Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

What would be the regulatory requirements if billing software is made part of medical device ? Are there any standards /regulations that need to be followed?

Thanks

Hi Anonymous.

The simplest question here is - "Does the billing software have any medical purpose or is it to allow for simplification of billing activities?"  In other words does the billing software have any link whatsoever to the medical purpose for the device?  If not, and if it does not create any specific new vulnerabilities to the integrity of the data or the device's functioning then FDA likely will not worry about that piece of the software coding.  However, I will caution that you should consider whether this billing software could cause or allow a person to hack into the medical device itself and either obtain, manipulate or delete patient data or control or manipulate the preset controls for the device.  This to me would be a new vulnerability that you would likely be responsible for mitigating/eliminating.

While FDA might not have any specific issues with your software if the above is not applicable, there are other regulations from FTC, FCC, and potentially the banking regulators regarding encryption of payment methods, etc.  You should speak with someone more experience and better versed in these areas to see what you are required to do for these regulatory groups as I cannot speak on this part of the topic from experience.

------------------------------
Victor Mencarelli
Director Regulatory Affairs
United States
------------------------------

Original Message:
Sent: 16-Nov-2019 02:24
From: Anonymous Member
Subject: Billing software as part of medical device

This message was posted by a user wishing to remain anonymous

What would be the regulatory requirements if billing software is made part of medical device ? Are there any standards /regulations that need to be followed?

Thanks

This message was posted by a user wishing to remain anonymous

Hi Victor ,

Thanks for your response , the billing package only includes the user (physician )details , no patient details are included. Its a prepaid billing package which  does not allow the user to begin a new treatment after a certain grace period.

Thanks,
Original Message:
Sent: 19-Nov-2019 08:47
From: Victor Mencarelli
Subject: Billing software as part of medical device

Hi Anonymous.

The simplest question here is - "Does the billing software have any medical purpose or is it to allow for simplification of billing activities?"  In other words does the billing software have any link whatsoever to the medical purpose for the device?  If not, and if it does not create any specific new vulnerabilities to the integrity of the data or the device's functioning then FDA likely will not worry about that piece of the software coding.  However, I will caution that you should consider whether this billing software could cause or allow a person to hack into the medical device itself and either obtain, manipulate or delete patient data or control or manipulate the preset controls for the device.  This to me would be a new vulnerability that you would likely be responsible for mitigating/eliminating.

While FDA might not have any specific issues with your software if the above is not applicable, there are other regulations from FTC, FCC, and potentially the banking regulators regarding encryption of payment methods, etc.  You should speak with someone more experience and better versed in these areas to see what you are required to do for these regulatory groups as I cannot speak on this part of the topic from experience.

------------------------------
Victor Mencarelli
Director Regulatory Affairs
United States

Original Message:
Sent: 16-Nov-2019 02:24
From: Anonymous Member
Subject: Billing software as part of medical device

This message was posted by a user wishing to remain anonymous

What would be the regulatory requirements if billing software is made part of medical device ? Are there any standards /regulations that need to be followed?

Thanks

OK.  So if no patient information is entered into the system that still doesn't mean that you are free and clear entirely.  The user's data is still there so it would, in my opinion need to be safeguarded (especially think about California or the EU privacy laws!) and you would still need to ensure that there is no way for someone to hack into the system through your billing code and hijack the treatment that has been initiated/set up by the user.  If there is any way that could happen, I could see some significant questions from FDA at some point (maybe not on initial review but believe me if they hear about people's treatment being manipulated somehow, they will come find you and ask lots of questions!).​

------------------------------
Victor Mencarelli
Director Regulatory Affairs
United States
------------------------------

Original Message:
Sent: 19-Nov-2019 17:37
From: Anonymous Member
Subject: Billing software as part of medical device

This message was posted by a user wishing to remain anonymous

Hi Victor ,

Thanks for your response , the billing package only includes the user (physician )details , no patient details are included. Its a prepaid billing package which  does not allow the user to begin a new treatment after a certain grace period.

Thanks,
Original Message:
Sent: 19-Nov-2019 08:47
From: Victor Mencarelli
Subject: Billing software as part of medical device

Hi Anonymous.

The simplest question here is - "Does the billing software have any medical purpose or is it to allow for simplification of billing activities?"  In other words does the billing software have any link whatsoever to the medical purpose for the device?  If not, and if it does not create any specific new vulnerabilities to the integrity of the data or the device's functioning then FDA likely will not worry about that piece of the software coding.  However, I will caution that you should consider whether this billing software could cause or allow a person to hack into the medical device itself and either obtain, manipulate or delete patient data or control or manipulate the preset controls for the device.  This to me would be a new vulnerability that you would likely be responsible for mitigating/eliminating.

While FDA might not have any specific issues with your software if the above is not applicable, there are other regulations from FTC, FCC, and potentially the banking regulators regarding encryption of payment methods, etc.  You should speak with someone more experience and better versed in these areas to see what you are required to do for these regulatory groups as I cannot speak on this part of the topic from experience.

------------------------------
Victor Mencarelli
Director Regulatory Affairs
United States

Original Message:
Sent: 16-Nov-2019 02:24
From: Anonymous Member
Subject: Billing software as part of medical device

This message was posted by a user wishing to remain anonymous

What would be the regulatory requirements if billing software is made part of medical device ? Are there any standards /regulations that need to be followed?

Thanks

This message was posted by a user wishing to remain anonymous

Thanks Victor , yes that's a good point !
Original Message:
Sent: 20-Nov-2019 08:34
From: Victor Mencarelli
Subject: Billing software as part of medical device

OK.  So if no patient information is entered into the system that still doesn't mean that you are free and clear entirely.  The user's data is still there so it would, in my opinion need to be safeguarded (especially think about California or the EU privacy laws!) and you would still need to ensure that there is no way for someone to hack into the system through your billing code and hijack the treatment that has been initiated/set up by the user.  If there is any way that could happen, I could see some significant questions from FDA at some point (maybe not on initial review but believe me if they hear about people's treatment being manipulated somehow, they will come find you and ask lots of questions!).​

------------------------------
Victor Mencarelli
Director Regulatory Affairs
United States

Original Message:
Sent: 19-Nov-2019 17:37
From: Anonymous Member
Subject: Billing software as part of medical device

This message was posted by a user wishing to remain anonymous

Hi Victor ,

Thanks for your response , the billing package only includes the user (physician )details , no patient details are included. Its a prepaid billing package which  does not allow the user to begin a new treatment after a certain grace period.

Thanks,
Original Message:
Sent: 19-Nov-2019 08:47
From: Victor Mencarelli
Subject: Billing software as part of medical device

Hi Anonymous.

The simplest question here is - "Does the billing software have any medical purpose or is it to allow for simplification of billing activities?"  In other words does the billing software have any link whatsoever to the medical purpose for the device?  If not, and if it does not create any specific new vulnerabilities to the integrity of the data or the device's functioning then FDA likely will not worry about that piece of the software coding.  However, I will caution that you should consider whether this billing software could cause or allow a person to hack into the medical device itself and either obtain, manipulate or delete patient data or control or manipulate the preset controls for the device.  This to me would be a new vulnerability that you would likely be responsible for mitigating/eliminating.

While FDA might not have any specific issues with your software if the above is not applicable, there are other regulations from FTC, FCC, and potentially the banking regulators regarding encryption of payment methods, etc.  You should speak with someone more experience and better versed in these areas to see what you are required to do for these regulatory groups as I cannot speak on this part of the topic from experience.

------------------------------
Victor Mencarelli
Director Regulatory Affairs
United States

Original Message:
Sent: 16-Nov-2019 02:24
From: Anonymous Member
Subject: Billing software as part of medical device

This message was posted by a user wishing to remain anonymous

What would be the regulatory requirements if billing software is made part of medical device ? Are there any standards /regulations that need to be followed?

Thanks