Regulatory Explainer: Why and How is FDA Regulating Mobile Apps?
Regulatory Focus' ongoing series of Regulatory Explainers takes complicated regulatory topics and makes them simple enough for anyone to understand.
In our latest Regulatory Explainer, we are taking a look at how the US Food and Drug Administration (FDA) regulates mobile medical applications-better known to most as "mobile apps"-and why that's so controversial.
In Brief, What's This Issue About?
In the US, the Food and Drug Administration (FDA) regulates many products to ensure that they are safe and effective, including medical devices such as wheelchairs and pacemakers. However, the definition of "medical device" also includes software, and in recent years FDA has moved to regulate software found on mobile phones, what most people refer to as "mobile apps."
Critics have raised the point that strict regulation of medical mobile apps could stifle innovation in the sector, while others have pointed to spurious or faulty apps to make the point that regulation is sorely needed.
What's a Mobile App?
FDA defines a mobile app as "a software application that can be executed (run) on a mobile platform (i.e., a handheld commercial off-the-shelf computing platform, with or without wireless connectivity, or a web-based software application that is tailored to a mobile platform but is executed on a server."
These apps run on "mobile platforms," which FDA defines as "commercial off-the-shelf computing platforms, with or without wireless connectivity, that are handheld in nature," such as smartphones, tablet computers or other portable computing devices.
Mobile Apps Can be Medical Devices? What is a Medical Device, Anyway?
Under the Federal Food, Drug and Cosmetic Act (FD&C Act), the backbone of healthcare product regulation in the US, medical devices are defined as:
"An instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:
- recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
- intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
- intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."
Under 21 CFR 801.4, products which are labeled using claims reserved for devices may also be regulated as devices. For example, a flashlight is ordinarily not a medical device, but if it was labeled with claims that it its light could cure acne, it would be a medical device.
How Does that Relate to Mobile Apps?
Because many medical mobile applications are intended to be used "in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease," they are regulated as medical devices.
Let's use a few hypothetical examples to illustrate the point more clearly.
Imagine you download an app to your smartphone that allows you to take a photo of a patch of skin that contains what you fear might be a cancerous melanoma. The app, it claims, will run the photo of the suspected melanoma through an advanced algorithm to determine if it is likely a melanoma, or if it is just a mole. This would be regulated as a device, as it is intended to diagnose a condition (skin cancer).
Imagine another device, one which asks you to put on headphones. It then administers a series of high-pitched beeps, which then prompt you to press a button when you hear them. The intent of the device is to measure hearing loss. Again, this would be a medical device because its intent is to diagnose.
The above two examples of mobile medical apps are based on real devices and are admittedly useful in concept, and perhaps also in practice.
But now imagine a third device, one which purports to treat acne by emitting pulses of light from the phone. While it sounds enticing, many apps like these don't work, even as they claim to cure or treat a medical condition, making them medical devices under the FD&C Act.
Why Regulate Mobile Apps?
As FDA has explained, mobile medical apps can pose risks to public health.
"For example, interpretation of radiological images on a mobile device could be adversely affected by the smaller screen size, lower contrast ratio, and uncontrolled ambient light of the mobile platform," it wrote in 2013. To put it plainly: the attributes of a device can have a major impact on human health in both obvious and subtle ways.
In other cases, a mobile app which has not been sufficiently validated can lead consumers to undergo medical procedures they might otherwise avoid, or avoid medical procedures they might otherwise undergo.
For example, a false positive in the melanoma app we hypothesized earlier might result in a patient undergoing a needless biopsy. A false negative result might cause a patient to put off going to the doctor to check the suspected cancerous cells, delaying treatment.
And, as with nearly all medical products, charlatans and dangerous products exist on the market. FDA would prefer to protect consumers from these kinds of devices.
How Does FDA Regulate Mobile Apps?
FDA began regulating medical software as medical devices since 1989, but only began to specifically regulate mobile apps in 2011 under a draft guidance document entitled Mobile Medical Applications.
(Guidance documents establish FDA's official interpretation of its regulations, but are not legally binding. In this case, the guidance is an interpretation of when a mobile app meets the definition of "medical device.")
Under the approach, later finalized in a 2013 guidance document by the same name, FDA said it would regulate mobile apps according to risk. The approach is meant to recognize that there are a wide range of types of mobile medical apps.
For example, some apps only track calories consumed, steps taken or offer general health information (such as a health dictionary app which allows you to input symptoms, a la Web MD).
FDA said in a statement (and its guidance) that it intends to "focus its oversight on mobile medical apps" that:
"are intended to be used as an accessory to a regulated medical device - for example, an application that allows a health care professional to make a specific diagnosis by viewing a medical image from a picture archiving and communication system (PACS) on a smartphone or a mobile tablet."
"transform a mobile platform into a regulated medical device - for example, an application that turns a smartphone into an electrocardiography (ECG) machine to detect abnormal heart rhythms or determine if a patient is experiencing a heart attack."
"are an extension of one or more medical devices by connecting to such device(s) for purposes of controlling the device(s) or displaying, storing, analyzing, or transmitting patient-specific medical device data."
"This approach to overseeing mobile medical apps is consistent with our existing approach to overseeing medical device functionality of a product and the risks it poses to patients regardless of the shape, size or the platform," FDA wrote.
What Regulatory Requirements Will Apps Need to Meet if They Are Devices?
First, some background about how medical devices are regulated. In the US, medical devices are classified according to risk under three device classes.
- Class I: Generally low risk (think dental floss) and subject to minimal regulatory oversight. For most devices, as long as they meet FDA-set standards ("general controls") they are able to immediately be marketed.
- Class II: Moderate-risk devices subject to both general controls and "special controls" which are meant to recognize the special risks associated with a device. Some Class II devices are exempt from premarket requirements, but many are subject to premarket notification (the "510(k)" pathway) which requires FDA to review a device.
- Class III: The riskiest devices, these devices almost always must be approved by FDA before they are allowed on the market, and typically rely on evidence obtained through clinical testing (i.e. on humans) to prove that they are safe and effective.
Apps which meet the definition of "device" under the guidance will need to meet a range of regulatory requirements contingent upon their device classification (Class I-III).
Class I devices will need to meet all general controls, including:
- Establishment registration, and Medical Device listing (21 CFR Part 807)
- Quality System (QS) regulation (21 CFR Part 820)
- Labeling requirements (21 CFR Part 801)
- Medical Device Reporting (21 CFR Part 803)
- Premarket notification (21 CFR Part 807)
- Reporting Corrections and Removals (21 CFR Part 806)
- Investigational Device Exemption (IDE) requirements (i.e. clinical trial requirements) for clinical studies of investigational devices (21 CFR Part 812)
Class II devices will need to meet all those requirements, plus the "Special Controls" established for the type of device. Most Class II devices will also need to undergo FDA review through a premarket notification [510(k)] submission.
Class III devices will also need to meet all general controls, plus undergo the Premarket Approval (PMA) process under 21 CFR 814.
What Kinds of Apps Won't FDA be Regulating?
For all apps which don't fall under the above definition of "mobile medical application," FDA said it intends to exercise "enforcement discretion"-a policy under which it maintains that it could regulate the devices, but willfully chooses not to. That gives it the leeway to regulate more apps in the future if it determines that they are in fact dangerous.
FDA said in its guidance that it does not plan to regulate the following six types of apps:
- apps which help patients (i.e., users) self-manage their disease or conditions without providing specific treatment or treatment suggestions
- apps which provide patients with simple tools to organize and track their health information
- apps which provide easy access to information related to patients' health conditions or treatments
- apps which help patients document, show, or communicate potential medical conditions to health care providers
- apps which automate simple tasks for health care providers, such as calculating body mass index (BMI) or delivery date estimators
- apps which enable patients or providers to interact with Personal Health Record (PHR) or Electronic Health Record (EHR) systems
FDA's guidance provides extensive lists of what won't be regulated by the agency in Appendix A and B.
Who is a "Manufacturer" of an App?
FDA has explained that a "mobile medical app manufacturer" can include anyone who:
initiates specifications, designs, labels, or creates a software system or application for a regulated medical device in whole or from multiple software components.
It is not someone or an entity who "exclusively" distributes the apps, such as Google or Apple who respectively run two of the largest mobile app marketplaces in the world. It also isn't your Internet provider, a licensed practitioner who uses the app, or anyone developing an app for "research use only" (RUO).
What it does mean, however, is that developers, labelers, hackers (and by that, we mean modifiers) and hardware manufacturers of attachments would be regulated as manufacturers. (See pages 9-10)
Can FDA Regulate the Device a Mobile App Runs on, Such as a Smartphone?
Legally, it can, as the smartphone is a "component part" or "accessory" of the device (i.e. the mobile app). However, FDA has repeatedly and emphatically said that it does not plan to use or enforce this authority on general consumer smartphones.
In its 2013 mobile apps guidance, FDA explains:
"Under this guidance, FDA would NOT regulate the sale or general/conventional consumer use of smartphones or tablets. FDA's oversight applies to mobile apps performing medical devices functions, such as when a mobile medical app transforms a mobile platform into a medical device. However, as previously noted, we intend to apply this oversight authority only to those mobile apps whose functionality could pose a risk to a patient's safety if the mobile app were to not function as intended."
Legislators have also repeatedly pressed FDA on whether it should have the authority to regulate the platforms these medical apps run on.
What Have Legislators Had to Say?
Some legislators, and particularly Republicans, have been moderately opposed to FDA's regulation of mobile apps.
In February 2014, Republican legislators introduced the Preventing Regulatory Overreach to Enhance Care Technology (PROTECT) Act, which is intended to prohibit FDA from regulating many types of medical software, including mobile medical apps. That legislation followed the Sensible Oversight for Technology which Advances Regulatory Efficiency (SOFTWARE) Act of 2013, which would have instituted similar restrictions.
Other regulators, such as Rep. Mike Honda, have called on FDA to establish an "Office of Mobile Medical Applications" to better coordinate their regulatory expertise.
Who Else Has Weighed in on Mobile App Regulation?
In April 2014, a working group composed of FDA, the Federal Communications Commission (FCC) and the Office of the National Coordinator (ONC) issued a regulatory framework meant to guide the development and oversight of health information technologies.
The report calls on FDA to "provide greater clarity related to several aspects of medical device regulation involving health IT," including:
- the distinction between wellness and disease-related claims
- medical device accessories
- medical device clinical decision support software
- medical device software modules
- mobile medical apps
FDA is meeting in May 2014 to work on implementing the framework into its existing regulatory approach.
The working group also called for a new inter-agency working group known as the Health IT Safety Center (HITSC) to be created as a public-private entity.
The Federal Trade Commission (FTC) has also weighed in, opining in 2012 that developers of mobile applications, even if they don't fall under FDA, must still meet standards for the truth and accuracy of their claims ("competent and reliable evidence").
Have There Ever Been Problems With Mobile Apps?
Yes. In October 2011, Pfizer recalled its "Pocket.MD" app and sent a "Dear Doctor" letter to healthcare providers after the device was found to be incorrectly calculating a score used to assess rheumatology activity in patients.
This has been called the first-ever mobile app recall.
There have also been regulatory actions taken against numerous "charlatan" apps, such as ones to cure acne and treat tinnitus.
What are the Arguments Against Regulating Mobile Apps?
The basic argument advanced by critics is that FDA's current regulatory framework for medical devices is slow, expensive and onerous.
Apps, and especially those regulated as Class II or Class III medical devices, will need to submit either a 510(k) or a PMA to FDA. As of Fiscal Year 2014, the cost to submit those applications is as follows:
| FY 2014 Review Fees (U.S. Dollars) | ||
|---|---|---|
| Submission | Standard Fee | Small Business |
| Premarket Application (PMA, PDP, BLA, PMR)* | $258,502 | $64,630 |
| First premarket approval submission (PMA) from firms with gross receipts or sales ≤ $30 million | Fee is Waived | |
| 510(k) | $5,170 | $2,585 |
For many companies-and especially application developers, who may just be a small group of software developers working out of a rented garage-these fees can be prohibitive.
And that's just the cost of paying the fees. Complying with FDA regulations is itself expensive, and either requires extensive knowledge of the regulations on a first-hand basis or requires the company to hire an outside regulatory consultant.
The fear of some legislators and developers is that if the cost to develop a mobile app is too high or compliance too difficult, many app developers will choose instead to invest their time and energies innovating in other sectors of the economy. That, in turn, could subject consumers and patients to more expensive devices and fewer innovations over the long term.
There are also other vestigial questions, such as whether a new regulatory application would be required each and every time an app developed submitted a new update for a mobile app. Those applications, known as supplements, also have costs associated with them.
Other concerns, such as the time it takes for FDA to review 510(k) and PMA submissions (several months to more than a year) have also been raised.
Do Other Countries Regulate Software and Mobile Apps?
Yes, quite a few of them.
- In March 2014, the UK's Medicines and Healthcare products Regulatory Agency (MHRA) released a guidance on mobile apps and software.
- Australia's Therapeutic Goods Administration (TGA) released guidance on medical apps in September 2013.
- The EU is (as of April 2014) working on developing a new framework for regulating mobile apps consistently throughout the region.
- And the International Medical Devices Regulators Forum (IMDRF), an international device harmonization group consisting of most of the world's top device regulators, recently issued a draft framework on mobile apps and medical device software.
Where Can I Learn More About Mobile App Regulation?
- Guidance: Mobile Medical Applications
- Public Comments on FDA's Guidance
- FDA's Twitter Chat on the Mobile App Guidance
- The mHealth Regulatory Coalition Website
- FDA Webpage on Mobile Medical Apps
- Learn More at the 2014 RAPS Conference: Understanding the Challenges of Bringing a Mobile Medical App to the Market