized MDDS type interfaces turns out.

Dennis Rubenacker is co-founder and senior partner of Noblitt & Rueland, which provides consulting and training services for medical device and IVD manufacturers. Rubenacker specializes in software validation, FDA electronic recordkeeping, design control, risk assessment, software development, and software quality management for the medical device industry. He has extensive experience dealing with product development, software development, software quality assurance, and software verification and validation for IVD and medical device instrumentation and automated processes. His medical product line experience includes clinical chemistry analyzers, immunoassay analyzers, microbiology analyzers, glucose monitors, and OTC diagnostic devices. Rubenacker has assisted international companies ranging in size from less than $1 million in sales to Fortune 100 companies. He received his BS in electrical engineering with highest honors from the University of Illinois and is a member of the Institute for Electrical and Electronic Engineers, RAPS, OCRA, and ASQ. He can be contacted via e-mail at