Let’s Limit the Use of Enforcement Discretion in FDA Policymaking
Bradley Merrill Thompson, RAC
Attorney & Chief Data Scientist Focused on AI Regulation & FDA | Big Ten Angel Investor
I sat in a meeting recently in which FDA staff accused us in industry of speaking out of both sides of our mouths. On the one hand, FDA had heard people in industry criticize the concept of enforcement discretion. On the other hand, they also periodically hear many of the same people in industry requesting enforcement discretion for their products. The suggestion obviously was that we were being hypocritical.
After the meeting I gave the subject a good bit of thought, and at least in my own mind I’ve concluded there’s a vocabulary problem. I think people mean different things when they use the phrase “enforcement discretion.” There is one version of enforcement discretion which I think nearly everyone in industry very much supports, and another which many in industry very much dislike. I’ll explain, but first some background.
The Use of Enforcement Discretion in FDA Medical Device Policymaking
Over the last several years, enforcement discretion has become FDA’s policymaking tool of choice when defining in guidance what gets regulated and what does not. But before that, enforcement discretion was for the most part limited to, in a word, enforcement.
In the enforcement context, enforcement discretion as a concept is as old as the law itself. Since the law began in a formal way, people charged with enforcing the law have been able to exercise their inherent discretion not to enforce the law in every case. In some cases, enforcers are unwilling to push the written law as far as it could be pushed, for example to throw a 10-year-old kid in jail because he stole a car to get away from extremely abusive parents. A prosecutor can conclude that the legislative body did not intend to criminalize that unique set of facts. We’ve all heard of instances where prosecutors have declined to pursue a case because they think fundamentally it’s not fair in that very specific factual case, even though a law was clearly broken. Every time a policeman sees someone driving faster than the posted speed limit – if they don’t issue a ticket – they are exercising enforcement discretion.
But in the policymaking context, enforcement discretion is a relatively new tool at FDA. And it has become a popular one at least in the Center for Devices and Radiological Health. A very large part of the 2015 Mobile Medical Applications guidance is predicated on the decision to put certain software apps that may meet the definition of a medical device in enforcement discretion if the risk is low. The agency took a similar approach in the 2016 guidance on General Wellness: Policy for Low Risk Devices.
Part of what makes this approach necessary is that FDA on the one hand interprets the congressional statute very aggressively and expansively, and then, in almost the same breath, declares that its own interpretation is too expansive and includes too many low risk devices. In other words, in many cases, FDA creates the need for its own so-called enforcement discretion by being overly expansive in its interpretation of congressional directives.
To be fair, another part of what makes this necessary is the extraordinarily wide range of risks that exist within most general labels given to types or categories of medical technologies. For example, the general labels “health information technology” and “mobile medical apps” are extraordinarily broad, and include a wide range of risk profiles. As explained more below, Congress necessarily legislates using broad terms in brief language, and relies on the agency for more detailed definitions of its oversight.
In some cases, FDA has used enforcement discretion in essence to revoke an existing regulation, as the agency did in the context of Medical Device Data Systems. Even though FDA promulgated a very specific regulation, in a Federal Register Notice on February 15, 2011, to place such products in class I and regulate them, FDA said in a February 9, 2015 guidance that it would not enforce its own regulation. In the MDDS guidance, FDA says that the MDDS products meet the statutory definition of a medical device, but FDA doesn’t plan to enforce its requirements against those products because it turns out they are very low risk. By the time Congress took up the 21st Century Cures Act in 2017, FDA had still not even started the process to revoke the outdated regulation.
Why Extended Use of Enforcement Discretion Is a Terrible Idea for Policymaking
But here are the problems with enforcement discretion as a tool of policymaking in the medical device law realm when used – for example in the case of Medical Device Data Systems – to effectively overrule FDA’s own regulation without any intention of revoking the regulation.
Government doesn’t like it when industry cuts corners, and I would submit that government should not cut them either. Yet that is exactly what FDA has been doing.
FDA decided to use enforcement discretion to avoid the cost and other compliance burdens of following the Administrative Procedure Act. Instead of going through rulemaking to revoke regulations that the agency no longer thought were appropriate, the agency would instead simply publish a guidance declaring its intention to ignore its own regulation. But the agency would leave those regulations on the books.
FDA’s approach significantly chills innovation, and causes many other problems. Here are a few of the bigger problems.
- It’s mixing messages.
Watching FDA try to explain this approach in webinars and other public settings has been almost painful. The agency has tried to walk the fine line of, on the one hand, saying that it has no intention of enforcing the law, while on the other hand saying that its exercise of enforcement discretion doesn’t change the law or make the conduct legal. Further, FDA would routinely say that they thought folks should voluntarily follow these requirements, even though the agency has no intention of enforcing them. In my conversations with folks in industry, it seems very few understand what FDA is trying to say.
- It’s equivocal.
Even for those who’ve gone to law school and understand the nuances FDA is trying to communicate, the bottom line is FDA’s equivocating. They are saying on the one hand at least for now they’re willing to take this step, but on the other hand they might change their minds at any time. It is not decisive.
- It’s confusing.
In the new and encouraging world of digital health where great strides are being made to advance the public health, FDA policymakers should be making FDA regulation more accessible to people who come from the traditional IT industry. FDA should not speak in an inscrutable language that is only at best understandable by lawyers and very experienced regulatory professionals.
Those who might be novices in interpreting FDA requirements often do not have sophisticated research skills when it comes to navigating the FDA’s website and all of the information contained on it. It’s this demographic that makes it so important that the information contained on FDA’s website be consistent and clear.
If an IT engineer goes to the FDA website and stumbles upon the MDDS regulation, that engineer would leave the website with the unambiguous understanding that MDDS is FDA regulated. If they never see the FDA guidance, they will have an incorrect understanding of FDA’s present intention. While the 21st Century Cures Act fixed this, FDA’s plan apparently was to continue indefinitely with an out-of-date regulation and a guidance that claimed at least in some sense to undo it.
- It’s illegal.
FDA’s motivation appears to be to try to bypass the Administrative Procedure Act. FDA wanted to remove a regulation without going through the legally required process for removing a regulation. And they wanted to have a quick and easy way to bring a regulation back if they later felt that they had made a mistake. FDA’s approach is simply not legal.
- It’s a legal quagmire.
Regulations on the books are unambiguously binding. They are the law of the land, and would be enforced by any court asked to hear a case. In contrast, a guidance document is not binding, and is not binding even when put in final form. As every guidance document states, not only is it not binding on industry, but the agency is not obliged to follow it either.
In the future, the agency could choose to ignore the guidance and enforce the regulation. To be sure, such a move would bring political criticism, but it would be legal. So FDA is asking industry to accept the legal risk of violating a clear regulation on the basis of a nonbinding guidance document. That’s not right.
- It disrespects the rule of law.
I can’t tell you what kinds of discussions this topic spawned within companies. Nearly every major company has a compliance policy program that says that the company is committed to following the law. So when the company is committed to following the law, what does it mean to have a law on the books as well as a nonbinding guidance document that says that the law will not be enforced? FDA for its part was still saying that the law is the law, just that it didn’t choose to enforce the law on anyone, not just select cases.
Company compliance programs don’t say “we will follow all laws that the government chooses to enforce.” The documents typically simply say that they will follow all laws. Further, if the law is left on the books, large companies can certainly expect it to be thrown in their face by plaintiffs’ lawyers in the event of product liability.
So companies are left wondering whether they are supposed to change their compliance programs to only apply to laws that are enforced. Obviously that’s a very slippery slope, and the rule of law is soon lost.
- It favors the unethical over the ethical.
The bottom line is enforcement discretion served only to help companies that were willing to skirt the law. Law-abiding companies were put at a distinct competitive disadvantage.
This is an unlawful form of government, and it’s what led industry to then seek clarification and certainty from Congress in the form of the 21st Century Cures Act with regard to things like medical device data systems.
The Problem that Needs To Be Solved
Before talking about better approaches, it’s important to have a clear understanding of what FDA was trying to solve through the use of enforcement discretion. To pick an example, one of the greatest issues retarding innovation in the realm of clinical decision support (CDS) software is the uncertainty surrounding the scope of FDA regulation of CDS.
The statutory definition of a medical device includes the following key passage:
“…intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals…”
There is some legitimate ambiguity about whether CDS qualifies as a medical device under that definition. In fact, I’ll be a bit more affirmative. It’s likely that some CDS does meet the definition of a medical device, and some does not.
I’ve heard FDA people joke, rightly so, that the medical device definition is so broad that an ambulance qualifies as a device. I’m not talking about the equipment in the back of an ambulance, but the steering wheel, the front seat, and the tires would all qualify as a medical device. The vehicle itself is intended for use in the treatment of disease or other conditions.
Resolving this ambiguity is absolutely essential to ensuring that innovation in the CDS space can flourish. The question is, does fixing this problem require “enforcement discretion”?
The task of defining the scope of FDA’s regulatory requirements is admittedly a difficult one that historically has required a blending of “definitions of kind” and “definitions of degree.” Typically, in defining what is a medical device worthy of FDA regulation, we begin with definitions of kind – labels that define a kind of product. In this regard, we start to talk about a product that is used in “diagnosis,” or perhaps a product used in “treatment” or in “prevention.” But those labels of kinds of products are always broad and never satisfactory when it comes to specifically defining what merits regulation. Inevitably, within each labeled category are often widely divergent degrees of risk.
So historically, after Congress selects a “kind” of product for FDA to regulate, it then looks to FDA to layer in a division between regulated and unregulated that is based on risk, a “definition of degree.” Congress generally shies away from trying to articulate risk-based degrees because it simply requires too much explanation to be done in a statute. Statutes are high level; agency regulations are supposed to fill in the necessary details. Further, the risk-based assessments require a level of expertise that Congress does not have, and which FDA hopefully does. So Congress looks to FDA to create that additional layer of a risk-based test for the agency to express in the regulations and guidance documents that might be quite lengthy.
This form of governance has worked well in the past. An example of this is the 2012 FDASIA legislation through which Congress directed FDA to adopt a risk-based approach to discerning which health information technology warrants regulation under the medical device definition, and which does not. That was in no way a simple task, and required detailed discussions by experts as well as lengthy analysis of the kind Congress couldn’t do.
A Better Approach
Instead of using enforcement discretion, FDA can adopt a risk-based approach through two different procedural avenues:
1. Interpret ambiguous statutory or regulatory provisions through guidance.
Words are often ambiguous, susceptible of multiple meanings. It is very important that stakeholders know how FDA interprets a given statutory or regulatory requirement. Guidance that more fully explains ambiguous terms – in this case as it relates to the scope of FDA oversight defined in statutes and regulations – is perfectly appropriate. This isn’t enforcement discretion. This is simply an agency articulating how it interprets a given ambiguous term. Let’s call this a clarifying guidance.
2. Lawfully changing the agency’s regulations through the correct administrative process.
FDA has the statutory authority to limit the scope of its requirements through rulemaking. It can exempt any product it deems appropriate from any and all requirements. FDA can place a medical device in class I, and exempt it from quality system, registration, and any other requirements found in its regulations. Furthermore, obviously FDA can revoke regulations such as MDDS that it considers to be outdated.
While this means that a product would still be a medical “device” because it meets the statutory definition, it would remove the regulatory burden, with the exception that companies would still be responsible for any adulteration or misbranding generally of those articles. If a company, for example, cheated and made boastful and unsupported claims about its device, FDA could bring an enforcement action.
But that consequence is no different from the agency’s present version of enforcement discretion. Enforcement discretion is limited to, for example, compliance with quality system requirements and MDR reporting.[1] Enforcement discretion doesn’t remove a product from the medical device category – only Congress can do that. Even in FDA’s present conception of enforcement discretion, it merely makes certain specific regulatory requirements in a sense optional. It did not make the articles un-medical devices.
FDA hasn’t wanted to pursue rulemaking because it claims it is too burdensome. But that’s obviously a statement of relative priorities. Obviously FDA has the money, it just doesn’t want to spend it on that function. So the agency’s claim ought to invite scrutiny with regard to how it is spending its money, if the agency truly suggests that it doesn’t have the financial resources necessary to do a very simple and basic rulemaking.
To be clear, there is a proper use of enforcement discretion in policymaking, but only as a temporary measure while formal rulemaking is underway with full agency commitment to follow through. In that case, it can be useful, appropriate and beneficial to all stakeholders to affect policy more immediately, and not expend agency resources on enforcement while a regulation is actively being removed. It’s the lack of a public agency commitment to rulemaking that is the problem. In the case of MDDS, FDA never did revoke that regulation or make any moves in that direction and that’s what made 21st Century Cures necessary.
Conclusion
As I mentioned, in an FDA meeting the agency accused industry of being hypocritical. On reflection, I came to the conclusion that there was a vocabulary problem. Enforcement discretion seems to come in two flavors, one good and one bad.
- The good one is what I called above clarifying guidance. FDA has been doing this for perhaps most of its 100-year history, and nearly every stakeholder I’ve met believes it is a good thing. The agency simply goes on record to explain how it interprets ambiguous words in the statute or regulation.
- The bad form of enforcement discretion is when FDA uses a guidance document or other informal vehicles to override an explicit FDA regulation. FDA’s guidance document declaring that MDDS was in enforcement discretion in the face of the explicit class I regulation is an example. When FDA doesn’t want to enforce one of its regulations anymore, the proper procedural path is to revoke the regulation, not paper over it with a guidance document predicated on the notion of enforcement discretion. From here on out, I will try to remember to only use the term enforcement discretion to refer to this objectionable activity. And I oppose enforcement discretion (again, acknowledging the benefit of temporary enforcement discretion pending the final revocation of a rule or adoption of a new rule).
It’s interesting, and ironic, but the issue of FDA needing to keep its classifications up-to-date was expressly debated in 2012 as a part of the FDASIA legislative process. Industry had been complaining to FDA that the classification regulations were incomplete and out of date, and FDA was defending itself on the basis that the rulemaking required was too burdensome. So Congress, with FDA and industry support, adopted section 608 of FDASIA to expressly relieve that problem and provide an expedited basis for updating the classification regulations.
So let’s be clear, Congress specifically directed FDA to use the new process found in section 608 of FDASIA to keep its classification regulations up-to-date. But despite that, FDA has been expanding its use of enforcement discretion in guidance documents, even to the point of expressly contradicting a classification regulation. If FDA still believes, notwithstanding section 608, that the classification process is still too burdensome, we can all discuss with Congress ways to expedite that process even further. But this pattern of allowing the classification regulations to become outdated or simply not using the classification regulations when that vehicle is the most suitable has to stop.
FDA should keep on using clarifying guidance, and use regulations to exempt medical devices that do not merit regulatory oversight, instead of applying the shortcut of enforcement discretion to contradict FDA’s own written regulations with no effort to update those regulations.
[1] FDA's Feb 9, 2015 guidance applying enforcement discretion to MDDS specifically said on page 8:
The FDA does not intend to enforce compliance with the regulatory controls that apply to the following devices:
a) MDDS subject to 21 CFR 880.6310,
b) Medical image storage devices subject to 21 CFR 892.2010, and
c) Medical image communications devices subject to 21 CFR 892.2020.
This means that for devices that meet the definitions in the regulations listed above, the FDA does not intend to enforce compliance with the regulatory controls, including registration and listing, premarket review, postmarket reporting, and quality system regulation for manufacturers of these types of devices.
Life Sciences attorney who has been involved in medical technology for over 20 years.
3 years ago: I really appreciate your analysis here.
Management Systems Consultant, Lead Auditor
3 years ago: Very informative and helpful.