Last month, the Food & Drug Administration (FDA) issued a long-awaited revision to its Policy for Device Software Functions and Mobile Medical Applications Medical App - Guidance for Industry and Food and Drug Administration Staff (the Guidance).  The revised Guidance was among several newly announced policies aimed at advancing the FDA’s digital health initiative that promotes innovation, while also permitting efficient and up-to-date regulatory oversight.

In issuing the Guidance, which is non-binding, the FDA acknowledged the significant role that digital health applications—such as activity trackers and heart rate monitors—play in today’s society and the potential benefits and risks of these apps.  Specifically, the FDA stated that the purpose of the Guidance is “to inform manufacturers, distributors, and other entities about how the FDA intends to apply its regulatory authorities to select software applications intended for use on mobile platforms (mobile applications or ‘mobile apps’) or on general-purpose computing platforms.”

In discussing the FDA’s enforcement authority with respect to mobile apps, the Guidance first focused on mobile apps that meet the definition of a medical device under 201(h) of the Food, Drug & Cosmetics Act (FD&C Act) and are intended “to be used as an accessory to a regulated medical device; or to transform a mobile platform into a regulated medical device.”  Specifically, the FDA has indicated its intent to exercise enforcement power as to three distinct types of software functions, one of which is specifically directed at mobile applications:

Software functions (typically, mobile apps) that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. Software functions that use attachments, display screens, sensors or other such similar components to transform a mobile platform into a regulated medical device are required to comply with the device classification associated with the transformed platform.

Examples of these regulated software functions that work with mobile apps include attachable blood glucose readers or attachable ECG electrodes, as well as sensors on a mobile platform that, with the requisite software, transform the mobile device into a medical diagnostic tool.

More interesting, though, are the types of healthcare apps for which the FDA does not intend to enforce requirements under the FD&C Act, even though the FDA acknowledges that these apps likely fall within the FDA’s regulatory purview.  Examples include:

• patient self-management apps;
• apps that automate simple tasks for healthcare providers;
• apps that provide prompts or coaching to assist a patient in managing their health;
• apps that provide information related to a patient’s condition;
• apps used to help capture patient data for health care providers; and
• apps that perform simply calculations routinely used in clinical practice.

Presumably the FDA decided to exercise its enforcement “discretion” (i.e., “meaning that the FDA does not intend to enforce requirements under the FD&C Act”) with respect to these non-diagnostic apps because they are considered a lower risk to patient health and safety.

The Guidance is silent as to the privacy and data security issues raised by digital health applications, many of which collect and use very sensitive personal data.  Cybersecurity, for medical devices, was addressed at length by the FDA last October.  Because the mobile apps at issue are medical devices, the previous advice given by the FDA last year likely will govern (for those apps over which the FDA intends to exercise regulatory authority).

We will continue to monitor this Guidance and any significant public comments that address the privacy and data security issues raised by digital health applications.