EU and US regulation of health information technology, software and mobile apps | Practical Law

The emergence of integrated health information systems, mobile apps and software-based medical devices presents significant opportunities in managing healthcare costs and achieving better outcomes. This article analyses the developing EU and US approaches to health information technology (health IT) and mobile medical applications (MMAs), and the emerging rules and compliance issues for companies developing and marketing these products.

EU and US regulation of health information technology, software and mobile apps

Practical Law UK Articles 3-518-3154 (Approx. 19 pages)

Law stated as at 01 Aug 2014. Jurisdictions: European Union, USA (National/Federal).
This article is part of the multi-jurisdictional guide to life sciences. For a full list of jurisdictional Q&As visit
The emergence of integrated health information systems, mobile apps and software-based medical devices presents significant opportunities in managing healthcare costs and achieving better outcomes. However, such innovation inevitably gives rise to new legal, regulatory and commercial challenges. This article analyses the developing EU and US approaches to health information technology (health IT) and mobile medical applications (MMAs), and the emerging rules and compliance issues for companies developing and marketing these products. In particular, it examines:
  • Technological developments in health information and delivery systems.
  • The EU approach to regulation.
  • The US approach to regulation.
  • Significant US FDA regulatory developments.

Technological developments in health information and delivery systems

Consumers and healthcare providers are demanding more flexibility, interactivity and portability in health delivery systems, records management and treatment. Insurers and government entities that manage healthcare costs and payments are demanding greater efficiency and cost-savings and greater focus on preventive care. Many different companies are responding to these demands by developing integrated, software-based applications to optimise traditional medical devices. Medical device manufacturers, for example, are developing wireless-enabled medical devices and mobile apps that allow healthcare providers to access and evaluate patient vital signs and other information through remote monitoring or cloud-based data-sharing systems. The telecommunications industry, software developers and Internet Service Providers (ISPs) are also providing wireless solutions, technical support and healthcare solutions to healthcare providers, consumers and health systems.

EU approach to regulation

Background to EU policy on e-health and m-health

The European legislature and decision-makers now recognise that EU health systems are under mounting pressure to respond to the challenges of an ageing population, citizens' rising expectations, and the migration and mobility of patients and health professionals. New technologies have the potential to revolutionise healthcare and health delivery systems and to contribute to their future sustainability.
Enabling technologies are important for improving care, preventing illness and delivering treatment in a timely way, particularly:
  • E-health (that is, using information and communication technologies (ICT) for the provision of health-related services).
  • M-health (that is, using mobile communication systems for the provision of health-related services).
  • Genomics (that is, use of the genetic blueprint to identify a patient's response to treatment or susceptibility to a clinical condition or disease; such information may be presented in an electronic format as a "gene chip").
These essentially shift the current paradigm from treating the underlying condition or illness towards prevention and primary care, to achieve and maintain wellness. E-health and m-health can assist in providing better citizen-centred care, as well as lowering costs and supporting interoperability across national boundaries, facilitating patient mobility and safety. There is a general consensus among policy makers and industry that new technologies must be evaluated properly, including for cost-effectiveness and equity, and that the implications for health professionals' training and capacity must be considered.
The impact of information technology (IT) on cross-border healthcare provision was recognised by the European Commission (Commission) in its policy paper published in 2007, which identified ICT and allied enabling technologies as particularly important in tackling new healthcare challenges in the coming decades. The Commission identifies three key challenges:
  • Demographic changes, including an increase in the ageing population, that will have an impact on disease patterns and put downward pressure on the sustainability of EU health systems (highlighted in a World Health Organisation (WHO) independent assessment).
  • Emerging health threats, including new communicable disease patterns resulting from climate change, which require proper co-ordination, preparation and timely response at a global level. Such an effort will enhance the capacities and capabilities of the EU and of countries outside the EU, and ensure consistency in regulatory and policy decision-making.
  • An evolution in healthcare systems partly as a result of the rapid development of new technologies that are revolutionising the way health is promoted and illnesses are predicted, prevented and treated.
Similarly, the European Medicines Agency (EMA) in its Road Map to 2015 on contributions to science, medicines and health also recognises the impact of new technologies, including e-health, on existing healthcare systems.
The Council of Ministers also recognised (in its assessment on innovation in the medical device sector published in 2011) the need to consider the interoperability and safety issues related to the integration of medical devices in e-health systems, especially personal health systems, and m-health systems. However, the deployment of information and communication technology systems is entirely a matter of national competence. Certain industry interest groups and initiatives have been established that advocate the need for clarity and certainty on the regulatory standard, to ensure timely market access for new emerging IT technologies related to e-health and m-health. Such parties include the industry group European Industry Association for Radiological, Electromedical and Healthcare-IT industry (COCIR), which represents many key industry players such as the European Health Telematics Association, European Institute for Health Records and Integrating the Healthcare Enterprise.
It is generally agreed that the e-commerce revolution will have an important enabling role in e-health and m-health, ensuring high quality, safe and efficient cross-border healthcare provision within the EU and beyond. In its communication relating to telemedicine (providing healthcare services at a distance), the Commission indicates that e-health can help improve the lives of EU citizens, both patients and health professionals. However, as the Commission has put it, integrating services such as teleradiology (that is, transmission of radiological patient images, such as x-rays, CTs and MRIs, from one location to another) and teleconsultation (that is, consultations where the healthcare provider and the patient are not at the same location) into healthcare systems is a challenging task. The main issues concern:
  • Building confidence in and acceptance of telemedicine services.
  • Bringing legal clarity particularly in relation to the relevant regulatory regime.
  • Solving technical issues and facilitating market development.
Certain medical device manufacturers have applied for the European Conformity mark (CE-mark) to be affixed to their patient care network or mobile software, including the apps designed to facilitate transmission of patient records for diagnosis and determination of the choice of treatment modalities, as well as outcome measurements.

Regulation of medical devices

In the EU, medical devices, low voltage equipment, machinery and radio and telecommunications terminal equipment are regulated under the New Approach (NA) directives, which are defined as directives that provide for the affixing of a CE-mark.
NA directives are based on Council Resolution 85/C 136/01 of 1985 on a new approach to technical harmonisation and standards, which sets out a new regulatory approach based on the following agreed guiding principles:
  • Legislative harmonisation is limited to products placed on the EU market that meet the essential requirements and benefit from free movement within the EU.
  • Technical specification for assessing conformity with the essential requirements is set out in harmonised standards.
  • Application of harmonised or other standards remains voluntary and the manufacturer can apply other technical specifications to meet the requirements.
  • Products manufactured in compliance with harmonised standards benefit from a presumption of conformity with the corresponding essential requirements.
The NA requires standards to offer a guaranteed level of protection for the essential requirements established by the directives, and the national authorities to carry out their responsibilities to protect safety or other interests covered by the directives. Under the NA directives, a safeguard clause procedure is necessary to allow for contesting a product's compliance, or failures or shortcomings of harmonised standards.
The procedure for conformity assessment is risk-based, taking into account the classification of the medical device, the intended clinical mode of use, and the nature and characteristics of the device. In the EU, medical devices fall into the following four distinct classes according to the risk assessment and characterisation:
  • Class I.
  • Class IIa.
  • Class IIb.
  • Class III.
The test for establishing essential requirements seeks to ensure that the device is designed and manufactured in such a way that, when used under the conditions and for the purposes intended, it does not compromise the clinical condition or safety of patients or users. Any risks associated with its intended use should be acceptable risks when weighed against the benefits to the patient. The benefit/risk assessment should be compatible with the overarching objective of achieving a high level of protection of health and safety.
Under the current rules, devices that incorporate software, or that are medical software in themselves, must be validated according to the state of the art, taking into account the principles of the development lifecycle, risk management, validation and verification.
Under EU rules, standalone software can be considered an active medical device, that is, any device whose operation depends on a source of electrical energy or any source of power other than that directly generated by the human body or gravity, and which acts by converting this energy. Medical devices intended to transmit energy, substances or other elements between an active medical device and the patient, without any significant change, are not considered to be active medical devices.
As indicated in the amendment to Directive 93/42/EEC concerning medical devices (Medical Devices Directive) adopted in 2007, the European legislature has contemplated that a medical device may include software either as a standalone device or in combination with another device for a medical purpose.
A medical device is now defined in the revised Medical Devices Directive to mean any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, together with any accessories, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for a medical purpose, provided that the principal intended action is not mediated through a biological process.
An assessment of a medical purpose is usually based on the declared claims made by the manufacturer on the label, instructions for use and the promotional material consistent with the overarching purpose of the Medical Devices Directive to ensure a high level of protection of patients and consumers.
The Commission's established position distinguishes between two types of software:
  • Software influencing the proper functioning of a device.
  • Software used in combination with non-medical equipment.
Software related to the functioning of a medical device can be regulated as a standalone medical device or as an accessory to the medical device under the Medical Devices Directive. Software used with non-medical equipment is not considered a medical device. The key test is whether the software provides for a proper diagnostic or therapeutic purpose.
If the definition of a medical device, which is sufficiently broad and all-encompassing, were to be given its purposive meaning according to established European jurisprudence, equipment, appliances or apparatus involved in e-health or m-health could be regulated as medical devices. This classification in itself may be somewhat artificial, given that mobile software, equipment and appliances similar to medical devices are regulated under the NA directives. The NA seeks to address all hazards or risks related to the public interest that the directive intends to protect, such as protection of consumers, patients or users. According to the Commission, regulatory compliance with the essential requirements can often require simultaneous application of more than one NA directive, and possibly of other EU legal instruments.
In its public consultation document concerning the recast (that is, codification or consolidation) of the Medical Devices Directive, the Commission asked whether the current approach to assessing essential requirements is sufficiently robust to innovative technologies and practices, including those that are based on nanotechnology, genetic testing and advancements in IT, which may be involved in the development of e-health or m-health across the EU. The consultation document also asked whether appropriate adaptation or reinforcement of the established principles underpinning essential requirements is required in the recast of the Medical Devices Directive.
In 2012, the Commission adopted guidance to confirm the position that standalone software having a medical purpose would be regulated as a medical device. If the standalone software does not meet the definition of a medical device or of an in vitro diagnostic medical device but is intended by the manufacturer to be an accessory to a medical device or an in vitro diagnostic device, then the software would be regulated respectively under the Medical Devices Directive or Directive 98/79/EC on in vitro diagnostic medical devices.

Standard for conformity assessment of medical software

Under the NA regulatory framework, a medical device is presumed to conform with the essential requirements if it meets the appropriate harmonised standard. It has been considered that, until the amendment of the Medical Devices Directive, safety regulation of medical device software was, at least formally, not sufficiently rigorous, to the extent that medical software was not legislatively classified as falling within the scope of the Medical Devices Directive.
The international standard EN/IEC 62304 has now emerged as a global benchmark for evaluating software development. This standard can sit side by side with the following standards to evaluate the design, management and safety of medical software:
  • EN/ISO 13485 (quality management systems).
  • EN/ISO 14971 (application of risk management).
  • IEC 60601-1 (medical electrical equipment safety).
  • IEC 61010-1 (electrical equipment safety requirements).
  • IEC 60601-2 (medical electrical equipment particular requirements).
The EN/IEC 62304 standard expects a manufacturer to assign a safety class to the software system. The classification is based on the potential for a hazard that could result in injury to the user, the patient or other people, and comprises:
  • Class A (no injury or damage to health is possible).
  • Class B (non-serious injury is possible).
  • Class C (death or serious injury is possible).
Similar to the EU device vigilance guidance, serious injury means injury or illness that directly or indirectly is any of the following:
  • Life threatening.
  • Results in permanent impairment of a body function or permanent damage to a body structure.
  • Necessitates medical or surgical intervention to prevent permanent impairment of a body function or permanent damage to a body structure.
In its 2012 guidance, the Commission clarifies the classification of standalone software and accordingly the conformity procedure that ought to be followed. For example, standalone software that meets the definition of a medical device is considered as an active medical device. This means rules 9, 10, 11 and 12 of Annex IX to the Medical Devices Directive may apply. Clause 2.3 of the implementing rules in Annex IX provides that software which drives a medical device or influences the use of a device falls automatically into the same class as the device it drives. As regards software intended for diagnosis or therapy, according to rule 10 of Annex IX to the Medical Devices Directive, active devices intended for diagnosis are in Class IIa if they are intended to image in vivo distribution of radiopharmaceuticals.
As regards software that is designed to generate alarms based on the monitoring and analysis of patient specific physiological parameters such as telemedicine systems, the communication system modules might be used with other modules that might be qualified as medical devices. Similarly, where software is intended to capture and analyse results generated by one or more in vitro diagnostic devices, the software is considered as an in vitro diagnostic device. This includes, for example, software that integrates genotype of multiple genes to predict risk of developing a disease or medical condition.

Interplay with Electronic Commerce Directive and other EU legal instruments

It has been recognised that e-health or m-health in the field of telemedicine is both a health service and an information society service. Therefore, it falls under Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce in the Internal Market (Electronic Commerce Directive). This is also recognised in Directive 2011/24/EU on the application of patients' rights in cross-border healthcare (Cross-Border Healthcare Directive), which addresses patients' cross-border mobility including their ability to access services across borders. The Cross-Border Healthcare Directive requires the Commission to take measures to ensure the interoperability of means for the provision of e-health services including telemedicine.
The EU Court of Justice (ECJ) has ruled in various decisions that neither the special nature of health services nor the way in which they are organised or financed removed them from the regulatory control of the fundamental EU law principle of free movement. This includes the freedom of recipients of healthcare services established in one member state to seek and receive medical treatment from another member state, regardless of how the service is delivered (for example, by telemedicine).
EU law establishes a procedure that imposes an obligation on member states to notify the Commission and each other of all draft technical regulations concerning products and Information Society Services (ISS) including telemedicine before they are adopted and put into operation in national law.
The Electronic Commerce Directive defines rules for the provision of ISS both within and between member states. The Commission believes that the Electronic Commerce Directive applies also to telemedicine. For business-to-business telemedicine services, the country of origin principle applies, that is, the service offered by the business must comply with the related rules of establishment. In the case of business-to-consumer activities contractual obligations are exempted from the country of origin principle. While the definition of medical activities is a matter for the member states, as a general principle, the classification of specific telemedicine services should ensure that these meet the same level of requirements as equivalent non-telemedicine services. That is to say teleradiology should not be less rigorous than radiology. This principle ensures that adequately regulated health services are not replaced by less regulated telemedicine services, and it avoids discrimination between providers of the same service that would be incompatible with the Electronic Commerce Directive.
The interplay of the Medical Devices Directive and the Electronic Commerce Directive has recently been the subject of an ECJ decision (Case C-108/09 Ker-Optika bt v ÀNTSZ Dél-dunántúli Regionális Intézete) (Ker-Optika) (see box, The Ker-Optika case). It has been argued that this decision supports the proposition that appliances or equipment intended for e-health or m-health would be subject to regulatory supervision under the Medical Devices Directive. However, this decision gives some clarity on the demarcation between the Medical Devices Directive and the Electronic Commerce Directive, and the scope of the respective regulatory regimes, particularly in the area of internet sale and supply of a medical device.
In addition, an assessment of the extent of impact of the regulation relating to the spectrum and radiofrequency use on devices intended for e-health and m-health is required. Currently, regulatory supervision generally falls within national competence.
In April 2014, the European Commission launched its long-awaited m-health consultation and suggested that policy action could be forthcoming as early as 2015. The Commission solicits views on how best to use mobile devices such as mobile phones, tablets, patient monitoring devices and other wireless devices to improve health and wellbeing. In that regard, to realise the potential of m-health (which has the potential to save EUR 99 billion in healthcare costs in the EU), the safety and usage of data, and whether apps are medical devices, will need to be addressed. As regards classification, certain m-health apps have now been classified as medical devices. In parallel, the Commission has published Action 77, which aims at harmonisation of EU-wide standards, interoperability testing and certification of e-health systems by 2015.

US approach to regulation

Background to US policy on e-health and m-health

In the US, many of these technologies are regulated by the Food and Drug Administration (FDA) as medical devices, if they are intended for use in the treatment, diagnosis or prevention of disease. For example, the FDA has recently cleared:
  • A mobile app that allows physicians to view patient MRIs on a smart phone.
  • A commercial ultrasound system that allows users to acquire and view foetal images on a smartphone.
  • Various products that allow patients and physicians to review blood glucose meter readings and other health information through software or cloud-based data management systems.
The FDA, along with other key regulators, is responding to these emerging technologies by re-examining traditional regulatory approaches to medical devices and wireless communications.
The Federal Communications Commission (FCC) also has jurisdiction over various media and communication technologies. FCC, among other things:
  • Regulates interstate and international communications by radio, television, wire, satellite and cable.
  • Oversees the authorisation of equipment using the radio frequency spectrum.
  • Governs the interference potential of equipment which emits radio frequency energy.
In the mobile health and health IT sector, the FCC regulates the allocation of frequencies and the specification of technical requirements to ensure the security and reliability of wireline, broadband and wireless communication devices. Because of their shared jurisdiction over health IT, the FDA and the FCC have announced efforts to develop a co-ordinated regulatory approach for wireless-enabled medical devices, mobile apps and other health IT. The FDA and the FCC have signed a memorandum of understanding, in which they agree to, among other things, exchange information on device marketing authorisations and consult on the development of standards for mobile devices and health IT.
The Office of the National Coordinator for Health Information Technology (ONC), which is an agency within the US Department of Health and Human Services (HHS), is responsible for co-ordinating the development and implementation of interoperable health information technology. The ONC is also charged with, among other things:
  • Developing regulations to adopt standards and certification criteria for health IT.
  • Administering certification programmes for health IT.
  • Supporting two Federal Advisory Committees.
  • Administering programmes to promote electronic health information exchange.
  • Co-ordinating the health IT policy and programmes of HHS with those of other relevant federal agencies.
For companies developing medical apps or software-based medical technology that may be regulated by the FDA, the FCC, or the ONC, it is important to:
  • Understand the requirements for the development, marketing, safety and quality of medical devices, as well as requirements imposed by other US regulators with authority over health IT products.
  • Identify practical regulatory issues that may impact business objectives.
  • Develop a compliance infrastructure to identify and manage potential compliance risks in an increasingly competitive market.

US regulatory framework for medical devices

Medical devices are defined as, among other things, instruments or apparatus (including components) intended for use in diagnosing, treating or preventing diseases or medical conditions, or intended to affect the body through non-chemical means (Federal Food, Drug and Cosmetic Act (FDCA) (21 U.S.C. § 321(h))).
The FDCA definition encompasses accessories and components of a finished medical device. Generally, accessories must comply with the requirements that apply to the medical device with which they are intended to be used. Most accessories are authorised by the FDA as part of the marketing application for the underlying device, but certain off-the-shelf accessories are separately regulated if they are intended for general purpose use with a variety of medical devices. Components, for example built-in modems or hardware, are generally exempt from medical device requirements. Instead, the FDA requires the manufacturer of the finished medical device for which the component is made or used to ensure that the component meets the manufacturer's specifications and other quality requirements.
The medical device definition also encompasses the regulatory concept of "intended use", the concept the FDA uses to determine whether a product is a medical device. Because a product's regulatory status depends on the manufacturer's intended use, products that may not appear to be medical devices may be subject to the FDA's requirements if they are intended to perform functions that bring them within the medical device definition.
This framework has important implications for smartphones, monitors and other software-based parts that are used with or in medical devices. In determining the requirements and responsibilities associated with such products, it is important to consider the intended uses, as well as the specifications, system components, and parts that are required to use or run the program, as some or all of these items may be accessories or components of the finished device.
Depending on the regulatory controls necessary to ensure that the product can be safely and effectively used as intended, medical devices are classified into one of three classes:
  • Class I (low risk).
  • Class II (moderate risk).
  • Class III (high risk).
Classification, and associated exemptions, generally determine the level of pre-market review and post-market controls that will be required (if there is any uncertainty about the device classification and applicable requirements, sponsors can contact the Office of Device Evaluation (ODE) within the FDA for clarification, by submitting a request for classification, known as a "513(g) request"). The FDA expects the persons responsible for manufacturing or marketing a device to determine the classification and the corresponding regulatory requirements before commercialising the product. Most medical devices are subject to regulations known as "general controls", which include owner/operator registration and device listing, device good manufacturing practice (GMP)/quality systems requirements and adverse event reporting.

Significant US FDA regulatory developments

Final rule on medical device data systems

The FDA has recently issued a new regulation on medical device data systems (MDDS) (FDA Final Rule on Medical Devices; Medical Device Data Systems, 76 Fed. Reg. 8637 (15 February 2011), 21 C.F.R. § 880.6310). The regulation defines an MDDS as a device that is intended to transfer, store or display, or electronically convert medical device data from one format to another format in accordance with a preset specification without controlling or altering the functions or parameters of any connected medical devices.
Medical device data includes clinical assessments, physiological conditions or other information regarding the operation or functions of a connected medical device that is either:
  • Originally obtained or directly available from a connected medical device.
  • Manually entered into a device and then subsequently transmitted by or through an MDDS.
Examples of MDDS data retrieval, transfer and storage activities include:
  • Collecting historical information from a ventilator and transferring it to a central patient data repository.
  • Storing historical blood pressure information for later review.
  • Displaying a previously stored electrocardiogram for a specific patient.
Examples of MDDS data conversion activities include:
  • Converting digital data into a printable format.
  • Converting data to HTML, PDF or HL7 format.
  • Transferring, storing or displaying medical data, including historical records of alarms or other output from a connected medical device, "without analysis or specific recognition of the intent or significance of that data".
A device or system is not an MDDS, if it interprets or adds value to the medical device data by, for example:
  • Charting or graphing data.
  • Providing alarms or other information necessary for "active" or "continuous" patient monitoring or data that a healthcare professional relies on to take immediate clinical action.
Such devices are generally regulated by the FDA under different classification regulations.
Not every IT system or software solution that transfers medical data is considered an MDDS. For example, the MDDS rule does not apply to devices that are solely intended for use as general IT equipment (and not intended for a device use), such as off-the-shelf wireless or backup systems. Additionally, general purpose IT equipment used in a healthcare facility to display or transfer medical data is not an MDDS, provided that it is not altered or reconfigured beyond the general manufacturing specifications to function as an MDDS.
Even with these broad exclusions, determining the status of an MDDS product requires a fact-specific, case-by-case analysis, based largely on the characteristics and functions of the solution. Companies that develop and market communication systems and software for use in healthcare applications or settings should assess whether those products are FDA-regulated MDDS products.
Since 2011, several hundred manufacturers have registered and listed MDDS products with the FDA.

Final guidance on mobile medical apps

On 23 September 2013, the FDA issued its Final Guidance for Industry and Food and Drug Administration Staff - Mobile Medical Applications (Guidance). The official notice was published in the Federal Register on 25 September 2013 (see 78 Fed. Reg. 59038 (25 September 2013)). The Guidance is available from the FDA’s website at:
The Guidance is the result of a two-year process, which started when the FDA issued its Draft Guidance for Industry and Food and Drug Administration Staff - Mobile Medical Applications in July 2011. The Guidance is one component of a multi-tiered, multi-agency legislative mandate to develop a comprehensive regulatory framework for health IT, including MMAs, clinical decision support (CDS) devices, and medical software.
The Guidance clarifies that the FDA does not intend to regulate most general health and wellness apps but, instead, intends to focus on a discrete subset of mobile apps that have the same functions and characteristics as regulated medical devices and pose greater risks to patients. This means that the platform (for example, whether it is a smartphone, tablet, or web-based application that runs on a mobile platform) is less relevant to determining whether an app is a medical device than the core functions and intended use of the app itself. If a mobile app transforms a platform into a medical device or acts as an accessory, and the functionality is of a kind the FDA already regulates, the FDA will regulate that app according to the classification regulations and requirements that apply to other devices in that category.
The Guidance also provides an overview of medical device requirements that apply to MMAs and the FDA’s recommendations for manufacturers and developers who must implement those requirements. By declining to regulate a variety of apps that support general health and wellness, patient education, and general disease management, the FDA has paved the way for greater innovation of mobile technology designed to meet broader healthcare goals, such as improving co-ordination of care, increasing patient engagement, and improving the overall quality of care.
The Guidance lists the following three categories of MMAs that the FDA intends to regulate and provides examples in each category in Appendix C.
Apps that connect to a medical device to control the device or display, store, analyse, or transmit patient-specific medical device data. The FDA treats many of these apps as an extension of the medical devices to which they are connected (including wireless connections) or as an accessory. Therefore, in most cases, the apps will be subject to the regulatory requirements that apply to the underlying or connected device. Examples include:
  • Medical data display apps that pull patient-specific data from bedside monitors, display previously stored EEG waveforms, connect to and/or display picture archiving and communication system (PACS) service, and display medical device data for active patient monitoring.
  • Medical device control apps that control inflation and deflation of a blood pressure cuff through a smartphone, or control delivery of insulin or other drugs.
  • Medical device data system (MDDS) apps that display, store, or transmit medical device data in its original form without controlling or altering the functions of any connected device. MDDS apps appear to differ from medical device data display apps in that they do not alter the data or its presentation.
Apps that transform a mobile platform into a regulated medical device. These apps use attachments, display screens, sensors or similar components to perform the functions of regulated devices. Examples include:
  • Apps that allow a smartphone to function as a blood glucose meter by attaching a blood glucose strip reader through a USB or other port.
  • Apps that measure and store ECG signals through the use of electrodes or sensors.
  • Apps that use a built-in accelerometer to collect motion information for monitoring sleep apnea.
  • Apps that use either internal or external sensors to function as an electronic stethoscope.
These apps are subject to regulatory requirements that apply to regulated devices that perform the same or similar functions. For example, an MMA that uses a mobile platform to act as an electronic stethoscope would be required to meet the requirements for electronic stethoscopes, which are regulated as Class II devices under 21 CFR § 860.1875(b).
Apps that perform patient-specific analysis and provide patient-specific diagnosis, or treatment recommendations. These apps use patient-specific parameters to perform “sophisticated” analysis or interpret data from another medical device. Examples include:
  • Apps that use patient-specific information to calculate dosage or create a dosage plan for radiation therapy.
  • Computer aided detection (CAD) software.
  • Image processing software.
  • Radiation therapy treatment planning software.
Presumably, the FDA used the word “sophisticated” to differentiate these apps from other unregulated apps that use patient-specific data to provide general education or symptom tracking without providing specific treatment recommendations or diagnoses.
The Guidance describes two categories of unregulated apps:
  • Apps that are not medical devices and, therefore, are not subject to the FDA’s jurisdiction.
  • Mobile apps that provide health or medical functions that the FDA does not intend to regulate.
Appendix A of the Guidance lists examples of apps that are not medical devices. These include:
  • Electronic textbooks.
  • Apps that provide archived copies of healthcare provider training videos.
  • Apps that support clerical and administrative functions, such as billing, claims processing, and appointment reminders.
The second category of unregulated apps includes apps that may meet the legal definition of a medical device or an MMA, but are subject to the FDA’s “enforcement discretion” because it believes that they are low risk. This means that the FDA will not enforce the Federal Food, Drug, and Cosmetic Act requirements for these apps, but it could decide to impose these requirements in future based on new information or new safety data. Although the FDA will not require manufacturers and developers to follow the quality system regulation for these apps, the agency “strongly recommends” that manufacturers and developers of unregulated apps follow quality system principles.
The Guidance lists the following five categories of these unregulated apps and provides examples in Appendix B.
Disease management apps. These apps support adherence to treatment regimens, medications, and disease management plans by providing behavioural coaching and information to patients with specific diseases. Examples include:
  • Apps that coach patients with conditions such as cardiovascular disease, hypertension, diabetes or obesity, and promote strategies for maintaining health.
  • Medication reminder apps that provide alerts to patients and healthcare providers based on pre-determined medication dosing schedules.
The FDA believes that these apps can be safely used by a patient without active oversight of a medical professional. Even where these apps are used for serious conditions that require professional medical care, the FDA believes they are low risk because they are not intended to replace the advice and care of a medical professional.
Patient-specific health information tracking apps. These apps allow patients to organise and track their information related to specific diseases, including chronic diseases, such as obesity, anorexia, arthritis, diabetes, and heart disease. They allow patients to input data, such as blood pressure measurements, drug intake, diet, weight, daily routine, or emotional state. These apps, however, do not provide any recommendations and are not intended to alter a previously prescribed treatment or therapy. The FDA considers these mobile apps to be different from regulated MMAs that provide disease and patient-specific treatment recommendations.
Health education and care co-ordination apps. These apps provide what the FDA describes as “contextually-relevant information” by matching patient-specific inputs regarding diagnosis, treatment, allergies, and symptoms to clinical reference information, such as recognised and established medical sources and texts or specialists in a particular geographic area. Examples include apps that provide standard treatment guidelines for common illnesses such as the flu, or apps that allow users to look up drug-drug interaction and drug-allergy information.
Apps that facilitate patient and healthcare provider communication. These apps include video-conferencing portals or use a built-in camera on a mobile platform to help the user document or transmit photos (for example, pictures or video of skin lesions or wounds) to supplement verbal descriptions.
Apps that perform basic clinical calculations. These apps automate simple medical calculations that clinicians would otherwise perform manually. The Guidance describes these as calculations that are taught in medical schools. The information supporting the underlying algorithms is derived from and available in medical sources and texts. Examples include calculators for:
  • Body mass index (BMI).
  • Mean arterial pressure.
  • APGAR score.
  • NIH stroke scale, among others.
Apps that facilitate interaction with physician health records (PHRs) and electronic health records (EHRs). These apps allow patients to download and view information in their EHR or enable access to information in a PHR. They are intended solely for information and record-keeping.

The FDASIA Health IT Report

US legislators have responded to industry concerns regarding the FDA’s regulation of health IT and mobile apps by requiring the FDA to prepare a report to Congress, describing the regulatory framework for health IT, and holding hearings to solicit input from industry and the FDA on the agency’s role in regulating health IT. Congress included a provision in the recently enacted Food and Drug Administration Safety and Innovation Act of 2012 (Pub. L. No. 112-144) (FDASIA), which required the FDA, in consultation with the ONC and the FCC (the Agencies), to develop and post on their respective websites “a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework pertaining to health information technology, including mobile medical applications, that promotes innovation, protects patient safety, and avoids regulatory duplication”.
On 3 April 2014, the HHS released a proposed strategy to regulate various health information technologies, entitled FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework (FDASIA Health IT Report), available at:
The FDASIA Health IT Report outlines a risk-based approach for regulating health IT. Specifically, it posits that the determination of risk and corresponding controls needed to manage such risks should focus on health IT functionality, not the platform(s) (for example, mobile, cloud-based, installed) on which such functionality resides or the product name/description of which it is a part. The FDA described a similar approach in the Guidance.
The proposed framework identifies three categories of health IT:
  • Administrative health IT functions.
  • Health management health IT functions.
  • Medical device health IT functions.
Of the three, the FDA intends to regulate medical device health IT functions. It does not intend to regulate administrative health IT and health management health IT; however, products in these categories may be subject to regulatory oversight by other agencies. The following is a brief summary of each category.
Administrative health IT functions. Administrative health IT functions assist organisations in optimising or executing clerical, administrative functions related to patient care. Examples of administrative health IT functions include:
  • Software intended to facilitate admissions.
  • Billing and claims processing.
  • Practice and inventory management.
  • Scheduling.
  • General purpose communications.
  • Analysis of historical claims data to predict future use or cost-effectiveness.
  • Determination of health benefit eligibility.
  • Population health management.
  • Reporting of communicable diseases to public health agencies.
  • Reporting on quality measures.
The FDASIA Health IT Report explains that administrative health IT functions pose limited or no risk to patient safety and, therefore, do not require additional oversight.
Health management health IT functions. Health management health IT functions help providers, healthcare organisations, and patients to access, organise, and communicate health-related information that may be used to deliver or optimise patient care. Health management health IT functionalities (sometimes referred to as clinical software) include, but are not limited to:
  • Health information and data management or exchange.
  • Data capture and encounter documentation.
  • Electronic access to clinical results.
  • Most CDS. CDS provides healthcare providers and patients with knowledge and person-specific information, intelligently filtered or presented at appropriate times, to enhance health and healthcare. Because its risks are generally low compared to the potential benefits, FDA does not intend to focus its oversight on most CDS. FDA, instead, intends to focus its oversight on a limited set of software functionalities that provide CDS and pose higher risks to patients, such as computer aided detection/diagnostic software and radiation therapy treatment planning software. For further information, see section 6, FDASIA Health IT Report.
  • Medication management (electronic medication administration records).
  • Electronic communication and co-ordination (for example, provider to patient, patient to provider, and provider to provider).
  • Provider order entry.
  • Knowledge (clinical evidence) management.
  • Patient identification and matching.
The FDASIA Health IT Report states that health management health IT functions may pose potential safety risks, but these risks “are generally low compared to the potential benefits and must be addressed by looking at the entire health IT ecosystem rather than single, targeted solutions”. If such technology meets the statutory definition of a medical device, “FDA does not intend to focus its regulatory oversight on such functionality”. Instead, the FDASIA Health IT Report proposes to rely on the ONC and industry quality management principles and best practices to establish a “favorable benefit-risk profile of these functionalities”. The FDASIA Health IT Report also proposes to rely on tools for testing, certification and accreditation of this category of products.
Medical device health IT functions. Products with medical device health IT functionality are a narrowly defined group that the FDA already oversees and regulates “because they generally pose greater risks to patient safety [if they do not perform as intended] than administrative or health management health IT functionality and [the] FDA oversight is better suited to provide assurance of safety and effectiveness for these functionalities”. Examples include currently regulated technology such as:
  • Computer-aided detection/diagnostic software.
  • Remote display or notification of real-time alarms from bedside monitors.
  • Radiation treatment planning software.
  • Robotic surgical planning and control.
The ONC and the FCC may have complementary jurisdiction or authority over certain aspects of these devices, related to issues such as interoperable data exchange between a medical device and EHR, use of wireless spectrum for wireless medical devices, and so on.
The proposed regulatory framework attempts to strike a balance between providing appropriate regulatory oversight for the products that pose the greatest risk to public health and creating appropriate mechanisms for self-regulation by industry. The framework does not give the FDA additional authority or more oversight than it currently has. Instead, the framework seeks to leverage private sector and government resources and expertise to focus on four key areas:
  • Fostering the development of a culture of safety and quality.
  • Leveraging standards and best practices.
  • Employing industry-led testing and certification.
  • Selectively using tools such as voluntary listing, reporting, and training to enable the development of a transparent learning healthcare environment that fosters continual health IT improvement.
The Agencies plan to hold public meetings to solicit public feedback on the FDASIA Health IT Report. The public also has an opportunity to submit formal comments on it. The Agencies will review comments before finalising the FDASIA Health IT Report and implementing final recommendations.

Anticipated Guidance on CDS

Although the FDA’s Final Mobile Medical Apps Guidance did not address the regulatory status of CDS tools, the FDASIA Health IT Report provided a proposed regulatory framework for these products. CDS tools include a variety of tools intended to enhance, inform, and influence healthcare decisions by providing healthcare professionals with patient-specific information, intelligently filtered or presented at appropriate times or within specific parameters. These tools include, but are not limited to:
  • Computerised alerts and reminders for providers and patients.
  • Clinical guidelines.
  • Condition-specific order sets.
  • Focused patient data reports and summaries.
  • Documentation templates.
  • Diagnostic support.
  • Contextually relevant reference information.
These functionalities can be deployed on a variety of platforms (for example, mobile, cloud-based, installed). According to the Report, “CDS is not intended to replace clinicians’ judgment, but rather to assist clinicians in making timely, informed, higher quality decisions”.
The Agencies proposed to regulate different kinds of CDS tools based on their functions and risks. The Report states that FDA does not intend to regulate CDS tools that provide health management functions. Examples of unregulated CDS tools include:
  • Evidence-based clinician order sets tailored for a particular condition, disease, or clinician preference.
  • Drug-drug interaction and drug-allergy contraindication alerts to avert adverse drug events.
  • Most drug dosing calculations.
  • Drug formulary guidelines.
  • Reminders for preventative care (for example, mammography, colonoscopy, and immunisations).
  • Facilitation of access to treatment guidelines and other reference material that can provide information relevant to particular patients.
  • Calculation of prediction rules and severity of illness assessments (for example, APACHE score, AHRQ Pneumonia Severity Index, and Charlson Index).
  • Duplicate testing alerts.
  • Suggestions for possible diagnoses based on patient-specific information retrieved from a patient’s EHR.
The FDA will continue to regulate CDS tools that provide medical device functions and present higher risks to patient health and safety. Examples of medical device CDS currently regulated by the FDA include, but are not limited to:
  • Computer aided detection/diagnostic software.
  • Remote display or notification of real-time alarms (physiological, technical, advisory) from bedside monitors.
  • Radiation treatment planning.
  • Robotic surgical planning and control.
  • Electrocardiography analytical software.
The Agencies recommended that health IT stakeholders work together to develop policies for the transparent disclosure of the rules and information sources underlying individual health management CDS functionalities/products. For the small subset of CDS products that have medical device health IT functionality, present higher risks, and generally have been subject to active oversight by the FDA, the Agencies explained that “active oversight should be continued”.
The FDA stated that it will work with federal and private stakeholders to clarify the types of medical device CDS that should be the focus of the agency’s oversight.
The continued growth and expansion of health IT in the US and the EU means that a number of companies that currently market health-related apps and software must now:
  • Assess whether these products are regulated by the FDA.
  • Decide whether to request formal advisory opinions from the FDA to better assess the regulatory status of their products, or consider whether to delay the marketing and launch of certain products pending further guidance from FDA.

Recommendations for companies

Often, companies in the health IT space find that they are ill-prepared to meet the developing regulatory challenges. It is recommended that companies venturing into the health IT area invest at the early stages in developing a strong understanding of the legal and regulatory issues, and associated investments and timelines, for proposed products before developing the technology or making improvements to existing technology. Such companies must plan to invest in the infrastructure and processes necessary to ensure that regulated health IT remains compliant. A coherent and integrated commercial strategy for the development of devices relevant to e-health and m-health should be considered on a cross-border basis.

The Ker-Optika case

Sale and distribution

The Ker-Optika case (Case C-108/09 Ker-Optika bt v ÀNTSZ Dél-dunántúli Regionális Intézete) concerns the sale and distribution of contact lenses, which are regulated as medical devices under the Medical Devices Directive, in Hungary. In this case, the ECJ first assessed whether the process of internet sales, and especially the delivery of the contact lenses to the consumer's home, falls within the scope of the Electronic Commerce Directive. The ECJ distinguished between the selling of goods online and the delivery of products. The process of selling goods online falls within the scope of the Electronic Commerce Directive. However, the delivery of products, in this case a medical device, does not fall within the scope of the Electronic Commerce Directive.

Public health impact

In assessing public health impact, the ECJ appears to have applied the test of an informed and responsible consumer. The ECJ noted that examinations and advice are matters of the consumer's choice, which "is primarily the responsibility of each contact lens user". Consumers could be advised in the same way as part of the process of selling the lenses over the internet, through interactive features on the website concerned, the use of which is mandatory before the consumer proceeds to purchase the lenses. The ECJ considered that the internet, as a channel of distribution, offered the same quality of information for consumers as offline sales did. In addition, the ECJ stated that distribution via the internet might offer an advantage over an offline sale, as the consumer had more time to consider the product and the purchase. This mode of distribution would be beneficial to the consumer's informed consent.
The ECJ appeared to robustly counter the alleged drawbacks associated with the use of the internet for providing healthcare advice, mostly relating to a lack of personal contact between the provider of goods and services and the consumer. In the ECJ's considered view, the internet is not only used as a means for approaching the potential consumer but also as an appropriate medium in which the purchased service can be carried out.

Relevance to telemedicine

The relevance of the Ker-Optika case to telemedicine is that the internet, as a channel of distribution, is as suitable as physical clinical establishments for providing the consumer with sufficient information. The ECJ highlighted the advantages of the internet as giving the consumer more time to think about the purchase and any surrounding questions relevant to the use of a particular medical product. This decision, together with a prior ECJ decision on internet sales of medicinal products, provides a modern approach to assessing the broader public health impact in the new era of e-commerce and the increasing use of online and mobile services by consumers.

Contributor profiles

Lincoln Tsang

Arnold & Porter LLP

T +44 207 786 6104
F +44 207 786 6299
Qualified. England and Wales, 1995
Areas of practice. Life Sciences including regulatory and compliance for pharmaceuticals and medical devices, EU administrative law.
Recent transactions
  • Advising companies on global regulatory compliance programmes for manufacturing, clinical trials and pharmacovigilance.
  • Assisting companies in developing internal corporate procedures for e-commerce, particularly in relation to disease awareness campaigns.
  • Defending companies in regulatory investigation and enforcement actions.
  • Representing companies in market exclusivity challenges.

Vernessa Pollard

Arnold & Porter LLP

T +1 202 942 5811
F +1 202 942 5999
Qualified. US: New Jersey; District of Columbia
Areas of practice. Pharmaceutical and medical devices, principally focusing on regulatory matters involving the US Food and Drug Administration and US Department of Justice (DOJ).
Recent transactions
  • Advising companies on regulatory, compliance, enforcement and legislative matters involving pharmaceuticals, medical devices, cosmetics, food, and medical technology and software.
  • Advising companies on product approvals, Good Manufacturing Practice (GMP) and Quality System (QS) requirements, advertising and promotion, adverse event reporting, FDA Warning Letters, FDA inspections, recalls, import detentions and corporate compliance programmes.
  • Representing technology, telecommunications and device manufacturers on integrated healthcare IT devices, wireless-enabled medical devices, medical mobile apps and disease management software.