FDA Regulation of Digital Health Tools and Medical Software
The FDA's authority over digital health tools and medical software has expanded substantially as smartphones, cloud platforms, and machine learning algorithms have become embedded in clinical workflows. This page covers how the FDA defines software subject to regulation, the mechanisms by which that oversight is applied, the most common regulatory scenarios encountered by developers and health systems, and the decision boundaries that determine whether a given product requires clearance, approval, or no submission at all.
Definition and scope
The FDA's jurisdiction over software is grounded in the Federal Food, Drug, and Cosmetic Act (FD&C Act), as amended by the 21st Century Cures Act of 2016 (Pub. L. 114-255). That statute explicitly excluded certain low-risk software functions from the definition of a medical device while preserving FDA authority over software that performs clinical diagnostic or therapeutic functions. The result is a tiered regulatory landscape governed primarily by two FDA guidance documents: the 2019 Digital Health Policy Navigator framework and the 2022 Clinical Decision Support Software guidance (FDA, Clinical Decision Support Software Guidance, September 2022).
Software as a Medical Device (SaMD) — a term adopted by the International Medical Device Regulators Forum (IMDRF) — refers to software intended to perform one or more medical purposes without being part of a hardware medical device. The FDA has adopted the IMDRF's SaMD definition and applies it to determine whether a software product falls under the device provisions of the FD&C Act. A mobile application that analyzes electrocardiogram data to detect atrial fibrillation, for example, qualifies as SaMD; a hospital scheduling tool does not.
Congress removed 4 categories of software from the device definition under 21 U.S.C. § 520(o): administrative support software, certain electronic health record functions, general wellness software, and software that qualifies as a lower-risk clinical decision support (CDS) tool (FD&C Act § 520(o), as amended).
How it works
The FDA's Center for Devices and Radiological Health (CDRH) manages software-based device oversight using the same risk-based classification structure applied to physical devices. Software products that qualify as medical devices are assigned to Class I, II, or III based on the risk they pose to patients, which determines the premarket pathway required.
The regulatory process for most SaMD products proceeds as follows:
- Determine device status — Apply the 21st Century Cures Act exclusions and the Clinical Decision Support Software guidance to confirm whether the software meets the statutory definition of a device.
- Classify the device — Identify the applicable product code and device classification under 21 C.F.R. Parts 862–892. Most standalone diagnostic software falls into Class II.
- Select the premarket pathway — Class II software typically requires a 510(k) clearance submission; higher-risk Class III software requires Premarket Approval (PMA); novel low-to-moderate risk software without a predicate may use the De Novo pathway.
- Apply software-specific guidance — CDRH's Guidance for the Content of Premarket Submissions for Device Software Functions (2021) defines the documentation a submission must provide on software architecture, hazard analysis, and verification and validation testing (FDA, Premarket Submissions for Device Software Functions, November 2021).
- Post-market obligations — Cleared or approved software is subject to adverse event reporting, complaint handling under 21 C.F.R. Part 820, and cybersecurity patch management requirements codified in the Consolidated Appropriations Act of 2023 (Pub. L. 117-328, Section 3305).
For AI and machine learning-based SaMD, the FDA issued a discussion paper in 2019 and an action plan in January 2021 outlining a proposed predetermined change control plan framework, which would allow approved algorithms to update iteratively without a new 510(k) submission for each change (FDA, Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device Action Plan, January 2021).
Common scenarios
Three scenarios account for the majority of FDA digital health regulatory interactions:
Scenario 1 — Direct-to-consumer diagnostic apps. A mobile application that uses the device's camera to measure blood oxygen saturation and displays a clinical reading intended to inform treatment decisions is SaMD. It requires a premarket submission and has been the subject of multiple 510(k) clearances, including clearances for pulse oximetry apps reviewed by CDRH under product code DQO.
Scenario 2 — AI-powered image analysis software. Software that analyzes radiological images and flags findings for physician review is regulated as SaMD. The FDA had authorized more than 950 AI/ML-enabled medical device submissions as of the agency's 2024 AI-enabled device listing (FDA, Artificial Intelligence and Machine Learning (AI/ML)-Enabled Medical Devices), the majority of which passed through 510(k) clearance.
Scenario 3 — Clinical decision support tools. A CDS tool that identifies drug-drug interactions and requires clinician review before acting on recommendations may qualify for the non-device CDS exclusion under 21 U.S.C. § 520(o)(1)(E). If the tool instead makes autonomous treatment recommendations without a clinician in the interpretive loop, it falls outside the exclusion and is regulated as a device.
Decision boundaries
The most consequential regulatory boundary is between non-device CDS and device-grade SaMD. The FDA's 2022 CDS guidance identifies 4 criteria that determine whether a CDS tool is excluded from device regulation:
- The software is not intended to acquire, process, or analyze a medical image or signal from an in vitro diagnostic device.
- It displays, analyzes, or prints medical information that is not intended to replace clinical judgment.
- The basis for the software's recommendations is transparent and the clinician does not rely primarily on the software's output.
- The intended use is not for a serious or immediately life-threatening condition or disease.
All 4 criteria must be satisfied for the non-device exclusion to apply. Failure to meet even one criterion moves the product into FDA device jurisdiction.
A second critical boundary separates general wellness products from regulated devices. A fitness tracker measuring step count and sleep patterns is a general wellness product under the FDA's 2016 General Wellness Policy guidance. The same device claiming to diagnose obstructive sleep apnea crosses into regulated SaMD territory.
Cybersecurity is a third boundary, in effect since the passage of the Consolidated Appropriations Act of 2023: a premarket submission filed after March 29, 2023 for any device containing software must include a software bill of materials (SBOM) and a plan for post-market cybersecurity patches as a condition of acceptance (FDA Cybersecurity Guidance, March 2023).