Digital Health & SaMD Risk Assessment
Physician and engineer-led assessment for Software-as-a-Medical-Device, AI/ML clinical decision support, and remote patient monitoring. SaMD classification, predetermined change control, CPT reimbursement, and interoperability — in 24–48 hours.
The Problem
Software gets shipped weekly. Clinical validation happens once. AI/ML models drift silently. Reimbursement codes depend on who touches the patient. Cybersecurity is a submission gate, not a deliverable. Diligence that treats SaMD like SaaS misses all of it.
Founders routinely misclassify their own products, calling a Class II SaMD a "wellness app" or putting a CDSS in a non-device bucket. An enforcement letter post-close is not a small problem.
Training cohort not representative, subgroup performance undocumented, no predetermined change control plan, no post-market performance monitoring. FDA now enforces this rather than merely encouraging it.
Connected SaMD submissions filed after October 2023 require an SBOM, a threat model, and a postmarket update plan. Refuse-to-accept is the default response to gaps.
Revenue models built on 99453/99454/99457 without reading the fine print: time requirements, auto-capture exclusions, and setup-code one-shot limits. The margin is much thinner than the pitch shows.
FHIR R4, HL7v2 compatibility, Epic App Orchard / Cerner Code status, SMART on FHIR. IDN procurement stalls on integration, not clinical value.
Pilot sites aren't representative cohorts. RCT-free evidence still has FDA pathways, but payers and IDNs increasingly want comparative-effectiveness data. Most digital health decks don't have it.
SaMD Classes & Digital Health Pathways
The IMDRF SaMD framework classifies software by how it is used and by the severity of the underlying clinical condition. Risk is nonlinear across classes. Our model weights evidence depth accordingly.
Lowest-risk tier. Low-severity conditions, informational role. Often unregulated or 510(k)-exempt. Risk sits in scope creep — slipping toward a higher class without notice.
Directs clinical management in non-serious conditions. Typically 510(k) territory. Clinical validation, cybersecurity, and usability testing dominate the submission.
Drives management in serious or critical conditions. Usually De Novo or 510(k) with heavy clinical evidence. AI/ML validation and PCCP are table stakes.
Highest-risk tier. Diagnosing or treating critical conditions. PMA-level evidence, clinical trials, ongoing performance monitoring, and predetermined change control required.
Digital Health-Specific Score Weights
Same 20-category taxonomy as every vertical. AI/ML validation, cybersecurity, and reimbursement get more room for digital health. Manufacturing gets less. Percentage is relative contribution to the composite score.
| Domain | Weight | What we're looking at |
|---|---|---|
| AI/ML Validation & Monitoring | 22% | Training/validation cohort representativeness, subgroup performance, locked vs adaptive, predetermined change control plan (PCCP), drift detection, post-market performance monitoring |
| Regulatory Pathway & SaMD Class | 18% | SaMD classification rigor, intended-use statement precision, CDSS enforcement-discretion status, 510(k)/De Novo/PMA fit, labeling-to-feature alignment |
| Cybersecurity & Postmarket | 15% | 524B readiness, SBOM completeness, threat modeling, vulnerability disclosure, postmarket patching cadence, HIPAA + state privacy compliance |
| Clinical Evidence & Adoption | 13% | Validation cohort vs training cohort, RCT/pragmatic-trial evidence, usability testing, KOL adoption, clinician-workflow integration |
| Reimbursement & Coding | 11% | CPT codes (RPM/RTM/99453-99458), CMS reimbursement trend, payer PDT policy, pay-for-performance models, employer direct contracting |
| Interoperability & Integration | 9% | FHIR R4 readiness, Epic/Cerner marketplace status, SMART on FHIR, HL7v2 fallbacks, single-sign-on, data-export compliance |
| Commercial & Market Access | 7% | Channel strategy (provider / payer / employer / D2C), IDN contracts, health-system security-review timeline, ROI evidence |
| Financial & Operational | 5% | Burn, LTV/CAC, enterprise contract duration, infrastructure cost per user — provided by buy-side |
Pricing Ladder
Start with a Quick Score to triage. Scale up to a full report when the deal moves. Every tier returns in 24–72 hours with named physician + engineer reviewers.
Want continuous monitoring post-close? Surveillance from $1,500/mo.
Digital Health Intelligence Library
Deep dives on SaMD, AI/ML, and RPM risks diligence teams still get wrong. Written by Arvind and Aswini.
Validation cohort rigor, subgroup performance disclosure, PCCP quality, post-market monitoring. Where the actual bar is, and which 2024-cleared products wouldn't clear today.
AI/ML: Subgroup performance, drift detection, locked-vs-adaptive posture, and predetermined change control protocols. The new FDA bar for AI-enabled SaMD.
Cybersecurity: SBOM, threat model, postmarket update plan. What FDA refuses to accept, and how to assess whether a SaMD target is ready.
RPM: Auto-capture exclusions, time-on-device thresholds, setup-code one-shot limits, RTM vs RPM. The models built on 2023 coding rules no longer pencil.
Classification: "Wellness app," "decision support," "clinician-reviewed." How to read a software label for regulatory status and what a reclassification event costs.
Integration: FHIR R4, Epic App Orchard, SMART on FHIR, HL7v2 fallbacks, SSO. The integration work that gates hospital rollout, rarely surfaced in the data room.
Send us the target and a data-room link (or just the intended-use statement and the 510(k) number if cleared). We return a Quick Score in 24 hours, including SaMD-class and AI/ML validation reads.