Here's a quick summary of the FDA CDRH's Mobile Medical Apps guidance (edited by amazing mHIMSS Mobile Policy and Regulatory Implications Group members: Daisy Wong, Rebecca Kennis, Wendelyn Bradley, Michael Kuriland, and Lee Kim). While I've copy/pasted an early version here, the official HIMSS version is found here. Remember, don't take this as the word of the FDA; it was just us looking at what they said and making some educated analyses.
Guidance Bottom Line:
The FDA will exercise regulatory authority over mobile medical applications intended to perform a medical device function, regardless of the hardware or platform involved. The regulatory requirements manufacturers must meet are determined by the intended use of the mobile medical app.
Who is Responsible:
This guidance is targeted at manufacturers and distributors of mobile medical apps.
- “Manufacturer” encompasses any person or entity that manufactures mobile medical apps in accordance with 21 CFR Parts 803, 806, and 807.
  - Includes: Anyone who initiates specifications, designs, labels, or creates a software system or application in whole or from multiple software components. This may include health systems, insurance companies, private software vendors, Health IT startups, physicians, nurses, etc.
  - Does not include: Developers who strictly operationalize a manufacturer’s design. These people are likely technology programmers who are hired to make someone else’s application work.
- “Distributor” refers to entities that exclusively distribute mobile medical apps. Distributors are expected to work with manufacturers in correcting/removing products, but are not responsible for seeking FDA approval. Common distributors include the iTunes store, Android marketplace, and Blackberry app world.
What is, Might be, and isn’t Regulated:
Below is a detailed description of what is, might be, and isn’t regulated by the FDA. Regardless of regulatory oversight, manufacturers are encouraged to follow the Quality Systems regulations to prevent harm in the development of all mobile apps.
What is Regulated - Mobile Medical Applications:
A “mobile medical application” or “mobile medical app” is a mobile app that meets the definition of "device" in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act); and its intended use is:
- As an accessory to a regulated medical device; or
- To transform a mobile platform into a regulated medical device
- Displaying, Storing, or Transmitting: If a mobile medical app allows for the display, storage, or transmission of patient-specific information, such as personal health information (PHI), in its original format, it is a medical device. This category of mobile medical apps is primarily used as secondary displays (and not for primary diagnosis/treatment decisions) and will be subject only to Class I requirements. For example, a PACS Viewer (like Centricity® Radiology Mobile Access 2.0 software[i]) or mobile ECG viewer (like Airstrip™ RPM Cardiology[ii] device) would be regulated under this criterion.
- Controlling connected medical devices: If a mobile medical app allows for the control of another medical device, it must adhere to the regulations applicable to the connected device. These mobile medical apps can control the use, function, modes, or energy source of a regulated medical device. Examples include an app that controls a blood pressure cuff (like the Withings®[iii] blood pressure monitor) or a portable ultrasound app (such as the Mobisante software[iv]).
- Mobile platform transformation: If a mobile medical app transforms a mobile platform into a regulated medical device, it is regulated under the class applicable to its intended use. An example is a mobile medical app that utilizes a phone’s accelerometer to collect data on Parkinson’s disease, such as the iTrem software.[v]
- Interpretation of Medical Device Data: If a mobile medical app is intended to analyze or interpret data from a medical device for the purposes of creating alarms, recommendations, or information, it is considered an accessory to the first medical device and regulated under the first medical device’s class. This would include patient monitoring apps such as the LifeWatch™ cardiac monitoring system.[vi]
What might be Regulated:
The FDA will exercise regulatory discretion regarding mobile apps that meet the FD&C Act’s device definition but are not an accessory to a regulated device or intended to transform a mobile platform into a regulated device. Manufacturers may proactively register, list, and seek approval/clearance for mobile apps that might meet the criteria for being mobile medical apps.
Applications that might fall under regulatory oversight include:
- Applications that remind people to manually input information for logging/tracking/graphing, such as the LogFrog DB Diabetes tracking application that reminds users to test their blood and log A1C results.[vii]
- Patient education data viewers, such as the ActiveMD™ Patient education marketing.[viii]
- Organization of personal health information, such as dosages, calories, doctor appointments, lab results, and symptoms. This might include something like iLog Lyme, an application that allows users to log the symptoms of Lyme disease and their medication dosages.[ix]
- Over-the-counter medication lookup applications that provide the information available on drug labels, such as the MEDIlyzer™ application.[x]
What isn’t Regulated:
Non-covered apps include: Electronic versions of reference materials that do not contain patient-specific information; health/wellness applications that do not intend to cure, treat, or diagnose; automated billing, inventory, appointment, or insurance transactions; generic aids (audio recording, note taking, etc.); mobile EHRs or PHRs.
If the mobile medical app falls within a specific medical device classification or augments functionality to a specific medical device classification, manufacturers are immediately required to meet the requirements of that classification (either I, II, or III).
According to the Draft Guidance, these requirements include:
- Class I devices: General Controls
  - Establishment registration, and Medical Device listing (21 CFR Part 807);
  - Quality System (QS) regulation (21 CFR Part 820);
  - Labeling requirements (21 CFR Part 801);
  - Medical Device Reporting (21 CFR Part 803);
  - Premarket notification (21 CFR Part 807);
  - Reporting Corrections and Removals (21 CFR Part 806); and
  - Investigational Device Exemption (IDE) requirements for clinical studies of investigational devices (21 CFR Part 812).
- Class II devices: General Controls, Special Controls, and (for most Class II devices) Premarket Notification.
- Class III devices: General Controls and Premarket Approval (21 CFR Part 814).
Section Author: Daisy Wong
To meet the regulatory requirements described above, developers of mobile apps should be mindful that preparing, filing, and waiting for FDA approval will take time and may cost a significant amount of money. The amount and types of resources needed and the duration of the approval process depend on the app/device classification per the descriptions in the previous section. In addition, developers should also budget for the maintenance of the certification once approval is obtained.
This guidance provides the “current thinking” of the FDA and is iterative. Indeed, the FDA will monitor mobile apps not covered by this guidance to determine if additional/different guidances are necessary to protect public health. This guidance does not consider wireless safety considerations, clinical decision support software, quality systems software, or mobile medical apps intended to analyze, process, or interpret medical device data from more than one medical device. Separate guidances are forthcoming.
- Mobile Platform: handheld commercial off-the-shelf (COTS) computing platforms, with or without wireless connectivity. Examples: smartphones, tablet computers, personal digital assistants, etc.
- Mobile Application (Mobile App): software applications that can be executed on a mobile platform; native and web-based.
- Regulated Medical Device: a product that meets the definition of "device" in section 201(h) of the FD&C Act and that has been classified or otherwise approved or cleared by the FDA. Regulated medical devices usually profess an ability to diagnose, cure, mitigate, treat, or prevent disease, or are intended to affect the structure or any function of the body of man.
- General Controls: include requirements regarding good manufacturing practice, labeling, registering all establishments with the FDA, listing all devices to be marketed and submitting a premarket notification [510(k)] before marketing a device.
- Special Controls: may include special labeling requirements, mandatory performance standards and postmarket surveillance.
- Premarket Approval: Premarket approval (PMA) is the FDA process of scientific and regulatory review to evaluate the safety and effectiveness of Class III medical devices.
This summary is based upon the FDA’s Mobile Medical Apps site.
[i] http://www.hospitalemrandehr.com/2011/12/02/centricity-gets-fda-510k-clearance-for-mobile-radiology-app/. Centricity is a registered trademark of General Electric Company.
[ii] http://www.massdevice.com/blogs/massdevice/weekly-wireless-roundup-airstrip-iphone-app-lands-fda-clearance-remote-patient-moni. Airstrip is a trademark of AirStrip Technologies.
[iii] http://mobihealthnews.com/11275/fda-clears-withings-iphone-blood-pressure-cuff/. Withings is a trademark or a registered trademark of Withings SAS France.
[v] Has yet to go for or receive FDA clearance. http://www.gtri.gatech.edu/casestudy/iphone-app-may-support-monitoring-and-research-par
[viii] http://www.activemd.net/design-develop/patient-education-programs.php. ActiveMD is a trademark of ActiveMD Patient Education.