FDA Issues Final Guidance on Mobile Medical Apps: “De-Regulatory” Move Helps Clarify Certain Key Questions, But Leaves Others Open

On September 25, 2013, the Food and Drug Administration (FDA) issued its long-awaited final guidance on health-related software applications intended for use on mobile devices. Under the guidance, FDA will regulate only those mobile apps that both meet the definition of a medical device and could pose a risk to patient safety if they fail to function as intended. FDA can now be expected to focus its resources on promoting and enforcing regulatory compliance for the subset of mobile medical apps it intends to regulate.

Importantly, the guidance does not address other significant questions such as how FDA intends to regulate clinical decision-making support tools and electronic health records. Under the FDA Safety and Innovation Act (FDASIA), the FDA, in consultation with the National Coordinator for Health Information Technology and the Federal Communications Commission, is required to publish a report by January 2014, describing a risk-based regulatory framework for health IT. Topics not covered by the current guidance may be addressed in this upcoming report.

Mobile Medical Apps Subject to FDA Regulatory Oversight

Under the final guidance, a mobile app is a software application that can be run on a mobile platform, such as a smart phone, tablet, or other portable computer, or a web-based software application tailored to a mobile platform. A mobile medical app is a mobile app that meets the definition of a device in the Federal Food, Drug, and Cosmetic Act and is intended to be an accessory to a regulated medical device or to transform a mobile platform into a regulated medical device. The final guidance groups mobile medical apps into three primary categories:

• Apps that are extensions of other medical devices by connecting to such devices for the purpose of controlling the devices or displaying, storing, analyzing, or transmitting patient-specific medical device data. Mobile apps that control a medical device, such as apps that control inflation of a blood pressure cuff or delivery of insulin through a pump, are subject to the device requirements applicable to the device being controlled. Mobile apps that display, store, analyze, or transmit patient-specific medical device data, such as a remote display of EEG data or radiological images from a Picture Archiving and Communications (PACS) server, or perform similar display functions meeting the definition of a medical device data system (MDDS), are subject to regulations associated with such devices.
• Apps that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. Apps that use the mobile platform to perform device functions, for example by attaching a blood glucose strip reader to the platform, using a built-in accelerometer to monitor sleep apnea, or displaying radiological images for diagnostic purposes, will transform the mobile platform into a regulated device. Such devices will be required to comply with the device classification associated with the transformed platform.
• Apps that become regulated medical devices by performing patient-specific analyses and providing patient-specific diagnoses or treatment recommendations. This category includes apps that perform “sophisticated analysis” of patient-specific data or “interpret data” from another medical device, such as dosage calculators for radiation therapy, Computer Aided Detection (CAD) software, and image processing software. FDA states that these apps are similar to software devices that have been previously cleared or approved for non-mobile platforms, but does not attempt to address how all such apps will be regulated. Instead, FDA encourages manufacturers of mobile medical apps that perform patient-specific analyses to contact FDA to discuss what, if any, regulatory requirements may apply to their devices. This category of mobile medical app is likely to present the greatest challenges in determining whether a given mobile app is to be regulated by FDA and, if so, in what manner.

Mobile Apps That FDA Will Not Regulate

Unlike the draft guidance on mobile medical apps issued in 2011, the final guidance contains an in-depth discussion of apps that will not be the focus of FDA’s regulatory oversight, either because they are not medical devices or because FDA intends to exercise enforcement discretion with respect to that type of app. In appendices to the final guidance, FDA provides examples intended to help industry understand whether a particular mobile app is regulated by FDA.

Mobile apps that FDA does not consider to be medical devices include:

• Electronic medical dictionaries, textbooks, and other reference materials;
• Educational tools used by health care providers for medical training;
• Patient education and awareness tools;
• Apps that automate general office operations in a health care setting; and
• General purpose apps, such as a magnifying glass app or audio recording app not specifically intended for medical purposes.

Mobile apps that may be medical devices, but for which FDA intends to exercise enforcement discretion include:

• Apps that provide supplemental clinical care through coaching or prompting to help patients manage their health in their daily environment. Examples include medication reminder apps intended to improve adherence, even though medication reminders have traditionally been regulated as Class I devices;
• Apps that provide patients with simple tools to organize and track health information;
• Apps that provide easy access to information related to patients’ health conditions or treatments, such as drug-drug interaction search tools;
• Apps marketed to help patients document or communicate to providers potential medical conditions, such as videoconferencing portals specifically for medical use;
• Apps that perform simple calculations routinely used in clinical practice, such as body mass index; and
• Apps that enable users to interact with personal health record or electronic health record systems.

Implications for FDA and Mobile App Developers

In the past, FDA has been criticized for imposing new, burdensome regulatory requirements for health-related software under the guise of a purportedly “de-regulatory” action. This was the case with FDA’s MDDS regulation published in 2011, which FDA characterized as down-classifying such devices from Class III to Class I, when most developers of such systems had long understood that they were not subject to FDA regulation at all. In the mobile medical app guidance, by contrast, FDA has taken steps that are more clearly de-regulatory by stating explicitly that it does not intend to regulate mobile apps to the full extent of its statutory authority and by giving specific examples of apps that the agency will not regulate.

For apps that will be regulated, FDA provides guidance on which of several potentially involved parties will be responsible for complying with FDA regulations. For example, the guidance confirms that manufacturers of mobile platforms that are not marketed for use as medical devices, entities that distribute but do not design or manufacture mobile medical apps (e.g., the iTunes App store or the Android market), and software developers who provide design and development services to software authors are not “manufacturers” subject to direct FDA regulation. The guidance also suggests that the parties can define the responsible entities by contract, at least in certain circumstances.

Now that the guidance is final, FDA is likely to increase its focus on promoting and enforcing compliance by mobile medical app manufacturers. Software developers are now on clear notice that, for certain types of software, they must comply with applicable requirements, such as premarket notification or approval, establishment registration and device listing, labeling requirements, medical device reporting, correction and removal reporting, and the Quality System Regulation (QSR). Even prior to issuance of the final guidance, FDA had taken regulatory action consistent with the principles in the guidance, as Ropes & Gray previously reported. Mobile app manufacturers should carefully review the final guidance, as well as FDA’s webpage on mobile medical applications, to determine how FDA intends to regulate their mobile apps and take the necessary steps to ensure that they are in compliance with applicable requirements.

Mobile app manufacturers may also be interested in FDA’s statement that it “strongly recommends” that they follow the QSR when developing any health-related mobile apps, even those for which FDA will exercise enforcement discretion. Although FDA’s statement is arguably gratuitous, plaintiffs in products liability actions might seek to seize on this statement to argue that a software manufacturer’s quality systems were inadequate, leading to device failures resulting in injuries. Mobile app manufacturers should therefore carefully consider the quality assurance and quality control processes, systems, and documentation that they will employ when developing software that can affect patient or consumer health but is not FDA-regulated.

If you would like to discuss the foregoing or any other related matter, please contact any member of Ropes & Gray’s FDA Regulatory team or your usual Ropes & Gray advisor.