FDA’s Revised CDS Guidance: Opportunities and the Path Forward for EHR Developers

By the EHRA Artificial Intelligence, Public Policy Leadership & Value-based Care and Quality Programs Workgroups

In January 2026, the FDA released revised guidance on Clinical Decision Support (CDS) software, clarifying the scope of the FDA’s oversight of CDS software intended for use by health care professionals, including software identified as artificial intelligence (AI). While the guidance includes some genuine improvements over the previous iterations released in 2022 and 2023, the EHR Association has identified concerns about ambiguous new standards, regulatory overreach, and the potential to negatively affect both innovation and patient care.

Positive Shifts in the 2024 CDS Guidance

The revised guidance takes three meaningful steps forward. 

First, the enforcement discretion policy for single-recommendation CDS is the most helpful aspect of the updated guidance. Many CDS tools, such as risk scores based on clinical guidelines, will fall into this enforcement discretion, which is a practical improvement upon prior positions that multiple options must always be presented to the clinician. Examples in which a single option is appropriate or even necessary include those that reflect care pathways, insurance coverage, and evidence-based practice. 

Second, it no longer differentiates between AI and non-AI CDS. This technology-neutral approach is beneficial because it regulates CDS based on the software’s intended use and risk to patients. It promotes innovation, creates consistent expectations across technologies, and keeps the regulatory framework adaptable as AI continues to evolve. 

Third, it introduces the concept of “independent review” in alignment with the “human in the loop” model. It is a concept we support as a reasonable safeguard for higher-risk CDS functions regardless of AI involvement.

Third, it introduces the concept of “independent review” in alignment with the “human in the loop” model. It is a concept we support as a reasonable safeguard for higher-risk CDS functions regardless of AI involvement.

Ambiguity, New Terms, and Regulatory Overreach

Despite these improvements, the EHR Association membership has three major concerns with the FDA’s recent guidance:

  • “Automation Bias” exceeds statutory authority. The term “automation bias” does not appear in the 21st Century Cures Act as a trigger for the FDA device jurisdiction. The statute requires that a clinician be able to independently review the basis for a recommendation, and the FDA has assumed that providers are unable to do so in a time-critical situation and will instead experience “automation bias.” We are concerned that the FDA is inventing new regulatory concepts without statutory authority and then applying them to EHRs. Notably, the guidance appears to treat even a well-designed, easily interpreted alert as evidence of automation bias, an unreasonable standard that penalizes good design and fails to reflect the numerous factors behind alert logic.
  • “Time Criticality” is vague and overbroad. Like “automation bias,” the term “time criticality” does not appear in the 21st Century Cures statute. The guidance reaffirms that CDS for “critical or life-threatening conditions” requiring action within 24 hours are considered “time-critical” and therefore subject to device regulation.  In emergency departments and other busy clinical environments, 24 hours is a very long window, particularly as many CDS tools trigger every shift or more frequently. This guidance would also pull decades-old, low-risk CDS tools into burdensome device regulation. The FDA compounds the problem in the guidance by listing examples (e.g., citing sepsis and stroke) without clear criteria for what else is in scope.
  • Innovation and existing tools are at risk. Hundreds of long-implemented CDS algorithms could now be classified as medical devices. Many would not be candidates for clinical trials, meaning they would simply be removed from the market. For example, the prospect of removing support for customers’ ability to tailor patient deterioration tools to their patient populations could reduce clinical relevance, introduce patient safety risks, and increase alert fatigue.

The guidance may also inadvertently increase the compliance burden for providers that develop and maintain their own CDS or that configure independently purchased third-party CDS to reflect their organizational policies, as it appears to place responsibility on providers in those circumstances. In the case of third-party CDS delivered via EHRs, the responsibility for compliance is also unclear and warrants careful consideration by regulators.

The guidance may also inadvertently increase the compliance burden for providers that develop and maintain their own CDS or that configure independently purchased third-party CDS to reflect their organizational policies, as it appears to place responsibility on providers in those circumstances.

Aligning with Congressional Intent as Expressed in the 21st Century Cures Act

Congress explicitly carved out most CDS from the medical device definition in the Cures Act, denying the FDA broad authority over these tools. This is affirmed in Patients and Family First: Building the Future of the FDA, released in February by the Senate Health, Education, Labor, and Pensions (HELP) Committee, detailing legislative and regulatory reforms to modernize the FDA. The landmark report in particular rejected the FDA’s authority to categorize CDS tools as medical devices, except in limited circumstances. 

However, the FDA’s 2022 and 2026 guidance both conflict with that statutory boundary, leading the Senate HELP Committee to call for the FDA to operate within the bounds Congress established. It’s a call we fully support.

Ramp Up FDA-ONC Coordination

The majority of EHR developers are already regulated under ONC’s certification program, which governs CDS configuration and transparency. This is precisely the protection the FDA’s guidance seeks to ensure. Yet the two frameworks are increasingly out of alignment. 

The most recent illustration of this disconnect is the HTI-5 proposed rule, which moves away from the DSI transparency framework even as the FDA uses transparency as a device-classification criterion. Without coordination, developers face contradictory obligations. 

The most recent illustration of this disconnect is the HTI-5 proposed rule, which moves away from the DSI transparency framework even as the FDA uses transparency as a device-classification criterion. Without coordination, developers face contradictory obligations. 

The HELP Committee’s report echoes this sentiment, calling on the FDA to “strengthen coordination with key agencies, like the Office of the National Coordinator for Health Information Technology (ONC), and collaborate with manufacturers to ensure compliance with evolving requirements” as it continues implementing new device authorities granted by Congress.

Distinguishing Between CDS vs. CDM

One critical area of concern for the EHR Association is the FDA guidance’s conflation of CDS — which presents information for a clinician to act on — with autonomous Clinical Decision Making (CDM), where software acts without human review. These are fundamentally different. An EHR does not automatically send a prescription to a pharmacy; a clinician reviews any system recommendation and makes the decision. The provider is always in the loop. Treating informational CDS as equivalent to autonomous systems misrepresents how EHRs work and leads to inappropriate device classification.

Recommendations to the FDA

There are some practical realities of CDS development that the FDA must further consider with its guidance. CDS content creation is not monolithic and may come from EHR developers, third-party publishers, and provider organizations. 

Additionally, the ability for provider organizations or individual users to customize CDS is essential to meeting organizational and clinical needs. The FDA’s current approach may force health IT vendors to remove customers’ ability to tailor CDS to their organizational and clinical needs, which, in turn, could increase alert fatigue and reduce the clinical relevance of the information presented.

To address the concerns outlined above, we recommend:

  • Removing or revising non-statutory, arbitrary concepts like “time criticality” and “automation bias,” and reaffirming the congressional carveouts for CDS.
  • Aligning FDA and ONC frameworks to avoid duplicative, conflicting obligations for EHR developers.
  • Formally recognizing the differences between informational CDS and autonomous decision-making systems and more appropriately addressing the latter through separate AI-specific guidance.

Finally, while examples from the FDA are very welcome and help us to understand the agency’s thinking, focusing guidance too narrowly on granular examples can lead to industry confusion about other possible scenarios. Instead, we ask that the FDA increase the provision of consistent, prospective criteria that apply equally to functionally similar tools. While illustrative examples like sepsis and stroke offer useful context, example-based classification will not be able to keep pace with the rapid expansion of AI and ML use cases in clinical settings. Tools that do not map to today’s cited conditions will leave developers and providers without clear guidance on regulatory scope. We also suggest that it is very important to allow sufficient time for industry and stakeholder input before the publication of final guidance documents. Thus, we urge the FDA to also anchor classification in durable, function-based criteria that can scale with the technology rather than reflect a present-day snapshot of its current applications.

We also suggest that it is very important to allow sufficient time for industry and stakeholder input before the publication of final guidance documents. Thus, we urge the FDA to also anchor classification in durable, function-based criteria that can scale with the technology rather than reflect a present-day snapshot of its current applications.

A Call for Practical, Aligned, Innovation-Supporting Oversight

We support appropriate oversight of software that genuinely functions as an autonomous medical device. But the FDA’s January 2026 guidance, as written, overreaches. It mischaracterizes well-designed, clinician-reviewed CDS as device software, contradicts Congressional intent, and puts at risk tools that patients and providers depend on every day.

The EHR Association is committed to working with the FDA, ONC, and Congress to build a regulatory framework that protects patients while supporting the innovation the healthcare system needs. We urge the FDA to significantly revise this guidance before taking further enforcement action.

Leave a comment

Share your thoughts on this topic!

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Categories

  • Follow EHRA on Twitter

  • Enter your email address to follow this blog and receive notifications of new posts by email.

    Join 197 other subscribers
  • Contact Us

    Kasey Nicholoff
    staff @ ehra.org

    Amanda Patanow
    Communications and Media
    ehracomms @ npccs.com