Clinical Decision Support Software: FDA Regulation and Exemptions
The 21st Century Cures Act (Section 3060) excludes certain clinical decision support (CDS) software functions from the device definition if the software meets all four statutory criteria. Those criteria require the software to avoid image or signal analysis, display or analyze medical information, support recommendations to a healthcare professional, and enable the professional to independently review the basis for the recommendation. All four criteria must be met. If any criterion is not met, the software function may remain a device. FDA's January 2026 final guidance explains how the agency interprets these criteria.
Key Takeaways
Key Takeaways
- The Cures Act CDS exclusion requires all four criteria to be met conjunctively — failing any single criterion means the software may be regulated as a medical device.
- Criterion 1 excludes all software that processes medical images, IVD signals, or physiological signals, regardless of whether the other three criteria are met.
- Criterion 4 (transparency) requires the software to show the healthcare professional the basis for its recommendation so they can exercise independent clinical judgment.
- Software modifications (adding image analysis, removing recommendation basis, expanding to patient-facing use) can cause previously exempt CDS to lose its exemption status.
The Regulatory Problem CDS Addresses
Clinical decision support software occupies a regulatory gray zone within the broader SaMD regulatory landscape. Many CDS applications provide information to healthcare professionals that could influence clinical decisions, but the software does not directly diagnose or treat patients. Before the 21st Century Cures Act, the regulatory status of CDS software was uncertain, creating compliance challenges for both developers and healthcare institutions.
The challenge: if all software that provides clinical information is regulated as a medical device, the regulatory burden would extend to electronic health record (EHR) systems, clinical guidelines databases, drug interaction checkers, and many other widely used health IT tools. Conversely, if no CDS is regulated, high-risk autonomous diagnostic software could avoid regulatory oversight.
The Cures Act attempted to draw a line between CDS that should be regulated (because it replaces or supplants clinical judgment) and CDS that should be exempt (because it supports clinical judgment while maintaining the healthcare professional's independent role).
The 21st Century Cures Act, Section 3060
Section 3060 of the 21st Century Cures Act (Public Law 114-255, December 13, 2016) amended Section 520(o) of the FD&C Act to exclude certain software functions from the definition of a medical device. The CDS exclusion is one of several software function exclusions created by the Cures Act.
The Four Criteria
For CDS software to qualify for the Cures Act exclusion, it must meet ALL FOUR of the following criteria:
Criterion 1: The software function is NOT intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system.
Criterion 2: The software function IS intended for the purpose of displaying, analyzing, or printing medical information about a patient or other medical information (such as clinical evidence, clinical guidelines, or patient-specific information from a patient's health record).
Criterion 3: The software function IS intended for the purpose of supporting or providing recommendations to a healthcare professional about prevention, diagnosis, or treatment of a disease or condition.
Criterion 4: The software function IS intended for the purpose of enabling such healthcare professional to independently review the basis for such recommendations that such software presents so that it is not the intent that such healthcare professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient without independently reviewing the basis for such recommendations.
Critical Interpretation Points
All four criteria are conjunctive. The software must satisfy every criterion. Failing any single criterion means the software does not qualify for the CDS exclusion and may be regulated as a medical device.
Criterion 1 is a negative requirement. The software must NOT process medical images or IVD signals. This criterion excludes all radiological AI, pathology AI, and IVD data interpretation software from the CDS exemption, regardless of whether the other three criteria are met.
Criterion 4 is the "transparency" requirement. The software must enable the healthcare professional to understand why the recommendation was made, so the professional can exercise independent clinical judgment. Software that provides a recommendation without explaining the underlying logic or data does not meet this criterion.
FDA Guidance on CDS
The January 2026 Final Guidance
FDA issued the final guidance "Clinical Decision Support Software: Guidance for Industry and Food and Drug Administration Staff" in January 2026. That document describes FDA's current interpretation of the statutory CDS criteria and includes examples of software functions that may fall inside or outside the section 520(o)(1)(E) exclusion.
Criterion 1: Not Acquiring, Processing, or Analyzing Images or Signals
FDA interprets "acquire, process, or analyze" broadly:
Acquiring: Capturing or receiving a medical image or signal directly from a device or imaging system. Software that receives raw DICOM data from a CT scanner is acquiring a medical image.
Processing: Performing any computational operation on a medical image or signal, including filtering, enhancement, compression, segmentation, or registration. Software that applies a noise reduction filter to an ultrasound image is processing a medical image.
Analyzing: Interpreting or extracting clinical information from a medical image or signal. Software that identifies regions of interest in a pathology slide is analyzing a medical image.
What counts as a "medical image": FDA interprets "medical image" broadly to include radiological images (X-ray, CT, MRI, ultrasound, PET), pathology images (histology, cytology), dermatological images (clinical photographs used for diagnosis), ophthalmologic images (fundus photos, OCT), and any other visual representation of anatomical or physiological data acquired for clinical purposes.
What counts as a "signal from an IVD device": Output data from in vitro diagnostic devices, including quantitative test results, waveforms, and raw analytical signals.
What counts as a "signal from a signal acquisition system": Physiological signals such as ECG, EEG, EMG, pulse oximetry, and other electronic monitoring data.
Consequence: Any software that processes images or signals fails Criterion 1, regardless of the software's other characteristics. This single criterion excludes all AI/ML-based image analysis, all signal interpretation software, and all IVD data analysis software from the CDS exemption.
Criterion 2: Displaying, Analyzing, or Printing Medical Information
This criterion requires that the software work with "medical information," which FDA interprets to include:
- Patient-specific clinical data from health records
- Clinical evidence (published literature, meta-analyses)
- Clinical practice guidelines
- Drug formulary information
- Laboratory reference ranges
- Population health data and epidemiological information
The software must actively display, analyze, or present this information, not simply store or transmit it (storage and transmission are covered by a separate Cures Act exclusion).
Criterion 3: Supporting or Providing Recommendations to Healthcare Professionals
This criterion requires that:
- The software provides recommendations (not just data)
- The recommendations are directed to healthcare professionals (not patients or non-clinical users)
- The recommendations relate to prevention, diagnosis, or treatment
Healthcare professional limitation: CDS software directed at patients or non-clinical users does not meet Criterion 3, even if the information provided is identical to what would be provided to a healthcare professional. Software intended for patient self-diagnosis is not CDS-exempt.
Recommendation vs. directive: The software must provide recommendations that the healthcare professional considers, not directives that automate clinical decisions. Software that automatically adjusts a drug dose without clinician review is not "supporting or providing recommendations."
Criterion 4: Enabling Independent Review of the Basis
This is the most complex and nuanced criterion. FDA's guidance identifies several key elements:
"Independently review the basis": The healthcare professional must be able to understand WHY the software made the recommendation. The software must provide enough information for the professional to evaluate the recommendation's validity using their own clinical judgment and knowledge.
What constitutes sufficient basis:
| Sufficient | Insufficient |
|---|---|
| Software shows the clinical guideline or evidence source supporting the recommendation | Software provides a recommendation without citing any source |
| Software displays the patient data points that triggered the recommendation | Software provides a recommendation based on undisclosed algorithmic logic |
| Software shows the logic chain from data inputs to recommendation | Software provides a "black box" output with no explanation |
| Software provides a risk score with the underlying risk factors identified | Software provides a risk score without identifying contributing factors |
"Not the intent that such healthcare professional rely primarily on": The software must not be designed so that the healthcare professional is expected to follow the recommendation without independent evaluation. Features that suggest primary reliance include:
- Automatic execution of recommendations without confirmation
- User interface designs that make it difficult to override recommendations
- Workflow integration that assumes acceptance of recommendations
- Marketing claims suggesting the software replaces clinical judgment
Time-Critical CDS
FDA's guidance addresses time-critical CDS specifically. Some CDS operates in time-critical clinical situations where delaying action to review the basis for a recommendation could harm the patient (e.g., sepsis alerts, critical lab value notifications, drug allergy alerts).
FDA's position: time-critical CDS is not automatically excluded from the Cures Act exemption, but the practical reality of time pressure may make it difficult to satisfy Criterion 4. If the clinical situation does not allow time for independent review, the software is designed for primary reliance rather than supported decision-making.
FDA has indicated that some time-critical CDS can still meet Criterion 4 if the basis for the recommendation is presented concurrently and can be rapidly assessed (e.g., a drug allergy alert that displays the specific allergy from the patient record alongside the recommendation to change the medication).
Examples: Exempt vs Non-Exempt CDS
Exempt CDS (Meets All Four Criteria)
| Software Function | Why Exempt |
|---|---|
| Drug-drug interaction checker that displays the interacting drugs, severity, and clinical guideline reference | C1: No image/signal processing. C2: Displays medical information. C3: Recommends to HCP. C4: Shows specific drugs and guideline source. |
| Clinical guideline engine that recommends screening intervals based on patient demographics and risk factors, with guideline citations | C1: No image/signal. C2: Analyzes patient data against guidelines. C3: Recommends to HCP. C4: Cites specific guideline and shows risk factor inputs. |
| Dosing calculator that recommends drug dose based on weight, renal function, and published dosing guidelines, showing the calculation | C1: No image/signal. C2: Analyzes patient data. C3: Recommends dose to HCP. C4: Shows calculation method and source guideline. |
| Lab result notification system that flags abnormal values and links to clinical reference ranges | C1: Displays lab results, does not process IVD signals directly. C2: Displays medical information. C3: Supports HCP. C4: Shows reference ranges and patient values. |
Non-Exempt CDS (Fails One or More Criteria)
| Software Function | Why Non-Exempt | Criterion Failed |
|---|---|---|
| AI that analyzes chest X-rays and recommends follow-up | Processes medical images | Criterion 1 |
| Software that interprets ECG waveforms and identifies arrhythmias | Processes signals from acquisition system | Criterion 1 |
| Pathology AI that analyzes histology images and provides cancer staging | Processes medical images | Criterion 1 |
| Sepsis prediction algorithm that provides a risk score without showing contributing factors | Does not enable independent review of basis | Criterion 4 |
| Software that automatically adjusts ventilator settings based on patient data | Not providing recommendations to HCP; taking autonomous action | Criterion 3 (and possibly 4) |
| AI that provides disease risk predictions based on undisclosed proprietary algorithms | Black box output, no basis for independent review | Criterion 4 |
| Symptom checker app intended for patient self-diagnosis | Not directed to healthcare professionals | Criterion 3 |
| Drug dosing software that automatically programs an infusion pump | Autonomous action, not recommendation to HCP | Criterion 3 and 4 |
Borderline Cases
| Software Function | Analysis | Likely Status |
|---|---|---|
| EHR-integrated sepsis alert that shows SIRS criteria values and recommends further evaluation | Displays basis (vital signs, lab values, SIRS criteria). Time-critical but basis is reviewable. | Potentially exempt if design enables rapid review |
| Genomic variant interpretation software that classifies variants and recommends treatment, showing evidence | If processing raw sequencing data (signal), fails C1. If receiving pre-processed variant calls, may be exempt. | Depends on input data type |
| Radiology worklist prioritization software that reorders cases but does not interpret images | If it processes images to prioritize (even without providing diagnosis), fails C1. If it uses metadata only (patient demographics, order information), may be exempt. | Depends on whether images are processed |
Implications for Software Developers
Self-Assessment Framework
Developers should systematically evaluate each criterion:
Step 1 (Criterion 1): Does the software receive, process, or analyze any medical image, IVD signal, or physiological signal?
- If yes: STOP. The software is not CDS-exempt. Proceed with device regulatory pathway.
- If no: Continue to Step 2.
Step 2 (Criterion 2): Does the software display, analyze, or print medical information about a patient or other medical information?
- If yes: Continue to Step 3.
- If no: The software may qualify for a different Cures Act exclusion (data display, EHR, etc.) but does not qualify as CDS-exempt.
Step 3 (Criterion 3): Does the software support or provide recommendations to a healthcare professional about prevention, diagnosis, or treatment?
- If yes: Continue to Step 4.
- If no: Not CDS. May be a general health information tool (potentially exempt under a different exclusion) or may be a device.
Step 4 (Criterion 4): Does the software enable the healthcare professional to independently review the basis for the recommendation?
- If yes, and the software is not designed for primary reliance: CDS-exempt.
- If no, or if the software is designed for primary reliance: Not CDS-exempt. May be regulated as a device.
Documentation Requirements
Even though CDS-exempt software is not regulated as a medical device, developers should maintain documentation of their CDS exemption analysis:
| Documentation Element | Purpose |
|---|---|
| Intended use statement | Clearly defines the software's purpose and users |
| Criterion-by-criterion analysis | Documents how each Cures Act criterion is met |
| User interface design rationale | Documents how the UI enables independent review (Criterion 4) |
| Marketing and labeling review | Ensures marketing claims are consistent with CDS exemption |
| Change impact analysis | Evaluates whether software changes affect CDS exemption status |
When CDS-Exempt Status Changes
Software that initially qualifies as CDS-exempt can lose that status through modifications:
| Modification | Impact on CDS Status |
|---|---|
| Adding image analysis capability | Fails Criterion 1; no longer exempt |
| Removing the ability to view recommendation basis | Fails Criterion 4; no longer exempt |
| Expanding to patient-facing use | Fails Criterion 3; no longer exempt |
| Automating actions based on recommendations | May fail Criterion 3 or 4; no longer exempt |
| Changing from recommendation to directive | May fail Criterion 4; no longer exempt |
FDA's Evolving Position on CDS
Areas of Ongoing Discussion
FDA has acknowledged that the Cures Act CDS criteria create interpretive challenges. Areas where FDA's position continues to evolve include:
Machine learning-based CDS: Software that uses ML algorithms to generate recommendations may struggle with Criterion 4 if the ML model is not inherently interpretable. FDA has indicated that for ML-based CDS, the basis for the recommendation must be presented in a way the healthcare professional can evaluate, even if the underlying algorithm is complex.
Population health analytics: Software that analyzes population-level data to recommend resource allocation or care management strategies may or may not meet the CDS criteria, depending on whether it provides patient-specific recommendations to healthcare professionals.
Genomic decision support: Software that interprets genetic variants and recommends treatments occupies a complex space. If the software processes raw sequencing data, it may fail Criterion 1. If it receives pre-processed variant calls and provides guideline-based treatment recommendations with cited evidence, it may qualify as CDS-exempt.
Congressional and Stakeholder Interest
There is ongoing debate about whether the Cures Act criteria appropriately balance innovation and safety. Some stakeholders argue that Criterion 1 is too restrictive (excluding beneficial image-based CDS from exemption), while others argue that Criterion 4 is too permissive (allowing complex algorithms that healthcare professionals cannot meaningfully evaluate).
FDA has noted that it continues to monitor the CDS landscape and may update its guidance as technology evolves and real-world experience accumulates.
Relationship to Other Cures Act Exclusions
The CDS exclusion is one of several software function exclusions under Section 520(o). Other relevant exclusions include:
| Exclusion | Section | Scope |
|---|---|---|
| Administrative support | 520(o)(1)(A) | Scheduling, billing, inventory |
| Healthy lifestyle | 520(o)(1)(B) | General wellness, fitness |
| Electronic patient records | 520(o)(1)(C) | EHR that stores but does not interpret data |
| Data transfer/display | 520(o)(1)(D) | PACS viewers, data format converters |
| CDS (four criteria) | 520(o)(1)(E) | CDS meeting all four criteria |
Software that does not qualify for the CDS exclusion may still qualify for one of the other exclusions. The exclusions are independent and should each be evaluated separately.
Key Regulatory References
| Document | Source | Year |
|---|---|---|
| 21st Century Cures Act, Section 3060 (Public Law 114-255) | U.S. Congress | 2016 |
| Clinical Decision Support Software: Guidance for Industry and FDA Staff | FDA | 2026 (final) |
| Policy for Device Software Functions and Mobile Medical Applications | FDA | 2019 (updated 2022) |
| Section 520(o) FD&C Act (as amended by Cures Act) | U.S. Code | Current |
| Digital Health Policy Navigator: Step 6 (CDS) | FDA | Current |
References
Sources
- Clinical Decision Support Software | FDA
- Policy for Device Software Functions and Mobile Medical Applications | FDA
- Step 6: Is the Software Function Intended to Provide Clinical Decision Support? | FDA
- 21 U.S.C. 360j(o) | Legal Information Institute
- 21st Century Cures Act, Pub. L. 114-255 | Congress.gov