In February of 2015, the U.S. Food and Drug Administration (“FDA”) issued guidance
for mobile medical applications (“apps”). The FDA will not regulate most commonly used
mobile apps on the market; however, because of the rapid growth of the market,
the guidance sets forth guidelines describing what kinds of apps it will regulate
and provides examples of how it will do so.
The FDA is taking a “tailored, risk-based approach” to
determine which applications it will regulate, focusing oversight on mobile
apps functioning as “medical devices,” as defined by section 201(h) of the Federal
Food, Drug, and Cosmetic Act, and whose functionality poses a risk to
patients. This approach is consistent
with the FDA’s general approach of considering functionality over platform. The guidance explains: “if a mobile app is
intended for use in performing a medical device function (i.e. for diagnosis of
disease or other conditions, or the cure, mitigation, treatment, or prevention
of disease) it is a medical device, regardless of the platform on which it is
run.”
The FDA will regulate
apps that are intended to be used as an accessory to a regulated medical
device, that transform a mobile platform into a regulated medical device, and
that perform patient-specific analysis and provide diagnosis or treatment
recommendations. Some examples of common
apps that fit into these regulated categories include those that facilitate diagnosis
from a display of patient-specific data, control medical devices, convert a
smartphone into an electrocardiography machine, collect motion information to
monitor sleep apnea, and plan radiation therapy treatment. The FDA will not regulate apps that allow
patients to track their health information or provide them with information
related to medical conditions. On the
health care provider side, the FDA will not regulate apps that merely automate
simple tasks or enable access to health record systems.
Regulated apps must conform to the regulatory requirements
for medical devices. The guidance cites the
respective requirements
for establishment registration and medical device listing, investigational
device exemptions, labeling, premarket submission for approval or clearance,
quality system regulation, medical device reporting (or adverse event
reporting), and correcting problems. The
FDA has also issued guidance on cybersecurity for mobile medical apps that fall within its definition of
“medical device.”
The relief this guidance provided to companies who produce apps
that do not fall within the FDA’s definition of “medical device” may be
premature. Though the FDA has chosen not
to regulate this class of mobile apps, the Federal Trade Commission will pay
special attention to the privacy and cybersecurity
concerns they present. These
cybersecurity concerns arise when apps collect large amounts of data and share
it with third parties, allowing them to infer the private health status of app users. This privacy risk is especially concerning
for apps not regulated by the FDA or covered by the federal Health Insurance
Portability and Accountability Act. These risks, and the exposure to
liability that accompanies them, may be reduced through
education, awareness, and risk-mitigation strategies at the technical level of
the data collection occurring in such mobile apps.
Leah Sibbio is a student at the University of Chicago School of Law. Leah
completed her undergraduate degree at the University of Pittsburgh in
economics.