On September 23, 2013, the U.S. Food and Drug Administration (FDA) released its long-awaited final guidance on how the agency plans to regulate mobile medical applications. While certain aspects of the guidance remain very similar to the 2011 draft, particularly the definitions of what is a "mobile application" and when it rises to the level of being a "mobile medical application" subject to overt FDA regulation, the guidance was a major improvement over the 2011 draft in many respects. Most significantly, the agency laid out fairly clear distinctions among mobile apps that FDA asserted:
For each of these three mobile app categories, FDA not only described specific types of functions that would place an app into one of the three categories, but also provided industry with numerous examples of specific devices that fit into each category, both in the narrative of the guidance and in several appendices. While guidance documents are not legally binding on FDA, they do represent the agency's best advice on how to comply with the law relative to the subject covered by the guidance. Thus, for industry, the guidance provides much greater certainty on whether products are subject to FDA's regulatory regime or can come to the market without overt interaction with the agency.
Mobile platform: "commercial off-the-shelf computing platforms, with or without wireless connectivity, that are handheld in nature." This includes smartphones and tablets, such as the iPhone and iPad.5
Mobile application: "a software application that can be executed on a mobile platform … or a web-based software application that is tailored to a mobile platform but is executed on a server." The latter part of the mobile app definition clarifies that the application does not have to be resident on the mobile platform to be subject to the guidance. The guidance thus covers apps solely in a web-browser running on a mobile platform.
Mobile medical application: a mobile application that meets the definition of a "device"6 under Section 201(h) of the Federal Food, Drug, and Cosmetic Act ("the Act") and is intended to either (a) be used as an accessory to a regulated medical device or (b) transform a mobile platform into a regulated medical device.
Two fundamental principles are underlying how FDA will regulate mobile apps emerge from the guidance.
First, FDA's oversight of mobile medical applications will focus on how the app functions, not the particular platform upon which it runs.
Second, FDA will aim its regulatory powers at those mobile medical apps that present a potential risk of safety to patients when the app functions incorrectly. In contrast, FDA will exercise enforcement discretion on mobile apps that, despite being legally medical devices, have a lower-risk profile in the event of a malfunction. However, where "lower risk" leaves off and a "risk of safety" begins is not clearly defined in the guidance.
The guidance also clarifies that FDA will not regulate the use or sale of smartphones or tablets simply because they provide a platform on which a mobile medical app could run, squelching a major concern by many in the app world.
The guidance articulates three categories of mobile medical applications that FDA will be regulating:
Example: a device with the ability to control a blood pressure cuff.
Example: attaching electrocardiograph (ECG) electrodes to a mobile platform to measure, store and display ECG signals.
Example: apps that use patient-specific parameters and calculate dosage or create a dosage plan for radiation therapy.
In addition to describing the characteristics that distinguish the three types of regulated mobile apps, FDA, in Appendix C to the guidance (pp. 26-29), provided a detailed list—broken down by the three types above—of mobile apps that the agency will regulate.
For mobile apps that are—or may be—medical devices, but do not fit within the three types of regulated apps detailed above, FDA will exercise enforcement discretion. As mentioned, while the extent of enforcement discretion is not revealed in the guidance, FDA states that these types of apps include those that are a "lower risk" of harm to patients in the event of a malfunction.8 Among the apps qualifying for enforcement discretion are those:
Example: apps that coach patients with conditions such as diabetes with simple prompts to promote strategies for actions that will help their health situation such as maintaining healthy weight, getting optimal nutrition, etc.
Example: apps the provide simple tools for patients with specific conditions or chronic disease to log, track, or trend their events or measurements (e.g., blood pressure, drug intake, diet) and share this information with their healthcare provider (HCP) as part of a disease management plan.
Example: apps that use a patient's diagnosis to provide an HCP with best practice treatment guidelines for common illnesses.
Example: apps that serve as videoconferencing portals specifically intended for medical use and to enhance communications between patients and HCPs.
Example: a medical calculator for body mass index (BMI).
Example: an app that allows a patient a portal into their own health information.
Additional examples of mobile apps that are or may be devices, yet will receive enforcement discretion, are listed in Appendix B to the guidance. Of particular note for many of today's popular apps—and related devices—such as the FitBit® and Nike+®, FDA clarified in Footnote 32, in Appendix B, that those apps used for individuals to log, record, track, evaluate, or make decisions or behavioral suggestions relating to developing or maintaining general fitness, health or wellness—such as apps that log dietary intake, track normal sleep patterns, or calculate calories burned during exercise—are not medical devices unless they are marketed in a manner that meets the definition of a medical device.
A key feature of the guidance was the agency's description of those entities involved in the app business that would be regarded as a "manufacturer" under FDA's medical device regulatory regime,10 which is a designation that carries greater regulatory burdens than terms such as distributor or importer.11 While the guidance provides several examples discussed below—of when a mobile app player may, or may not, be regarded as a manufacturer—those involved in app development should read both the guidance and applicable FDA regulations with care to determine whether they meet the definition of a manufacturer relative to their role in bringing a mobile medical app to the market.
In construing whether a particular player in the app community is a manufacturer, FDA primarily focused on the creators of the original app concept or those players that assumed both manufacturing and distributions responsibilities, articulating that persons who do any of the following may be regarded as a manufacturer:
The guidance describes these types of actors in the app world as outside the "manufacturer" definition:
For those mobile medical apps that the FDA intends to regulate, the agency will expect the mobile app maker to satisfy all of the statutory or regulatory requirements applicable to the specific device classification governing the app. A brief description of those basic regulatory requirements appears in Appendix E of the guidance.
FDA included, as Appendix E to the guidance, answers to a number of common questions that the agency anticipated would be raised about its regulation of mobile apps. While not in the guidance itself, FDA separately announced in conjunction with issuing the guidance that future updates to the agency's positions on mobile app regulation will be posted to the FDA website.
Acknowledgement: Our thanks to Garrett Lambur, Legal Extern, and 3rd Year Law Student at Drexel University's Earle Mack School of Law for his extensive contribution to the preparation of this summary.