FDA Issues Final Guidance on Mobile Medical Apps: “De-Regulatory” Move Helps Clarify Certain Key Questions, But Leaves Others Open

by Ropes & Gray LLP

On September 25, 2013, the Food and Drug Administration (FDA) issued its long-awaited final guidance on health-related software applications intended for use on mobile devices. Under the guidance, FDA will regulate only those mobile apps that both meet the definition of a medical device and could pose a risk to patient safety if they fail to function as intended. FDA can now be expected to focus its resources on promoting and enforcing regulatory compliance for the subset of mobile medical apps it intends to regulate.

Importantly, the guidance does not address other significant questions such as how FDA intends to regulate clinical decision-making support tools and electronic health records. Under the FDA Safety and Innovation Act (FDASIA), the FDA, in consultation with the National Coordinator for Health Information Technology and the Federal Communications Commission, is required to publish a report by January 2014, describing a risk-based regulatory framework for health IT. Topics not covered by the current guidance may be addressed in this upcoming report.

Mobile Medical Apps Subject to FDA Regulatory Oversight

Under the final guidance, a mobile app is a software application that can be run on a mobile platform, such as a smart phone, tablet, or other portable computer, or a web-based software application tailored to a mobile platform. A mobile medical app is a mobile app that meets the definition of a device in the Federal Food, Drug, and Cosmetic Act and is intended to be an accessory to a regulated medical device or to transform a mobile platform into a regulated medical device. The final guidance groups mobile medical apps into three primary categories:

  • Apps that are extensions of other medical devices by connecting to such devices for the purpose of controlling the devices or displaying, storing, analyzing, or transmitting patient-specific medical device data. Mobile apps that control a medical device, such as apps that control inflation of a blood pressure cuff or delivery of insulin through a pump, are subject to the device requirements applicable to the device being controlled. Mobile apps that display, store, analyze, or transmit patient-specific medical device data, such as a remote display of EEG data or radiological images from a Picture Archiving and Communication System (PACS) server, or perform similar display functions meeting the definition of a medical device data system (MDDS), are subject to regulations associated with such devices.
  • Apps that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. Apps that use the mobile platform to perform device functions, for example by attaching a blood glucose strip reader to the platform, using a built-in accelerometer to monitor sleep apnea, or displaying radiological images for diagnostic purposes, will transform the mobile platform into a regulated device. Such devices will be required to comply with the device classification associated with the transformed platform.
  • Apps that become regulated medical devices by performing patient-specific analyses and providing patient-specific diagnoses or treatment recommendations. This category includes apps that perform “sophisticated analysis” of patient-specific data or “interpret data” from another medical device, such as dosage calculators for radiation therapy, Computer Aided Detection (CAD) software, and image processing software. FDA states that these apps are similar to software devices that have been previously cleared or approved for non-mobile platforms, but does not attempt to address how all such apps will be regulated. Instead, FDA encourages manufacturers of mobile medical apps that perform patient-specific analyses to contact FDA to discuss what, if any, regulatory requirements may apply to their devices. This category of mobile medical app is likely to present the greatest challenges in determining whether a given mobile app is to be regulated by FDA and, if so, in what manner.

Mobile Apps That FDA Will Not Regulate

Unlike the draft guidance on mobile medical apps issued in 2011, the final guidance contains an in-depth discussion of apps that will not be the focus of FDA’s regulatory oversight, either because they are not medical devices or because FDA intends to exercise enforcement discretion with respect to that type of app. In appendices to the final guidance, FDA provides examples intended to help industry understand whether a particular mobile app is regulated by FDA.

Mobile apps that FDA does not consider to be medical devices include:

  • Electronic medical dictionaries, textbooks, and other reference materials;
  • Educational tools used by health care providers for medical training;
  • Patient education and awareness tools;
  • Apps that automate general office operations in a health care setting; and
  • General purpose apps, such as a magnifying glass app or audio recording app not specifically intended for medical purposes.

Mobile apps that may be medical devices, but for which FDA intends to exercise enforcement discretion include:

  • Apps that provide supplemental clinical care through coaching or prompting to help patients manage their health in their daily environment. Examples include medication reminder apps intended to improve adherence, even though medication reminders have traditionally been regulated as Class I devices;
  • Apps that provide patients with simple tools to organize and track health information;
  • Apps that provide easy access to information related to patients’ health conditions or treatments, such as drug-drug interaction search tools;
  • Apps marketed to help patients document or communicate to providers potential medical conditions, such as videoconferencing portals specifically for medical use;
  • Apps that perform simple calculations routinely used in clinical practice, such as body mass index; and
  • Apps that enable users to interact with personal health record or electronic health record systems.

Implications for FDA and Mobile App Developers

In the past, FDA has been criticized for imposing new, burdensome regulatory requirements for health-related software under the guise of a purportedly “de-regulatory” action. This was the case with FDA’s MDDS regulation published in 2011, which FDA characterized as down-classifying such devices from Class III to Class I, when most developers of such systems had long understood that they were not subject to FDA regulation at all. In the mobile medical app guidance, by contrast, FDA has taken steps that are more clearly de-regulatory by stating explicitly that it does not intend to regulate mobile apps to the full extent of its statutory authority and by giving specific examples of apps that the agency will not regulate.

For apps that will be regulated, FDA provides guidance on which of several potentially involved parties will be responsible for complying with FDA regulations. For example, the guidance confirms that manufacturers of mobile platforms that are not marketed for use as medical devices, entities that distribute but do not design or manufacture mobile medical apps (e.g., the iTunes App store or the Android market), and software developers who provide design and development services to software authors are not “manufacturers” subject to direct FDA regulation. The guidance also suggests that the parties can define the responsible entities by contract, at least in certain circumstances.

Now that the guidance is final, FDA is likely to increase its focus on promoting and enforcing compliance by mobile medical app manufacturers. Software developers are now on clear notice that, for certain types of software, they must comply with applicable requirements, such as premarket notification or approval, establishment registration and device listing, labeling requirements, medical device reporting, correction and removal reporting, and the Quality System Regulation (QSR). Even prior to issuance of the final guidance, FDA had taken regulatory action consistent with the principles in the guidance, as Ropes & Gray previously reported. Mobile app manufacturers should carefully review the final guidance, as well as FDA’s webpage on mobile medical applications, to determine how FDA intends to regulate their mobile apps and take the necessary steps to ensure that they are in compliance with applicable requirements.

Mobile app manufacturers may also be interested in FDA’s statement that it “strongly recommends” that they follow the QSR when developing any health-related mobile apps, even those for which FDA will exercise enforcement discretion. Although FDA’s statement is arguably gratuitous, plaintiffs in products liability actions might seek to seize on this statement to argue that a software manufacturer’s quality systems were inadequate, leading to device failures resulting in injuries. Mobile app manufacturers should therefore carefully consider the quality assurance and quality control processes, systems, and documentation that they will employ when developing software that can affect patient or consumer health but is not FDA-regulated.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising
