The development and use of mobile technologies and devices is expanding at an incredibly fast pace and is changing, and in fact revolutionizing, the way patients and healthcare providers interact. Mobile medical technologies or “mHealth” technologies and applications can allow patients to better manage their own health and wellness, and provide patients and providers with greater access to patient data and information. Developers, providers, patients, hospitals and health systems and ancillary health care service providers, among many others, are rapidly creating, adopting and using varying levels of mHealth technology to improve care, outcomes and patient experiences across the diverse spectrum of health care delivery. However, existing in a highly regulated space may prove to be a challenge for mHealth technology developers and entrepreneurs. Developers will need to determine how, and if, a wide array of laws and regulations apply to their technology, and how to comply with the applicable regulations. Examples of laws, issues and regulations that developers should consider include, but are not limited to, the Health Insurance Portability and Accountability Act (HIPAA), various individual State data protection and privacy laws, regulations impacting reimbursement, and the oversight, classification and registration requirements of the U.S. Food and Drug Administration (FDA).
The task of determining which laws and regulations apply to new mHealth technologies may prove to be a challenge (and an expense) in that regulators and agencies are working within the boundaries of laws and regulations that were not necessarily designed for the current, ever-developing and changing technological world. While the FDA and regulatory agencies are looking at these regulatory issues, questions still remain as to what regulations apply to mHealth technologies. For example, questions may exist, depending upon the mHealth technology in question, as to how HIPAA applies to the collection and use of sensitive personal data. mHealth technologies that utilize new manners of data collection and storage, encryption measures, and that contain restrictions on who can access data, raise questions as to how HIPAA’s requirements apply and how such requirements may be complied with. Additionally, and as evidence of the uncertainty of the application of regulations, trade groups and entities have sought guidance from the FDA on, and have even urged Congress to create legislation clarifying, which mHealth technologies are, and which are not, subject to FDA oversight.
The FDA initially addressed this issue via the “Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff” issued in September of 2013 (the Final Guidance). The FDA stated its intent to take a hands-off approach to certain mHealth technologies that pose little to no threat to patient safety, and stated that it is reserving oversight for “mobile medical applications.” The Final Guidance defined a “mobile medical application” as a mobile application that meets the definition of device under Section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act) and which is either intended: (i) to be used as an accessory to a regulated medical device, or (ii) to transform a mobile platform into a regulated medical device. The FDA stated that the intended use of the mobile application (or “app”) determines if the app meets the definition of a “device” under the FD&C Act.
The FDA regulates mobile medical apps using the same classification standards it uses for regulated medical devices, and that classification system uses a risk-based approach. Medical devices are classified as a Class I, Class II or Class III device, with regulatory control and oversight increasing from Class I to Class III. Device classification defines the regulatory requirements for a device type (for example, most Class II devices require a Premarket Notification – 510(k), while most Class III devices require a Premarket Approval).
While the FDA recognizes that many mobile medical apps may meet the regulatory definition of a “device”, it recognizes that many may pose minimal to no risk to patients. For such apps the FDA states it will exercise enforcement discretion and will not expect developers to submit premarket review applications or register and list their apps with the FDA. Seemingly following this same principle, the FDA issued a new draft guidance in June 2014 entitled “Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices - Draft Guidance for Industry and Food and Drug Administration Staff” (Draft Guidance). The Draft Guidance informs developers that the FDA does not intend to enforce compliance with the regulatory controls that apply to medical device data systems (MDDS), medical image storage devices, and medical image communications devices, due to the low risk they pose to patients and the importance they play in advancing digital health. The FDA down-classified MDDS from a Class III device to a Class I device. With this change, the FDA proposed edits to the Final Guidance to conform to the Draft Guidance.
Most recently, in October 2014, the FDA finalized recommendations in a guidance document for medical device manufacturers for managing cybersecurity risks to better protect patients’ safety and health information. In the guidance, the FDA identifies concerns about cybersecurity vulnerabilities. The guidance is intended to supplement the FDA’s “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices,” and applies to premarket submissions for devices that contain software or programmable logic as well as software that is a medical device. Developers of mobile medical apps subject to FDA oversight and review should also comply, as applicable, with the newly issued guidance.
The continued issuance of guidance documents by the FDA, and industry's outcries for clarifying legislation and guidance, highlight the potential regulatory hurdles developers of mHealth technologies may face in bringing technologies to market. Developers should be cautious and take care to ascertain what regulations and laws may apply to the contemplated technologies, and should work to ensure the developed technology complies appropriately.