Is Your Health Application Regulated by the FDA?
The proliferation of mobile apps in healthcare has prompted the FDA to clarify its enforcement priorities. Does your medical app fall into one of the regulated categories?
In its most recent update to Policy for Device Software Functions and Mobile Medical Applications; Guidance for Industry and Food and Drug Administration Staff, the U.S. Food and Drug Administration (FDA) responded to the rapidly advancing healthcare technology field’s need for updated guidance. The FDA “recognizes the extensive variety of actual and potential functions of software applications (apps) and mobile apps, the rapid pace of innovation, and their potential benefits and risks to public health.”
The FDA notes that mobile platforms have become “more user-friendly, computationally powerful, and readily available.” The increasing complexity of mobile apps has prompted the FDA to shed more light on the regulations that address the FDA’s top priority: patient safety. By examining software through a lens of risk to patient health and safety, the regulations direct tech companies’ attention to improving health care, reducing potential medical mistakes, and protecting patients.
In General, What Does the FDA Regulate?
Whether the FDA labels technology as a device software function, mobile application, mobile medical application, regulated medical device, or any similar-sounding name, enforcement is based on “the level of regulatory control necessary to assure safety and effectiveness.” Again, the FDA determines the level according to the risk the technology presents to the public.
Note that while the Policy generally guides software manufacturers and healthcare tech firms as to what is regulated, compliance with the regulations does not have a formula. Nothing in the guidance establishes a legally enforceable responsibility, and each page is marked “nonbinding recommendations.” As a result, compliance with the FDA regulations will look different for every technology. Thus, simply recreating compliance steps used for another technology or business will not ensure that your technology will meet its regulatory requirements.
In addition to outlining the types of medical apps and devices that fall under FDA regulatory enforcement, the Policy provides just as many “examples of software functions for which FDA intends to exercise enforcement discretion (meaning that FDA does not intend to enforce requirements. . .)”
“We intend to apply this oversight authority only to those software applications whose functionality could pose a risk to patient safety if the software application were to not function as intended.”
Mobile Medical Apps:
A mobile medical app is one that incorporates device software functionality and is intended to:
- be used as an accessory to a regulated medical device; or
- transform a mobile platform (e.g., smartphone) into a regulated medical device.
Intention, in short, is demonstrated by labeling claims, advertising materials, or oral and written statements by manufacturers or their representatives.
When the intended use of a mobile app is for the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the body of man, the app is a device.
Regulated Medical Devices:
The FDA regulates devices such as glucose monitors, apnea monitors, breathing frequency monitors, oximeters, otoscopes, perinatal monitoring systems, medical image digitizers, and many others. The extent of regulation varies depending on the device class and any applicable exemptions. Appendix D of the FDA Policy provides examples of the current regulations.
The general Device Class Regulations include:
Class I devices:
General Controls, including:
- Establishment registration, and Medical Device listing;
- Quality System (QS) regulation;
- Labeling Requirements;
- Medical Device Reporting;
- Premarket Notification;
- Reporting Corrections and Removals; and
- Investigational Device Exemption (IDE) requirements for clinical studies of investigational devices.
Class II devices:
General Controls (as described for Class I), Special Controls, and (for most Class II devices) Premarket Notification.
Class III devices:
General Controls (as described for Class I), and Premarket Approval. [1]
Mobile Medical App Manufacturers:
Those considered mobile medical app manufacturers by the FDA Guidance must register their establishments, list their products with the FDA, and/or submit a premarket application. Such manufacturers include:
- A person or entity that creates, designs, labels, re-labels, remanufactures, modifies, or creates a mobile medical app software system from multiple components.
- A person or entity that initiates specifications or requirements for mobile medical apps or procures product development/manufacturing services.
The Policy provides many examples of who is not considered a manufacturer, including:
- Software “developers”
- Those who solely distribute or market a platform they do not intend to be used for medical device functions
- Entities that exclusively distribute apps (e.g., App Store)
- Those who manufacture apps solely for research, teaching, and analysis
Where the FDA Intends NOT to Enforce Regulations [2]
The FDA does not intend to enforce requirements—that is, they will “Exercise Enforcement Discretion”—for software functions that:
- Help patients/users self-manage their disease or conditions without providing specific treatment or treatment suggestions; or
- Automate simple tasks for health care providers.
While some items that fall within this category may be software functions/mobile apps, the FDA still intends to “exercise enforcement discretion” because they pose a low risk to patients.
- Apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in their daily environment. Example: medication schedule prompting.
- Apps that provide easy access to information related to patients’ health conditions or treatments (beyond providing an electronic “copy” of a medical reference). Example: best practice guidelines and drug-allergy lookup tools for clinicians.
- Apps that are specifically marketed to help patients communicate with healthcare providers by supplementing and augmenting the data or information. Example: being able to submit a photo of a skin rash to supplement a verbal discussion of a patient’s symptoms.
- Apps that perform simple calculations routinely used in clinical practice. Example: Delivery date estimator or APGAR score calculator.
What the FDA Intends to Regulate [3]
For which software functions does the FDA intend to enforce requirements? There are three main categories.
Extensions of Medical Devices
The FDA regulates software functions that are an extension of one or more medical devices by connecting to such device(s) to control the device(s) or analyze medical device data.
Take the example of an app that allows a smartphone to control a blood pressure cuff’s inflation and deflation. The app software extends the functionality of the smartphone to connect the device/phone to the cuff, giving it the ability to control the cuff. The software, therefore, becomes an extension of the regulated medical device.
In this case, the device software functions (the app) should comply with the regulations applicable to the connected medical device to address any associated risks.
Mobile Platforms Transformed Into Medical Devices
Software can transform a mobile platform into a regulated medical device by using attachments, display screens, or sensors, or by including functionalities similar to those of currently registered medical devices.
For example, picture software that allows a blood glucose strip reader attached to a mobile platform to function as a glucose meter. The app (software function) allows the smartphone (mobile platform) to work with the attachment to transform the smartphone into a medical device (blood glucose meter).
The software should therefore comply with the device classification associated with the transformed platform (glucose meter). In other words, whatever regulations apply to glucose meters, the phone + app + attachment turned glucose meter device would need to meet the same requirements.
Software Providing Patient-specific Analysis, Diagnosis, or Treatment
Some software functions become a regulated medical device by performing patient-specific analysis and providing patient-specific diagnosis or treatment recommendations.
The FDA considers these types of software to pose the same level of risk to patients regardless of the platform on which they run.
This category would include, for instance, software that performs sophisticated analysis or interprets data (electronically collected or manually entered) from another medical device such as radiation therapy treatment planning software.
For regulatory guidance on these particular types of technology, the FDA encourages direct contact with them to discuss which regulations may apply.
Appendix E of the Policy provides an overview of some of the device regulatory requirements. After classifying your specific health application, Jackson LLP can guide you through the FDA’s requirements. We can help determine what regulations you need to satisfy and how best to go about compliance.
The Regulations Listed in the FDA’s Policy include:
- Establishment registration and medical device listing
- Investigational device exemption requirements: before a study can begin, the FDA and an institutional review board (IRB) must approve clinical studies of devices of significant risk
- Labeling requirements
- Premarket submission for approval or clearance
- Quality system regulation
- Medical device reporting; adverse event reporting
- Voluntary corrections
Health App Compliance Doesn’t End With the FDA
Be mindful that responsibility regarding your health applications is not limited to the FDA classification, registration, and regulations. HHS’ Office of Civil Rights (OCR) offers guidance to mobile health (mHealth) developers and others interested in the intersection of health information technology and HIPAA privacy and security protections. Once you’ve established your regulatory compliance infrastructure, take in that information, and visit our blog post regarding Your Legal Obligations for Notifying Affected Parties in a data breach.
Because there is no one way to comply with the FDA regulations despite this Policy and guidance, the FDA suggests reaching out to them directly:
“If you are developing a software function that meets the definition of a device (such as a mobile medical app) with an entirely new intended use, we encourage you to contact FDA to discuss what regulatory requirements may apply.”
However, the FDA will not provide information on what actions will lead you to satisfactory compliance with the regulations or whether your established compliance plan will actually satisfy the requirements. With or without a personalized list of regulations from the FDA, you’ll want to seek out experienced professionals that have worked within and beyond the FDA regulations relevant to your technology. Such professionals can guide you to full compliance with your first efforts and beyond.
We recognize the pace at which the industry—and your technology—is moving. Jackson LLP shares your view that prompt compliance is essential to your technology hitting the market at the right time.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader and should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.
1. Appendix E of the Policy provides a brief summary of the above requirements. Additional information from the FDA is available at fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance under “Overview of Medical Device Regulation” and “How to Study and Market Your Device.”