At the eHealth Week conference last week, the European Commission presented the latest draft of the EU guidelines on the assessment of mHealth apps. As set out in our previous post, this guidance establishes a broad framework that forms the basis for improving the use, development, recommendation and evaluation of mHealth apps, and for facilitating decisions on whether or not an app should be reimbursed.

The second draft is still a discussion document on how the assessment of apps should take place and what criteria should be used. As such, there is still much to be decided. The second draft also contains substantial commentary on the existing/future regulatory environment that covers apps, which will also be applicable to app developers.

The guidance identifies nine key criteria that form the basis for the assessment: reliability, desirability, credibility, safety, security, transparency, usability, effectiveness, and stability. The guidance itself follows the same format as the previous version, and is divided into three phases: (i) Initial validation and assessment of the app; (ii) Risk assessment to determine the level of scrutiny required; and (iii) Scrutiny, which sets out a series of questions, taking account of the technology platform and the medical aspects of the app. While additional detail and explanation have been added to this draft, there are still many questions to be addressed. In particular, the criteria for risk assessment are still being “worked out”.

The draft clarifies that medical devices are not covered by the guidance, and that all apps that do not meet the definition of a medical device are low risk. The guidance, therefore, seeks to cover the so-called “grey zone” of apps that fall just below the lowest category of medical devices (Class 1), through to apps such as appointment booking apps that nevertheless involve exchange of potentially sensitive personal information.

The discussion at the conference focused on a number of “open issues”: the scope of the guidelines, the way they need to mesh with other legislation and guidance, users' perspectives and needs, and what form they should take. Stakeholders now have until 31 August to comment on the current draft, and a third version is expected to be published in mid-October. The fourth and final draft will then be published by the end of December, with the guidance expected to come into force in early 2017.