21st Century Cures Act – SCPR SW Impact Analysis

What the 21st Century Cures Act Means for Software Manufacturers

The 21st Century Cures Act (“Cures Act”) was signed into law by the President on December 13, 2016 (Public Law No. 114-255). This article focuses on section 3060 of the new law, “Clarifying Medical Software Regulation.” Other sections of the act address medical devices and pharmaceuticals in general.

Section 3060 of the Cures Act

Section 3060 provides for the exclusion of some types of software from the definition of a medical device. The Federal Food, Drug, and Cosmetic Act has been amended so that software functions intended for the following are not included as devices:

(A) for administrative support of a health care facility, including processing and maintenance of financial records, claims or billing information, appointment schedules, business analytics, information about patient populations, admissions practice and inventory management, analysis of historical claims data to predict future utilization or cost-effectiveness, determination of health benefit eligibility, population health management, and laboratory workflow.

(B) “for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition;”

(C) “to serve as electronic patient records, including patient-provided information, to the extent that such records are intended to transfer, store, convert formats, or display the equivalent of a paper medical chart, so long as” such records “were created, stored, transferred, or reviewed by health care professionals, or by individuals working under supervision of such professionals” and the software “is not intended to interpret or analyze patient records, including medical image data, for the purpose of the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition.”

(D) “for transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results, findings by a health care professional with respect to such data and results, general information about such findings, and general background information about such laboratory test or other device,” unless the software “is intended to interpret or analyze clinical laboratory test or other device data, results, and findings.”

(E) unless the function is intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system, for the purpose of –

  1. displaying, analyzing, or printing medical information about a patient or other medical information (such as peer-reviewed clinical studies and clinical practice guidelines);
  2. supporting or providing recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition; and
  3. enabling such health care professional to independently review the basis for such recommendations that such software presents so that it is not the intent that such health care professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.


SW Impact Analysis

While FDA has not typically regulated the products described in groups A and C above, FDA has previously stated that the items in group B are likely under enforcement discretion. The Cures Act has essentially removed that enforcement discretion: group B products can no longer be considered devices and, as such, are no longer under enforcement discretion.

The products in group D appear to include those meeting the definition of a Medical Device Data System (MDDS), which FDA has previously stated it does not intend to regulate. This group also appears to include laboratory information systems (LIS). LIS have been regulated by FDA as class I devices, which are 510(k) exempt. It is important to note that LIS that simply import, store, and allow for the retrieval of laboratory data are now exempt from FDA quality system regulations. However, if the LIS provides for the interpretation of results, it is still under FDA’s purview. For example, if the LIS obtains results from an IVD and contains an algorithm for interpretation when multiple results are required (reactive + reactive = positive), it is still regulated by FDA.

The products in group E are commonly referred to as “Clinical Decision Support” software, which is now exempt. However, the main exclusion still allows FDA to regulate devices that analyze data from x-rays, MRIs, CAT scans, etc., as well as IVD devices.

While there is still a level of ambiguity about what FDA considers Clinical Decision Support software, that ambiguity may be clarified in the future. In fact, the Cures Act allows FDA to determine that software that would be excluded by the above definitions should nonetheless be regulated. To make that determination, FDA must publish a notification and proposed order in the Federal Register, including its rationale and the evidence on which it is relying for the conclusion that such software should be regulated. The notice must allow for at least 30 days of public comment before FDA issues a final order or withdraws the proposed order.

The Cures Act additionally requires the Secretary of Health and Human Services to publish a report, within two years of enactment of the Cures Act and every two years thereafter, that includes input from industry, consumers, patients, health plans, and other “stakeholders with relevant expertise.” The report must include information about any risks and benefits associated with the software functions provided in the Cures Act, and “summarizes findings regarding the impact of such software functions on patient safety, including best practices to promote safety, education, and competency related to such function.”

While the Cures Act has further clarified the regulatory status of some software products and devices, others, such as Clinical Decision Support software, may need further clarification in the future.

Note: This analysis represents the current opinion of SoftwareCPR regarding interpretation of this Act. We are not a law firm and are not providing a legal opinion, nor can we be sure how FDA and the courts will interpret the various provisions of this Act in the future.

See our other posts about the Cures Act: Medical Device Section 21st Century Cures Act; 21st Century Cures Act – Medical Device Summary; FDA Calls for Comment on Non-Device Software Functions.
