Author: Ken Block, Ken Block Consulting
Last fall, the US Food and Drug Administration (FDA) issued their final guidance document regarding the regulation of Mobile Medical Applications (Apps) as medical devices. This document, available on the FDA website, confirmed many aspects of this subject that had been contained in the draft version issued almost three years ago – but also contained several surprises.
Essentially, a mobile app is stand-alone software that is marketed by an organization independently from any hardware platform. The platform (PC, mobile phone, tablet, remote server offering “cloud” access, etc.) is where the software application is eventually hosted and may have no ownership/marketing relationship to the software. Over the past few years, as mobile apps usage has been expanding in nearly every market type and country, some companies have wondered whether FDA will regulate any mobile apps. Other companies have wondered whether FDA has any authority over mobile apps.
However, these questions have actually been answered by FDA policies and actions over the past three decades. In the mid-1980s, senior FDA management testified to Congress on the topic of Information Technologies in the Health Care System, during which the following statement was issued (an early FDA policy directly applicable to products that encompass mobile apps): "Medical software products that are marketed separately from a computer (generally referred to as stand alone software) and used with a computer to form a system which operates as a medical device will be treated as a medical device."
Thus historically, when any software has met the US regulatory definition of a medical device and has been marketed to US customers, then it has been long-standing FDA policy that such products be treated as medical devices. This has been true regardless of whether the marketed software was distributed on floppy disk or CD, distributed on the internet as downloadable software – or distributed on a mobile phone app store. Numerous FDA guidance documents over the years have reinforced the authority and policy of FDA to regulate stand alone software, of which Mobile Medical Apps are merely one type.
Final Guidance Highlights
The final FDA guidance on Mobile Medical Apps, the most recent of these policy documents, clearly restates the long-standing stance that FDA has the authority to regulate such software regardless of the operating hardware platform. In other words, software meeting the FDA definition of a medical device may be embedded in hardware, hosted on a mobile device, remotely accessed via web-based “cloud” service, or made available to some healthcare provider or patient through some other means. As always in the US market, the intended use of the app remains of primary regulatory significance. Developing a mobile app with possible medical implications means that FDA regulations must be examined regarding that area of use before distributing or marketing that software product in the US. There are Mobile Medical Apps which may be regulatory class 1, 2 or 3 and have regulatory pathways to market of Pre-Market Approval (PMA) application, 510(k) application (Premarket Notification), De Novo petition or 510(k) exempt (requirement for device listing, but no FDA application or petition, before marketing may begin).
As one surprise to some readers of this recent guidance document, FDA announced that certain mobile apps that meet the US market definition of medical device will not be actively regulated by FDA due to their low potential risk to patient health. In FDA terminology, the US government will use “enforcement discretion” to allow these lower risk software devices on the market without imposing the FDA medical device regulations upon these software products. This new “enforcement discretion” category of software apps – which clearly are medical devices per historical FDA policy and regulatory definition – will instead be treated similarly to “health and fitness” products that are marketed for non-medical uses. This means that for the first time in recent history, certain medical devices will be allowed commercially on the US market without any company regulatory requirements for – or FDA enforcement of – such standard medical device elements as quality management system, FDA registration, device listings, adverse event reporting, and so on. For this new category of “enforcement discretion” products, there will be no threat of an FDA inspection while this new FDA policy stays in effect. Some companies will definitely see positive market opportunities in this new category of non-enforced devices.
Another guidance document surprise came through the FDA applying the same “enforcement discretion”en masse to physicians and groups of practicing physicians who develop Mobile Medical Apps and use them for patient care within their practices. In personally communicating with the FDA staff responsible for the new guidance document, the author confirmed that this provider caveat will equally apply to healthcare groups that may contain multiple hospitals and clinics, hundreds of physicians and perhaps many thousands of patients. This surprising development gives practitioners and their larger healthcare systems the flexibility of developing their own healthcare solutions (where device regulations would not be enforced by FDA), as well as purchasing commercially developed solutions by others (where regulations may be fully enforced by FDA, depending on the product).
However, if that same physician or group practice were to make their internally developed Mobile Medical App available to others (for example by licensing the solution to other hospital systems), then the developing physician/practice/system would become a medical device manufacturer due to the “marketing” aspects of the US medical device regulations. The emphasis upon internal use (within the provider treatment sphere) vs. outside use (beyond that sphere of provider control) in determining whether this new provider caveat applies was made clear in the author’s communication with FDA. In fact, the author is currently working with one hospital system in the US who is not only developing a Mobile Medical App that will be used for patients within their system, but also licensed to other physicians and healthcare provider entities. As an eventual medical device manufacturer, the hospital is establishing the necessary quality system elements so that the software can be developed and marketed per full FDA regulations, including an upcoming 510(k) application.
Determining Regulatory Status
How does an organization determine whether an app is unregulated (not covered by FDA medical device regulations), regulated but not currently enforced (“enforcement discretion”), or fully regulated and enforced by FDA? Examples in the area of diabetes will be used below to help illustrate some differences among these categories.
First, the recent final Mobile Medical Apps guidance document makes clear that those apps that do not meet the FDA definition of medical device are not under FDA regulatory authority. These unregulated apps include categories such as electronic versions of medical reference materials, educational tools for healthcare providers, general patient educational materials, general purpose office software used within healthcare facilities, and general non-medical products. FDA provides numerous examples of such unregulated apps. As a specific example, an app that did only the following items for diabetes patients could be marketed in the US healthcare market directly to diabetes patients, but would be unregulated by FDA because the app would not meet the definition of a medical device:
Similarly, apps which are developed and marketed for “health and fitness” reasons are also unregulated by FDA, because the intended use is not as a medical device. One specific example would be a pedometer app that tracks the amount of walking activity per day, and is marketed as a general health product. As with any general fitness product (for example treadmills and heart rate monitors marketed to walkers and runners), some percentage of users will have the condition of diabetes. However, as long as the app developer does not promote the pedometer app for diabetes (or other specific medical conditions), then such a pedometer app promoted for general fitness would remain unregulated by FDA.
Some organizations wondering about FDA regulation of apps will be healthcare providers (surgeons, physicians, dentists, etc.), group practices, clinics, hospitals, healthcare systems and similar entities. As explained earlier, Mobile Medical App products (and the entities) developed or modified by such entities will now be free of FDA enforcement for using such apps – as long as that use remains within their respective spheres of practice. Logically, under this new scheme, a clinic could develop an app for diabetes that provides patient-specific prompting for insulin treatment based on user history, user health condition, immediate symptoms – and any other criteria determined by that facility to be within the sphere of patient treatment. Some non-enforced provider-developed Mobile Medical Apps may have commercial viability beyond the provider care network. For example, the disease outcome may appear to improve through use of the provider-developed app, and the provider organization sees an opportunity to help others. In that case, full FDA regulations would apply (FDA application would be necessary for the diabetes management system, the provider would need to register with FDA, etc.) before the app could be marketed to – or used by – anyone outside that hospital system.
Next is the new “enforcement discretion” category that has been created by the recent final guidance, where software that actually meets the FDA definition of medical device will not be enforced by FDA because of the low risk posed to patients. There are several areas listed by FDA in the guidance (health information tracking, disease self-management, patient documentation of health conditions, and others), and time should be spent absorbing the entire guidance document to understand this category and these areas better. One such app type that will likely see explosive growth is helping patients self-manage their disease. However, the app must not provide “specific treatment or treatment suggestions” to remain in the “enforcement discretion” category. FDA provides some examples that can be applied to diabetes where the following apps would meet the definition of medical device (disease treatment), yet FDA would not enforce the medical device regulations for such Mobile Medical Apps:
In the Appendix B portion of the final guidance document, FDA provides a list of numerous examples of other “enforcement discretion” apps that can enter the US market without FDA enforcement. FDA warns readers that the list is not definitive, and that FDA should be contacted if your organization is unsure whether an app will be regulated by FDA at this time.
Finally, despite the new frontier of non-enforced medical devices (those within “enforcement discretion” and provider caveat) opened up by the recent FDA guidance document, the remaining regulatory landscape is not the Wild West. FDA has taken a risk-based approach to deciding which apps will be the “focus of FDA’s regulatory oversight” - words used in the guidance document to emphasize the exhaustive category of Mobile Medical Apps that will have all US medical device regulations applied such as company establishment registration, device application as applicable such as 510(k), device listing, Quality System Regulation (21 CFR 820), recall, Medical Device Reporting (MDR), and so on. Mobile Medical Apps that are encompassed by this “focus” of FDA: 1) meet the standard US regulatory definition of a medical device, 2) are intended to either be accessories to existing medical devices or essentially become medical devices themselves via the combination of software and mobile platform (i.e., “transform a mobile platform into a regulated medical device”), and 3) are not contained within the “regulatory discretion” category or provider caveat created by the guidance document. As with any other medical device type on the US market, each regulated Mobile Medical App will have one or more specific FDA product codes that apply, and one or more corresponding FDA regulations (“CFR” sections) that apply.
Please note that FDA did not create any new device classification or product code for Mobile Medical Apps, either in the draft or the final guidance document on these types of products. Instead, the regulatory classification and FDA product code are applied to each product that correspond to the intended use of that app. For example, full FDA medical device regulations would apply to an app that can electronically or wirelessly access the data on a patient’s blood glucose meter then graph those readings in formats that can be customized by each patient on their mobile device. Such an app would be considered by FDA to be an accessory to a blood glucose test system, which is conducting patient-specific diabetes management. The applicable FDA product code is NBW (Over the Counter Blood Glucose Test System) and classification is 21 CFR 862.1345 (Glucose Test System). Per the NBW product code requirements, a 510(k) application must be sent to FDA and cleared by the FDA review team, prior to the marketing or distribution of this type of Mobile Medical App to any US patients. In other words, your organization would not be developing “just” an FDA regulated Mobile Medical App, but instead an FDA regulated “Over the Counter Blood Glucose Test System Accessory” Mobile Medical App.
The table below summarizes the FDA regulatory status for the specific examples above:
Because of the explosive growth of non-traditional products in the healthcare sector, it was a significant development that FDA announced specific regulatory intentions to address software/services/apps in the mobile/cloud market space. Understanding FDA enforcement of your product is key to determining your organization’s US regulatory and market strategies.
With more than 40 pages containing background, rationale, caveats, explanations and examples, the final FDA guidance in Mobile Medical Apps has much more content than can be summarized here. Readers are encouraged to review the entire FDA document, and are welcome to contact the author with any questions.
Kenneth L. Block, RAC
Ken Block is a FDA regulatory expert with experience in FDA strategy for mobile apps, quality systems, FDA inspections, software validation, and new device applications. His company has offices and staff in both the Tokyo and Dallas metropolitan areas