This is our third installment in our series about the legal issues involved in launching a health app, which the U.S. Food and Drug Administration (“FDA”) refers to as “mobile apps.” The goal of this post is to provide you with a basic understanding of FDA’s evolving approach to mobile apps so that you can make informed decisions about the legal consequences of your app’s functionality.

Back to Basics

Anyone involved in the development of a mobile health app should keep handy the FDA definition of a “medical device,” which Section 201(h) of the Federal Food, Drug, and Cosmetic Act, defines as:

“… an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is …intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals…”

There is no exception in this definition for mobile apps, and as we will see below, FDA believes it is within its authority to regulate mobile apps as medical devices. We can therefore extract from the definition of medical device a general principle that developers should keep in mind:

If a mobile app is intended for use in performing a medical device function (i.e., for diagnosis of disease or other conditions, or the cure, mitigation, treatment or prevention of disease) it is a medical device and therefore subject to FDA oversight.”

This is true regardless of the platform. Health apps running on iOS, Android, or any other platform can trigger FDA oversight. The reality is that thousands of mobile apps made available on the various app stores are, in fact, mobile medical apps that are turning their users’ phones into medical devices that must comply with FDA regulations.

Risk-Based Regulatory Classification

Medical devices, including mobile apps, are classified into the following three categories based on their risk profile:

  • Class I (general controls; lowest risk);
  • Class II (special & general controls); and
  • Class III (premarket approval; highest risk).

The classifications and controls necessary for many Class I, II, and III devices are described in regulations that are specific to each device type. In the context of mobile apps, if the intended use or function of the app falls within the scope of an already defined device regulation, the app will be classified as a medical device. As a result of such classification, the app must meet all of the controls and application requirements for that device type. Take for example an app developer that claims its app can score a user’s cognitive function based on a battery of cognitive tasks. This type of app will fall within the existing class of “computerized cognitive assessment aids,” which are regulated as Class II devices. (For those interested, see 21 C.F.R. § 882.1470). This classification requires a 510(k) application to be submitted to FDA prior to commercialization.

You might be wondering what happens to mobile apps that don’t fit into an existing regulation. Fortunately, FDA has issued final Guidance for Mobile Medical Applications (“Guidance”) that helps answer this and other questions.

The Guidance: Our Lodestar for Understanding Mobile App Regulation

At this point, the Guidance represents the primary tool that developers can use to determine the extent to which FDA will regulate their app. The Guidance defines a “mobile medical application” to mean a mobile app that meets the definition of device (see discussion in the Back to Basics section, above) and either is intended to be used as an accessory to a regulated medical device, or is intended to transform a mobile platform into a regulated medical device.

Mobile apps that control the inflation or deflation of a blood pressure cuff or control the delivery of insulin on an insulin pump are two examples of apps that are accessories to regulated medical devices. The other category of mobile medical apps—those apps that transform mobile platforms into medical devices—is best exemplified by apps that use the platform’s built-in sensors or other technology for medical device functions, such as attachment of a blood glucose strip reader to a smartphone.

As stated in its Guidance, FDA intends to only apply their oversight to those mobile medical apps with functionality that could pose a risk to a patient’s safety if the app were to not function as intended. To assist developers, the Guidance distinguishes between apps that will be subject to the normal regulatory oversight and those apps where the FDA believes it is appropriate to exercise enforcement discretion given the low risk of patient safety

Mobile Medical Apps That Are Subject to Traditional Regulatory Oversight

FDA’s Guidance provides examples of mobile medical apps that will not receive enforcement discretion and will therefore be subject to the FDA’s traditional regulatory paradigm. One category of apps is particularly applicable to many of the health apps currently being developed. This category includes apps that perform “patient-specific analysis and provide patient-specific diagnosis, or treatment recommendations.” The Guidance provides examples, including apps that use patient-specific parameters to create a dosage plan for radiation therapy, and Computer-Aided Detection (CAD) software that assists providers in detecting abnormal tissue, such as cancerous breast tissue. These types of high risk mobile apps will be subject to the traditional regulatory pathway for approval for devices, which will require the developer to:

  1. Register with FDA as a medical device manufacturer;
  2. Submit a 510(k) for Class II devices or a PMA for Class III devices;
  3. Establish a quality management system compliant with good manufacturing practices; and
  4. Make itself available for FDA inspection.

Quality management systems must include processes for complaint handling, corrective actions, documentation control and other compliance-related activities. Developing a quality system that complies with FDA regulations requires experienced personnel or regulatory consultants and takes constant resources and effort to maintain compliance.

Mobile Medical Apps That Are Subject to Enforcement Discretion

The FDA’s Guidance provides a number of categories of mobile apps for which the FDA intends to exercise enforcement discretion. These include mobile apps that:

  • Help patients (i.e., users) self-manage their disease or conditions without providing specific treatment or treatment suggestions;
  • Provide patients with simple tools to organize and track their health information;
  • Provide easy access to information related to patients’ health conditions or treatments;
  • Help patients document, show, or communicate potential medical conditions to health care providers;
  • Automate simple tasks for health care providers;
  • Enable patients or providers to interact with Personal Health Record (PHR) or Electronic Health Record (EHR) systems; or
  • Intended to transfer, store, convert format, and display medical device data in its original format from a medical device.

Some mobile apps in the above categories may be considered mobile medical apps, and others might not. For those mobile apps that are devices, FDA intends to exercise enforcement discretion because they pose a low risk to patients.

21st Century Cures Act

As a result of the 21st Century Cures Act (the “Act”), the definition of “device” will exclude software that:

  • Provides administrative support of health care facility (inc. lab workflow, appointment schedulers).
  • Maintains or encourage a healthy lifestyle, unrelated to diagnosis, cure, mitigation, prevention, or treatment of disease or condition.
  • Relate to electronic patient records that transfer, store, convert formats, or display patient information (do not “interpret or analyze”) and that are created, stored, transferred, reviewed by professional or staff.
  • Transfers, stores, converts formats or display lab test or device data.
  • Meets all of the following: (i) displays, analyzes or prints medical information about a patient or other medical information (such as practice guidelines); (ii) supports or provides recommendations to a healthcare professional (i.e., clinical decision support) about prevention, diagnosis or treatment of a disease or condition; and (iii) enables the health professional to independently review the basis for such recommendations rather than primarily rely on it when making diagnostic and treatment decisions.

In general, the first four software categories exempted under the Act align with FDA’s approach in its Guidance of exercising enforcement discretion for apps that do not directly relate to the diagnosis or cure of specific diseases or conditions. The fifth category will become increasingly important to developers that provide clinical decision support (“CDS”) to healthcare professionals. Many companies have been waiting for FDA to issue CDS software guidance since 2015, but FDA did not release such guidance before the Act limited FDA’s ability to regulate CDS software. However, FDA may still regulate and issue guidance for any CDS software that does not meet all of the criteria described in the fifth category above.

FDA amended its Guidance to note this revised definition and to announce its plans to revise the Guidance to “represent [their] current thinking on the topic.” Unfortunately, the agency has yet to produce such regulations.

Commentary

It is important to keep in mind that health apps intended for a medical or wellness purpose, as well as the companies that develop such apps, are fully subject to FDA medical device regulations unless the app’s functionality falls under the enforcement discretion of the Guidance or has been exempted from regulation by the 21st Century Cures Act. Apps that satisfy the definition of a medical device yet fail to meet either one of these regulatory “off ramps” will be subject to the same types of FDA regulations that traditional manufacturers face. These obligations are time-consuming and expensive, even for a well-financed start up. It is therefore important for developers to analyze each function of their app to determine whether it causes the app to move out of FDA’s enforcement discretion and into the traditional regulatory framework. Those in this space should be on the lookout for new FDA rulemaking on these issues.

Stay tuned next week for our next post in this series which will explore regulation of health apps by the Federal Trade Commission (FTC).