We explore the factors tech companies and app developers need to consider and the risks associated with being regulated as a software medical device both under the current system and under the revised regime coming into effect in May 2020.

Can an app be a software medical device?

A software medical device, which can include an app, is generally intended to be used for the purpose of diagnosis, prevention, monitoring, treatment or alleviation of disease. The app’s functionality is central to determining whether the app falls within the definition of a medical device or if it is simply a consumer app. The analysis does not end here and the intention of the manufacturer or claims about the health benefits of the app, usually set out in the manufacturer’s advertising, marketing, etc., are also relevant. If an app makes claims to produce health benefits, it will be regulated accordingly.

An app that does not offer functionality to achieve the above medical purposes, and makes no claims to, will not be considered a software medical device. For example, apps for general health and wellbeing that record lifestyle habits such as smoking and exercise are generally not considered medical devices, e.g. a Fitbit wearable which records your heart rate, sleep pattern and step count.

In reality, it can be difficult to determine if an app or a standalone piece of software is a medical device. While comprehensive guidance has not been developed at an EU level, the Food and Drug Administration (the FDA), the US authority on these matters, has published a list of categories of health apps that do not qualify as medical devices. For example, mobile apps that are intended to provide access to electronic “copies” of medical textbooks or other reference materials with generic text search capabilities are not considered medical devices. Under the FDA list, mobile apps that automate general office operations in a health care setting and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, are not considered medical devices. An example of this is an app that generates reminders for scheduled medical appointments or blood donation appointments.

Is this a binary decision for app manufacturers?

Careful consideration needs to be given to an app’s functionality and associated advertising and marketing claims before launching in the EU market. Even if the app does not fall within the definition of a medical device, manufacturers still need to assess if the app could be considered an “accessory” to a medical device. Accessories also fall under the regulatory framework and carry their own regulatory requirements.

What are the consequences of an app being a software medical device?

If an app falls within the definition of a software medical device, it is subject to onerous obligations regarding safety, compliance and post market surveillance. This level of compliance can be costly and resource heavy. For example:

  1. The app will be subject to a Conformity Assessment Procedure. This is a process that all manufacturers must complete to prove that their device has met the requirements under the Medical Device Directive. At present, if the app is a Class I device (definition below), the majority of software medical device owners can self-certify they have met these requirements.

  2. Risk Management Assessment - medical devices must comply with the highest level of health and safety standards. App developers would have to create a risk assessment procedure that will help identify, monitor and prevent risks associated with their software.

  3. Data protection - app developers must adhere to all data protection laws. We recommend that all manufacturers consider data protection at the early stages of design to avoid compliance problems down the line.

  4. Labelling - all manufacturers should ensure that instructions for safe use, taking into account the knowledge of potential users, are displayed. This is not a requirement for Class I products. Labelling must also conform with language requirements. In Ireland, labelling in English is sufficient.

  5. Post Market Surveillance - it is important that an efficient post market surveillance system is put in place by manufacturers. The Health Products Regulatory Authority provides helpful tips that can assist manufacturers in the creation of a post market surveillance system.

What will change under the Medical Devices Regulation?

The rules governing software medical devices in the EU will change in May 2020. The new rules, known as the Medical Devices Regulation (MDR), will:

  • Expand the definition of a medical device. The new definition will now also include devices, both hardware and software, designed for the purposes of prediction and prognosis. Many providers of digital health apps will now fall within the scope of these rules. The distinction between medical purpose software and “wellness” software or apps is retained under the MDR. Therefore, apps intended to monitor general fitness and well-being will not be considered to be a medical device.

  • Create new rules for determining risk classification under the MDR, including Rule 11, which specifically addresses software. There is a material risk that certain app manufacturers will be reclassified under the MDR. This may result in more significant obligations and all app manufacturers are advised to review the new classifications and resulting obligations closely. The new classifications under the MDR are:

    • Class IIa governs software intended to provide information that is used to make decisions with diagnostic or therapeutic purposes

    • Class III governs such decisions where impact may cause death or irreversible deterioration in a person’s state of health

    • All other apps not classed by the rule will be classed as Class I

  • Restrict significantly the ability of app manufacturers to self-certify. This will mean assessments will need to be carried out by Notified Bodies before apps can be sold on the EU market. Further concern is also likely to arise given the current shortage of Notified Bodies in the EU that have to date received their MDR certification. As of August 2019, only four Notified Bodies, which do not include the Irish notified body, the National Standards Authority of Ireland (NSAI), are designated to perform assessments under the MDR. The European Commission has predicted that the total number of designated Notified Bodies by the end of 2019 will be twenty (20). It remains to be seen whether this goal will be achieved.

  • Create additional obligations for app manufacturers to achieve conformity, including the need for app manufacturers to:

    • consider the mobile platform through which the app will be available, as well as screen size, when assessing the provision of information to consumers

    • meet minimum requirements in respect of hardware and IT security measures, including protection for the device against unauthorised access and hacking

    • provide detailed information on software verification and validation, covering the testing the device has undergone, to Notified Bodies as part of the conformity assessment

  • Impose an obligation on app manufacturers to ensure a unique identifier (UDI) for the software or app is accessible to the consumer through the app, and updated, as required, following software updates.

Conclusion

Any app developer that provides apps relating to fitness, wellbeing, health and medical treatment needs to be aware of the impact of the MDR on their business. The impact is likely to be most acute for those who are subject to current rules but who benefit from the ability to self-certify. It is anticipated that there will be a significant number of apps migrating from Class I to Class IIa. With only four Notified Bodies designated to certify under the MDR at present, and only 20 expected to be designated by the end of the year, this shortage of Notified Bodies and backlog in terms of obtaining a conformity assessment is likely to be a significant concern for software medical device manufacturers.

All app developers need to ensure regulatory compliance, whether it is under the MDR or general consumer legislation. Unlawfully placing an app on the market that is an unregulated medical device or in breach of consumer protection legislation can lead to significant enforcement action and associated reputational damage.