On September 23, 2013, the Food and Drug Administration (FDA) published the final guidance on its regulation of “mobile medical applications (or apps).” The guidance finalizes FDA’s 2011 draft guidance, adding numerous examples to clarify the scope of FDA’s regulation, and maintaining the main definitions without significant modifications. In particular, the final guidance:

• Clarifies what it regulates: only “mobile medical apps” that meet the definition of “device” and are intended to:
  • be used as an accessory to a regulated medical device; or
  • transform a mobile platform into a regulated medical device.
• Provides numerous examples of mobile apps that:
  • meet the “device” definition;
  • do not meet the definition of “device”; and
  • FDA will exercise enforcement discretion over, without regard to whether they meet the definition of a “device”.
• Makes classification-based regulatory requirements applicable to “mobile medical app manufacturers”; and
• Provides answers to manufacturers’ questions (FAQs).

Background

FDA’s final guidance on Mobile Medical Applications addresses FDA’s regulation of medical mobile apps, a subset of software that meets the FDCA’s definition of a “device.” Software has been regulated by the agency since the 1980s. In 2005, FDA abandoned a planned overarching software policy, electing instead to issue guidance on certain subsets of software. Since 2005, FDA has classified software applications that meet the definition of “device” and identified the regulatory requirements that apply to those apps and their manufacturers. Past examples of app “devices” include the software component of hardware (e.g., electrocardiographic systems) as well as software-only devices (e.g., laboratory information management systems).

In 2011, in response to an increase in new mobile medical apps, FDA published a draft guidance titled “Mobile Medical Applications.” In this draft guidance, FDA proposed to clarify (1) which mobile apps it would regulate as devices under the FDCA, (2) the definition of a mobile medical app manufacturer, and (3) the regulatory requirements applicable to mobile apps. In now finalizing this guidance, FDA kept the draft guidance largely unchanged, but added numerous examples of apps and their place in FDA’s regulatory framework.

The 2013 Final Rule

FDA Will Regulate Mobile Medical Apps and Will Exercise Enforcement Discretion for Some Mobile Apps

As noted above, FDA finalized its proposal to regulate as medical devices only “mobile medical apps,” defined as a mobile app that meets the FDCA’s definition of a “device” in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FDCA)¹ and either is intended:

• to be used as an accessory to a regulated medical device; or
• to transform a mobile platform into a regulated medical device.

FDA defines a “mobile app” as “a software application that can be executed (run) on a mobile platform (i.e. a handheld commercial off-the-shelf computing platform, with or without wireless connectivity), or a web-based software application that is tailored to a mobile platform but is executed on a server.” Regardless of the platform, FDA’s oversight of mobile apps is focused on functionality, similar to its oversight of other medical devices.

Based on its definition of a mobile medical app, FDA has designated three types of mobile apps:

1. mobile apps that are mobile medical apps, and are thus regulated by FDA as medical devices;
2. mobile apps that are not mobile medical apps, and are thus not regulated by FDA as medical devices, and
3. mobile apps toward which FDA will exercise enforcement discretion, whether or not they meet the definition of mobile medical apps.

Mobile medical apps regulated as medical devices

FDA will apply its regulatory oversight only to mobile medical apps, because their functionality could pose a risk to a patient’s safety. FDA outlined three types of mobile apps that meet the definition of mobile medical apps, and included examples for each type.

• Type 1: Mobile apps that are an extension of one or more medical devices by connecting to such device(s) for purposes of controlling the device(s) or displaying, storing, analyzing, or transmitting patient-specific medical device data. These apps are subject to the regulations governing the devices to which the apps serve as extensions.
• Type 2: Mobile apps that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. These apps are required to comply with the device classification associated with the transformed platform.
• Type 3: Mobile apps that become a regulated medical device (software) by performing patient-specific analysis and providing patient-specific diagnosis, or treatment recommendations. These types of mobile medical apps are similar to or perform the same function as those types of software devices that have been previously cleared or approved. FDA requests that mobile app manufacturers contact the agency regarding the regulatory requirements that apply to these mobile medical apps.

Mobile apps not regulated as medical devices

FDA also provided a non-exhaustive list of five types of mobile apps that do not meet the definition of mobile medical apps, including specific examples for each type. FDA does not intend to regulate these types of mobile apps:

• Type 1: Electronic copies of medical textbooks and electronic reference materials. For example, medical dictionaries, electronic copies of medical textbooks and other literatures, library of clinical descriptions for diseases and conditions, and medical abbreviations and definitions.
• Type 2: Educational tools for medical training or to reinforce training previously received. For example, medical flash cards, quiz apps, interactive anatomy diagrams or videos, surgical training videos, certification preparation apps, and games used in training health professionals.
• Type 3: Apps intended for general patient education and to facilitate patient access to commonly used reference information, including patient-specific apps. For example, portals for healthcare providers to distribute educational information to patients, apps that guide patients to ask appropriate questions when interacting with healthcare providers, information about gluten-free food products, apps that facilitate communication between patients and clinical trial investigators, tutorials on first-aid and CPR, apps that identify pills based on color and shape, apps that locate nearby medical facilities, and apps that compare costs of drugs in nearby pharmacies.
• Type 4: Apps that automate general office operations in a health care setting and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease. Examples are apps that determine billing codes, enable insurance claims data collection and processing, analyze insurance claims for fraud, generate reminders for scheduled medical appointments, manage shifts for doctors or schedules for hospitals, and apps that provide wait times and electronic check-in for hospital emergency rooms.
• Type 5: Generic aids or general purpose products. Examples are apps that use a mobile platform as and aid for general rather medical purposes (e.g. magnifying glass, audio recorder, audio amplifier), allow healthcare providers to interact, and apps that provide directions to medical facilities.

Apps for which FDA will exercise enforcement discretion

FDA also provided a non-exhaustive list of mobile apps for which the agency will exercise enforcement discretion, whether or not the apps meet the definition of a mobile medical app. The decision means that FDA would not regulate these mobile apps as medical devices because these types of apps pose low risk to the public. The following are two of the 21 examples provided in Appendix B of the final guidance.

• Mobile apps that provide reminders, educational information, or motivational guidance to smokers trying to quit, patient recovering from addiction, or pregnant women.
• Mobile apps that assist in logging, recording, tracking, evaluating, or making decisions related to developing or maintaining general fitness, health, or wellness.

Mobile Medical App Manufacturers and Applicable Regulatory Requirements

Mobile medical app manufacturers

Manufacturers of regulated medical devices must comply with general and special controls that are applicable to each manufacturer’s device. In the final guidance, FDA set its definition of a “mobile medical app manufacturer” as any person or entity that manufactures mobile medical apps in accordance with the definition of a manufacturer in FDA’s regulations.² The definition includes “anyone who initiates specifications, designs, labels, or creates a software system or application for a regulated medical device in whole or from multiple software components.” Excluded are persons who act as distributors only, such as the owners and operators of the “iTunes App store.”

Medical device class designations

FDA requires that manufacturers of devices comply with certain regulatory controls, based on the device’s classification: Class I (general controls), Class II (general and special controls) or Class III (premarket approval). FDA’s final guidance reaffirms that mobile medical apps may be classified in any of the three risk-based classes. As noted above, each mobile medical app’s classification is determined by its function. When a mobile medical app serves as an extension to a device, the app is subject to the regulatory classification for the device. When a mobile medical app transforms a platform into a medical device, the app is subject to the regulatory classification associated with the transformed platform. For example, a manufacturer of a mobile app that displays radiological images for diagnosis (thus transforming the mobile platform into a picture archiving and communication system (PACS)) is subject to the controls for Class II PACS under 21 C.F.R. § 892.2050.

FDA also finalized its proposal to require manufacturers to meet the controls requirements associated with the applicable device classification. FDA highlighted the Quality System (QS) regulation in particular, recommending that manufacturers of all mobile apps that may meet the definition of a device follow QS in the design and development of their mobile medical apps.