FDA Releases Final Guidance on the Regulation of Mobile Medical Applications

by Foley Hoag LLP

On September 23, 2013, the Food and Drug Administration (FDA) published the final guidance on its regulation of “mobile medical applications (or apps).” The guidance finalizes FDA’s 2011 draft guidance, adding numerous examples to clarify the scope of FDA’s regulation, and maintaining the main definitions without significant modifications. In particular, the final guidance:

  • Clarifies what it regulates: only “mobile medical apps” that meet the definition of “device” and are intended to:
    • be used as an accessory to a regulated medical device; or
    • transform a mobile platform into a regulated medical device.
  • Provides numerous examples of mobile apps that:
    • meet the “device” definition;
    • do not meet the definition of “device”; and
    • FDA will exercise enforcement discretion over, without regard to whether they meet the definition of a “device”.
  • Makes classification-based regulatory requirements applicable to “mobile medical app manufacturers”; and
  • Provides answers to manufacturers’ questions (FAQs).


FDA’s final guidance on Mobile Medical Applications addresses FDA’s regulation of mobile medical apps, a subset of software that meets the FDCA’s definition of a “device.” Software has been regulated by the agency since the 1980s. In 2005, FDA abandoned a planned overarching software policy, electing instead to issue guidance on certain subsets of software. Since 2005, FDA has classified software applications that meet the definition of “device” and identified the regulatory requirements that apply to those apps and their manufacturers. Past examples of app “devices” include the software component of hardware (e.g., electrocardiographic systems) as well as software-only devices (e.g., laboratory information management systems).

In 2011, in response to an increase in new mobile medical apps, FDA published a draft guidance titled “Mobile Medical Applications.” In this draft guidance, FDA proposed to clarify (1) which mobile apps it would regulate as devices under the FDCA, (2) the definition of a mobile medical app manufacturer, and (3) the regulatory requirements applicable to mobile apps. In now finalizing this guidance, FDA kept the draft guidance largely unchanged, but added numerous examples of apps and their place in FDA’s regulatory framework.

The 2013 Final Rule

FDA Will Regulate Mobile Medical Apps and Will Exercise Enforcement Discretion for Some Mobile Apps

As noted above, FDA finalized its proposal to regulate as medical devices only “mobile medical apps,” defined as mobile apps that meet the definition of a “device” in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FDCA) [1] and that are intended either:

  • to be used as an accessory to a regulated medical device; or
  • to transform a mobile platform into a regulated medical device.

FDA defines a “mobile app” as “a software application that can be executed (run) on a mobile platform (i.e. a handheld commercial off-the-shelf computing platform, with or without wireless connectivity), or a web-based software application that is tailored to a mobile platform but is executed on a server.” Regardless of the platform, FDA’s oversight of mobile apps is focused on functionality, similar to its oversight of other medical devices.

Based on its definition of a mobile medical app, FDA has designated three types of mobile apps:

  1. mobile apps that are mobile medical apps, and are thus regulated by FDA as medical devices;
  2. mobile apps that are not mobile medical apps, and are thus not regulated by FDA as medical devices; and
  3. mobile apps toward which FDA will exercise enforcement discretion, whether or not they meet the definition of mobile medical apps.

Mobile medical apps regulated as medical devices

FDA will apply its regulatory oversight only to mobile medical apps, because their functionality could pose a risk to a patient’s safety. FDA outlined three types of mobile apps that meet the definition of mobile medical apps, and included examples for each type.

  • Type 1: Mobile apps that are an extension of one or more medical devices by connecting to such device(s) for purposes of controlling the device(s) or displaying, storing, analyzing, or transmitting patient-specific medical device data. These apps are subject to the regulations governing the devices to which the apps serve as extensions.
  • Type 2: Mobile apps that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. These apps are required to comply with the device classification associated with the transformed platform.
  • Type 3: Mobile apps that become a regulated medical device (software) by performing patient-specific analysis and providing patient-specific diagnosis, or treatment recommendations. These types of mobile medical apps are similar to or perform the same function as those types of software devices that have been previously cleared or approved. FDA requests that mobile app manufacturers contact the agency regarding the regulatory requirements that apply to these mobile medical apps.

Mobile apps not regulated as medical devices

FDA also provided a non-exhaustive list of five types of mobile apps that do not meet the definition of mobile medical apps, including specific examples for each type. FDA does not intend to regulate these types of mobile apps:

  • Type 1: Electronic copies of medical textbooks and electronic reference materials. For example, medical dictionaries, electronic copies of medical textbooks and other literature, libraries of clinical descriptions for diseases and conditions, and medical abbreviations and definitions.
  • Type 2: Educational tools for medical training or to reinforce training previously received. For example, medical flash cards, quiz apps, interactive anatomy diagrams or videos, surgical training videos, certification preparation apps, and games used in training health professionals.
  • Type 3: Apps intended for general patient education and to facilitate patient access to commonly used reference information, including patient-specific apps. For example, portals for healthcare providers to distribute educational information to patients, apps that guide patients to ask appropriate questions when interacting with healthcare providers, information about gluten-free food products, apps that facilitate communication between patients and clinical trial investigators, tutorials on first-aid and CPR, apps that identify pills based on color and shape, apps that locate nearby medical facilities, and apps that compare costs of drugs in nearby pharmacies.
  • Type 4: Apps that automate general office operations in a health care setting and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease. Examples are apps that determine billing codes, enable insurance claims data collection and processing, analyze insurance claims for fraud, generate reminders for scheduled medical appointments, manage shifts for doctors or schedules for hospitals, and apps that provide wait times and electronic check-in for hospital emergency rooms.
  • Type 5: Generic aids or general purpose products. Examples are apps that use a mobile platform as an aid for general rather than medical purposes (e.g. magnifying glass, audio recorder, audio amplifier), apps that allow healthcare providers to interact, and apps that provide directions to medical facilities.

Apps for which FDA will exercise enforcement discretion

FDA also provided a non-exhaustive list of mobile apps for which the agency will exercise enforcement discretion, whether or not the apps meet the definition of a mobile medical app. The decision means that FDA would not regulate these mobile apps as medical devices because these types of apps pose low risk to the public. The following are two of the 21 examples provided in Appendix B of the final guidance.

  • Mobile apps that provide reminders, educational information, or motivational guidance to smokers trying to quit, patients recovering from addiction, or pregnant women.
  • Mobile apps that assist in logging, recording, tracking, evaluating, or making decisions related to developing or maintaining general fitness, health, or wellness.

Mobile Medical App Manufacturers and Applicable Regulatory Requirements

Mobile medical app manufacturers

Manufacturers of regulated medical devices must comply with general and special controls that are applicable to each manufacturer’s device. In the final guidance, FDA set its definition of a “mobile medical app manufacturer” as any person or entity that manufactures mobile medical apps in accordance with the definition of a manufacturer in FDA’s regulations. [2] The definition includes “anyone who initiates specifications, designs, labels, or creates a software system or application for a regulated medical device in whole or from multiple software components.” Excluded are persons who act as distributors only, such as the owners and operators of the “iTunes App store.”

Medical device class designations

FDA requires that manufacturers of devices comply with certain regulatory controls, based on the device’s classification: Class I (general controls), Class II (general and special controls) or Class III (premarket approval). FDA’s final guidance reaffirms that mobile medical apps may be classified in any of the three risk-based classes. As noted above, each mobile medical app’s classification is determined by its function. When a mobile medical app serves as an extension to a device, the app is subject to the regulatory classification for the device. When a mobile medical app transforms a platform into a medical device, the app is subject to the regulatory classification associated with the transformed platform. For example, a manufacturer of a mobile app that displays radiological images for diagnosis (thus transforming the mobile platform into a picture archiving and communication system (PACS)) is subject to the controls for Class II PACS under 21 C.F.R. § 892.2050.

FDA also finalized its proposal to require manufacturers to meet the controls requirements associated with the applicable device classification. FDA highlighted the Quality System (QS) regulation in particular, recommending that manufacturers of all mobile apps that may meet the definition of a device follow QS in the design and development of their mobile medical apps.

1. FDCA § 201(h) defines “device” as an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is — (1) recognized in the official National Formulary, or the United States Pharmacopeia, or any supplement to them, (2) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or (3) intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes. To determine whether a mobile app meets the definition of a “device,” FDA looks at the intended use of the app.

2. Specifically, in 21 C.F.R. Parts 803, 806, 807, and 820.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP | Attorney Advertising
