Offering health care solutions at consumers' fingertips? What you should know about FDA regulation of mobile medical apps

by DLA Piper
Contact

Over two years after the Food and Drug Administration issued draft guidance on “mobile medical applications,” the agency recently issued its greatly anticipated final guidance. As FDA considered comments from stakeholders during this prolonged review period, many in the industry continued to struggle with understanding the boundaries proposed by FDA and their potential impact on businesses across the health care sector.

The principles outlined in the final guidance remain consistent with those described in the draft guidance. FDA has stated that it is “not expanding [FDA’s] universe” by regulating mobile medical applications (i.e., apps), but rather applying longstanding basic tenets of medical device regulation and–at the core – requirements of the Food, Drug and Cosmetic Act (FDCA). These principles may, however, be unfamiliar to many in the technology space, particularly those who have not previously been involved with FDA-regulated devices.

In response to industry requests for clarity, FDA added a number of specific examples in the final guidance, including examples of mobile apps that would not be considered regulated devices; and those that would technically be considered devices, but to which FDA would apply enforcement discretion.

Below we provide an overview of FDA’s final guidance, including a high-level look at FDA’s intended regulatory approach.

Should I be paying attention?

FDA’s guidance applies to “mobile medical app manufacturers,” so in determining whether the guidance is relevant to you, there is a two-part analysis: (1) what is the exact nature of the product; and (2) what is your role with respect to the design, specification development, manufacture, packaging or labeling.

This same analysis is relevant for any product that is, or might be considered, a “medical device.”  It is especially noteworthy, however, for companies which may be new to the FDA-regulated space and may be unfamiliar with FDA’s broad definitions of “medical devices” and “manufacturers.”

Is the app regulated?

As a starting point, a software application will be subject to FDA regulation if it meets the definition of a “device” in the FDCA.  The statutory definition includes any “instrument, apparatus, implement machine, contrivance . . . or other similar or related article, including a component part, or accessory which is: . . .  intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals.”

The “intended use” is a critical determining factor for whether FDA will deem a technology a “device” subject to regulation. FDA notes that labeling claims, advertising materials and/or oral or written statements by manufacturers or their representatives are instructive when determining the “intended use” of a device. Further, FDA clarifies that “when the intended use of a mobile app is for the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the body of man,” the mobile app is a device.

In defining a “mobile medical app,” the guidance calls out two particular ways that a technology could be deemed within the statutory definition: if it is “an accessory to a regulated medical device” or intended “to transform a mobile platform into a regulated medical device.”

The final guidance separates apps into three broad categories:

  • Category 1: Apps that do not meet the statutory definition of a device, and thus are not subject to FDA oversight
  • Category 2: Apps that may meet the statutory definition of a device, but present such a low risk of patient harm that the FDA is not going to exercise oversight at this time
  • Category 3: Apps that do meet the statutory definition of a device and the above definition of a “mobile medical app,” and that present potential patient risks warranting  FDA oversight at this time


As outlined in the FDA’s guidance, examples of each type of app include:

Apps that do not meet the statutory definition of a device, and thus are not subject to FDA oversight

Examples include:

  • Mobile apps that are intended to provide electronic “copies” of medical textbooks or other reference materials with generic text search capabilities
  • Mobile apps that are intended for health care providers to use as educational tools for medical training or to reinforce training previously received
  • Mobile apps that are intended for general patient education and facilitate patient access to commonly used reference information
  • Mobile apps that automate general office operations in a health care setting and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease
  • Mobile apps that are generic aids or general purpose products

Apps that may meet the definition of a device, but present such a low risk of patient harm that the FDA is not going to exercise oversight at this time

Examples include:

  • Mobile apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in their daily environment
  • Mobile apps that provide patients with simple tools to organize and track their health information
  • Mobile apps that provide easy access to information related to a patients’ health conditions or treatments (beyond providing an electronic “copy” of a medical reference)
  • Mobile apps that are specifically marketed to help patients document, show or communicate to providers potential medical conditions
  • Mobile apps that perform simple calculations routinely used in clinical practice
  • Mobile apps that enable individuals to interact with personal health record systems or electronic health record systems

Apps that do meet the statutory definition of device and the  definition of a “mobile medical app,” and that present potential patient risks warranting FDA oversight at this time.

 

Examples include:

  • Mobile apps that are an extension of one or more medical devices by connecting to such device(s) for purposes of controlling the device(s) or displaying, storing, analyzing or transmitting patient-specific medical device data
  • Mobile apps that transform the mobile platform into a regulated medical device by using attachments, display screens or sensors or by including functionalities similar to those of currently regulated medical devices
  • Mobile apps that become a regulated medical device (software) by performing patient-specific analysis and providing patient-specific diagnosis, or treatment recommendations

FDA “strongly recommends” that manufacturers of all apps that meet the definition of “device,” including those over which FDA will exercise regulatory discretion (the second category above), follow FDA’s Quality System regulation in the design and development of their apps.

For apps in the third category, another level of analysis is required to determine exactly how FDA will regulate the app, and what specific requirements apply, depending on the classification (e.g., Class I, Class II, Class III), device type and intended use.  For example, an app might be a “Medical Device Data System,” which is a Class I device, or – based on features offered – it might be regulated at a higher level, e.g., as an accessory to a connected device, which then must comply with the controls applicable to that connected device.

Are my operations regulated?

Being deemed a “manufacturer” has significant consequences in terms of FDA compliance, in a variety of areas.  Definitions of “manufacturer” or “manufacture” are detailed in regulations setting out related responsibilities for: medical device reporting when malfunctions, injuries or deaths occur (21 C.F.R. Part 803);  reporting of device corrections or removals (21 C.F.R. Part 806); establishment registration and listing and premarket notification (510(k)) (21 C.F.R. Part 807); and Quality Systems/Good Manufacturing Practice requirements (21 C.F.R. Part 820). 

In the final guidance, FDA provides several examples of a “manufacturer” in the mobile medical app context, clarifying that it includes any person or entity that:

  • Creates, designs, develops, labels, re-labels, remanufactures, modifies or creates a mobile medical app software from multiple components
  • Initiates specifications or requirements for mobile medical apps or procures product development/manufacturing services from other individuals or entities (second party) for subsequent commercial distribution
  • Creates a mobile medical app and hardware attachments for a mobile platform that are intended to be used as a medical device by any combination of the mobile medical app, hardware attachments and the mobile platform or 
  • Creates a mobile medical app or a software system that provides users access to the medical device function through a website subscription, software as a service, or other similar means.

For companies involved in any way with the development, creation or distribution of mobile medical technologies, we recommend careful consideration of the regulatory definitions to proactively assess their applicability and to ensure compliance.

Navigating the FDA landscape can be challenging, especially to companies new to the FDA-regulated space.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DLA Piper | Attorney Advertising

Written by:

DLA Piper
Contact
more
less

DLA Piper on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.