I am not upset at FDA, I am an advocate of Safety. I was introduced to the FDA mechanisms 16 years ago. Maybe I was lucky and had good teachers, but I think it was also the fact that I understand the basics of “Risk Assessment and Management”. When one learns of concept domains that are fundamental risk domains, one learns that there is no shortcuts to addressing that concept domain. I am often explaining that there are many risk domains that must be managed: Safety, Security, Privacy, and Effectiveness. There are frameworks, like for security/privacy there is NIST 800-53, but these just try to get the bulk of concerns out of the way using standards based solutions. These frameworks always are backfilled with risk assessment and management frameworks, such as NIST 800-30 for security.
23andMe was approached by FDA many years ago, 23andMe had plenty of time to learn the proper way to address the Safety risk domain. My experience as a customer of 23andMe is very positive. I am very confident that everything that 23andMe have told me about my health has been done in a very respectful and cautious way. I have spoken to others that are 23andMe customers and gotten the same feedback from them. As an example there are some new studies that they are very careful to walk you through a cautious page that is very clear about the sureness or lack of sureness. As a more visible proof, go to the 23andMe web site right now and see an example of their insistence on informed consent.
Given my experience with 23andMe, and my 16 years of working for a company that is FDA regulated, I struggle with understanding what the current problem is. That said, in my 16 years working for a company that is FDA regulated, I also know that the ‘confidential’ letters that come from the FDA are very detailed and require very specific and auditable actions. Thus there must be one of these letters that 23andMe needs to respond to. We don't know the content, and it can take time to resolve all the issues. I am hopeful that 23andMe will come out of this stronger and with the FDA approval. I certainly hope so.
mHealth innovation vs SafetyThere is much concern that FDA will quash innovation in mHealth. If one only looks at the negative that FDA brings, that of process rigor and paperwork, I can understand the worry. BUT one must look at what this process rigor and paperwork brings relative to protecting patient safety. Safety really must be a high priority. There is much anger about the NY train crash, much press questions asking why there was not automated safety systems, yet a year ago had someone brought up the question of extra money to outfit the trains with automated control systems there would have been outrage.
I just started Bruce Schneier’s latest book “Carry On: Sound Advice from Schneier on Security”. In the first chapter he covers the paradox of how humans when faced with a loss situation will choose large loss with high-risk over a sure small risk. This is referred to as the Prospect Theory. It is not the typical logical approach, but does seem to be proven out as a human approach. It shows why it is hard to use a 'security' feature as a reason to buy one product over another. It is also why it is hard to use a 'safety' feature as a reason. Too often this means fear is used, which is an equally noneffective approach.
mHealth developers should be allowed to develop applications, but they should not be allowed to cause patient harm through negligence. This is all that FDA regulates. One can follow FDA with little overhead. The alternative is to wait for the FDA to force a visible issue like 23andMe; or for a train wreck to happen for which blood is on your hands.