FDA Guidance for Mobile Medical Applications

In February 2015, the U.S. Food and Drug Administration (“FDA”) issued guidance for mobile medical applications (“apps”).  The FDA will not regulate most of the commonly used mobile apps on the market; however, because of the market’s rapid growth, the guidance sets forth guidelines describing what kinds of apps the FDA will regulate and provides examples of how it will do so.

The FDA is taking a “tailored, risk-based approach” to determine which applications it will regulate, focusing oversight on mobile apps that function as “medical devices,” as defined by section 201(h) of the Federal Food, Drug, and Cosmetic Act, and whose functionality poses a risk to patients.  This approach is consistent with the FDA’s general practice of considering functionality over platform.  The guidance explains: “if a mobile app is intended for use in performing a medical device function (i.e. for diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease) it is a medical device, regardless of the platform on which it is run.”

The FDA will regulate apps that are intended to be used as an accessory to a regulated medical device, that transform a mobile platform into a regulated medical device, or that perform patient-specific analysis and provide diagnosis or treatment recommendations.  Common examples of apps that fall into these regulated categories include those that facilitate diagnosis from a display of patient-specific data, control medical devices, convert a smartphone into an electrocardiography machine, collect motion information to monitor sleep apnea, and plan radiation therapy treatment.  The FDA will not regulate apps that allow patients to track their health information or that provide them with information about medical conditions.  On the health care provider side, the FDA will not regulate apps that merely automate simple tasks or enable access to health record systems.

Regulated apps must conform to the regulatory requirements for medical devices.  The guidance cites the applicable requirements for establishment registration and medical device listing, investigational device exemptions, labeling, premarket submission for approval or clearance, quality system regulation, medical device reporting (adverse event reporting), and correction of problems.  The FDA has also issued guidance on cybersecurity for mobile medical apps that fall within its definition of “medical device.”

The relief this guidance provided to companies that produce apps falling outside the FDA’s definition of “medical device” may be premature.  Though the FDA has chosen not to regulate this class of mobile apps, the Federal Trade Commission will pay special attention to the privacy and cybersecurity concerns they present.  These concerns arise when apps collect large amounts of data and share it with third parties, allowing those parties to infer the private health status of app users.  This privacy risk is especially concerning for apps that are neither regulated by the FDA nor covered by the federal Health Insurance Portability and Accountability Act.  These risks, and the exposure to liability they create, may be reduced through education, awareness, and risk-mitigation strategies applied at the technical level of the data collection that occurs in such mobile apps.

Leah Sibbio is a student at the University of Chicago School of Law. Leah completed her undergraduate degree at the University of Pittsburgh in economics.