The squeezing of healthcare budgets, the increasing desire for patients to be more in control of their healthcare provision, the impact of ever smaller, more powerful and inexpensive computing, coupled with increasing interconnectedness provided by wireless technology – the Internet of Things – has given rise to the phenomenon of Connected Health, also commonly referred to as mHealth or Health Tech.
The concept of Connected Health covers a variety of forms, from mobile phone apps that provide direct medical support or connect to other medical devices, to patient monitoring devices, personal guidance systems, medication reminders provided by SMS and telemedicine provided wirelessly. Since Connected Health is a relatively new field in medical technology, questions have arisen as to how the sector is regulated.
Over the past few years, mHealth has become one of the fastest growing markets. A recent Deloitte research paper has predicted that global revenues for mHealth market will grow from US$ 2.3bn in 2013 to US$ 21.5bn by 2018, with the European market being the largest mHealth market by 2018 (US$ 7.1bn) posting 61% annual growth.
According to the International Telecommunication Union (cited in PwC report Emerging mHealth: Paths for growth), by late 2011 there were almost six billion mobile phone subscriptions in the world with a very high proportion of smart phone penetration. With this existing infrastructure in place and so much computing power in people's hands, health apps no doubt represent one of the most lucrative sources of revenue in the mHealth sector. The nature of health apps varies widely, ranging from pregnancy support apps (which have virtually flooded the app market) to truly innovative diagnosis apps, such as CRADLE, an app that checks for early signs of retinoblastoma in babies simply by analysing photos taken on a smart phone.
It is, however, important to understand that Connected Health covers so much more than just apps and should not always be associated with wearable technology; take for instance, Proteus Digital Health's smart ingestible pill that can monitor whether or not a patient has taken their medication as well as other biometric data. Telemedicine is a huge area of untapped potential which may change the way we view medicine. By way of example, such devices can be as subtle as AliveCor's mobile phone case that doubles as a portable ECG monitor to products as large as the new medical booth developed by H4D (a French company) which enables patients in remote areas to measure their vital signs and contact a GP via an internet connection at any time of the day.
In terms of target users, a report by the Economist Intelligence Unit found that Connected Health applications are most attractive to those with poorly managed chronic diseases and those who pay more than 30% of their household income towards healthcare. This section of the public is also the most willing to pay for mHealth solutions. Equally interesting is that mHealth appears to be most popular in emerging markets, where smart phone penetration is high but where hospitals are not always easily accessible, providing a great emerging market opportunity and test-bed.
Although there is clearly great scope for development, Connected Health is a highly regulated sector in the UK (and the wider European Union) and any manufacturer or developer should be aware of the essential rules. Among these, the rules relating to medical devices and data protection will be of particular significance.
On 26 September 2012, the European Commission published new legislation in the form of two draft Regulations to govern the regulation of medical devices and in vitro diagnostic medical devices in Europe. The Regulations are intended to replace the Directives which currently provide the regulatory framework. To read more on regulatory plans, see our article, 'Where is the new medical devices legislation?'.
For the time being, however, the regulation of medical devices in the European Economic Area (EEA) is currently the product of three directives (The Active Implantable Medical Devices Directive (90/385/EEC), the In Vitro Diagnostic Medical Devices Directive (98/79/EC) and the Medical Devices Directive (93/42/EEC)) (MDD) which have been implemented in the UK by the Medical Devices Regulations 2002 (MDR). Two of the Directives cover specific medical devices, namely active implantable devices and in vitro diagnostic medical devices, whereas the third covers all other types of medical devices.
What is a "medical device"?
As a general rule (and subject to limited exceptions, for example for custom made devices), medical devices cannot be marketed in the EEA without a CE mark, regardless of the category they fall under. As such, it is crucial to determine whether a certain product amounts to a medical device.
A medical device is "any instrument, apparatus, appliance, software, material or other articles, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of:
- diagnosis, prevention, monitoring, treatment or alleviation of disease;
- diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap;
- investigation, replacement or modification of the anatomy or of a physiological process,
- control of conception; and
- which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means".
One preliminary point is that the term "device" is somewhat misleading as standalone software may be considered a medical device (and therefore will include relevant smart phone apps). Also noteworthy is that a product will be seen as a medical device if it is intended as one by the manufacturer. Intention is construed in light of the data supplied by the manufacturer on the labelling, in the instructions and/or promotional materials.
In light of the definition, simple tracking devices such as pedometers, calorie counters or BMI calculators are most likely not medical devices as they are not used in any form of diagnosis or treatment. Also unlikely to be medical devices are, for instance, apps which amount to nothing more than medical dictionaries, providing information without any input from users. However, once data is collected and processed in some way in order to make some recommendation or diagnosis, the product will satisfy the definition. Devices which support a decision (e.g. by calculating heart rate, monitoring the status of a disease or determining what/when medicine is required), will be considered medical devices.
There are, of course, grey areas and each device should be assessed on its own characteristics. For instance, heart rate, blood pressure and/or temperature may be measured for medical reasons (e.g. to prevent heart problems) as well as recreational purposes (e.g. to measure athletic performance).
The manufacturer is responsible for deciding whether a certain product is a medical device. However, if the product ought to bear a CE mark but the manufacturer has mistakenly decided it should not, the relevant national authorities can require the product to be taken off the market. Manufacturers should, therefore, give careful consideration to this point from an early stage.
What requirements apply to a medical device?
CE marking of a medical device attests compliance with the relevant regulatory requirements ("relevant essential requirements"), which will differ depending on the type of device. Devices are divided into four classes (I, IIa, IIb and III) according to their invasiveness, duration of contact with the body, affected body part and associated level of risk. As such, completely non-invasive devices that measure heart rate will fall in class I, whereas slightly more invasive devices that pierce the skin such as continuous glucose monitors (which monitor the glucose level in the interstitial fluid) will fall in class IIa. Due to their relatively non-intrusive nature, it is unlikely that mHealth devices would fall in classes IIb or III.
Regardless of the class, there are a number of general essential requirements which apply across the board. Medical devices must not, when used as intended, compromise the health and safety of the users, provided that any risks associated with using the device are acceptable when weighed against the benefits to the user. However, depending on the nature of the product, specific requirements relating to design and construction may apply. There are specific requirements for devices equipped with an energy source which will no doubt concern virtually every mHealth device. These include:
- if the device is powered by an internal battery, means of determining the state of the power supply;
- if the device is powered by an external power supply, an alarm in case of power failure;
- if the device monitors clinical parameters, an alarm if situations arise which could lead to death or severe health deterioration;
- measures to avoid the creation of electromagnetic fields; and
- measures to avoid, as far as possible, the risk of accidental electric shocks.
Conformity assessment and CE marking
Once the manufacturer decides that the relevant essential requirements have been complied with, it must follow the conformity assessment procedure – which is again different depending on the class of medical device.
The conformity assessment procedure requires the manufacturer to make a declaration of conformity which in the case of class I devices that are non-sterile or do not have a measuring function can be self-certified. In all other cases the manufacturer needs the certification of a notified body following an audit in order to declare conformity. In order to prove compliance, the manufacturer will need to produce appropriate technical documents in support. Clinical trials may be required for certain, high risk devices and, if so, specific agreement by the relevant national health authority (the Medicines and Healthcare Product Regulatory Agency (MHRA) in the UK) must be obtained. The rules on this point are quite convoluted: Article 11 of the MDD (conformity assessment procedures) requires each class of product to comply with certain annexes of the MDD. However, the manufacturer may choose between different combinations of annexes (and only some of them concern clinical trials).
Finally, a medical device manufacturer must put vigilance procedures in place in order to ensure that any adverse reactions can be reported.
After this long and arduous journey, the CE mark may be applied to a product and marketed across the EU.
The conformity assessment process for active implantable medical devices as well as for class III and implantable medical devices requires that a clinical investigation is undertaken unless it is duly justified to rely on existing data. Any such justification will have to be based on a proper clinical evaluation.
Depending on clinical claims, risk management outcome and on the results of the clinical evaluation, clinical investigations may also have to be performed for non-implantable medical devices of classes I, IIa and IIb.
Indeed, conducting some form of clinical trial, even if not absolutely necessary for putting the device on the market, although potentially expensive to conduct, may increase consumer trust in the device and thereby encourage adoption or provide a competitive advantage. However, any clinical investigation must:
- be part of the clinical evaluation process;
- follow a proper risk management procedure to avoid undue risks;
- be compliant with all relevant legal and regulatory requirements;
- be appropriately designed; and
- follow appropriate ethical principles.
The relevant national health authority (in the UK the MHRA) must be informed of any planned clinical trial at least 60 days before starting the trial, and may then only conduct the planned trial if the health authority does not object.
In addition to the product requirements described above, a manufacturer placing class I medical devices on the market is required to register itself with the MHRA if it has a registered place of business in the UK (or with an equivalent national authority if it is registered elsewhere in the EEA). Manufacturers based outside the EEA selling such medical devices within the EEA must appoint an authorised representative, who will then file the required registration with the relevant national authority. For all other devices the manufacturer will need to apply the number of the notified body that certified the device together with the CE mark, but registration with the relevant health authority is not required for such devices.
Once the medical device is successfully on the market, an additional regulatory obstacle is posed by the issue of data collected from users. Since most of this information relates to directly/indirectly identifiable individuals, it will amount to personal data and the manufacturer, as data controller, will be subject to data protection obligations laid down by the Data Protection Directive (Directive 2002/58/EC).
These require that any processing of personal data must respect certain safeguards, for example the requirements that personal information may only be processed for specific purposes (purpose limitation) and should not be transferred to a destination outside the EU which does not offer an adequate level of protection (international transfers).
Information relating to health enjoys a higher level of protection and may not be processed unless certain conditions are satisfied, in particular that the data controller has the specific and informed consent of the user for such processing.