It has now been recognised by the European legislature and decision-makers that EU health systems are under mounting pressure to respond to the challenges relating to ageing population, citizens' rising expectation, migration and mobility of patients and health professionals. New technologies have the potential to revolutionalise healthcare and health delivery systems and to contribute to their future sustainability.

Enabling technologies are important for the improvement, prevention of illness and timely delivery of treatment, particularly:

These essentially shift the current paradigm of treatment of the underlying conditions or illness to prevention and primary care to achieve and maintain wellness. E-health and m-health can assist in providing better citizen-centred care, as well as lowering costs and supporting interoperability across national boundaries, facilitating patient mobility and safety. There is a general consensus among the policy makers and industry that new technologies must be evaluated properly, including for cost-effectiveness, and equity; and health professionals' training and capacity implications must be considered.

The impact of information technology (IT) on cross-border healthcare provisions has been recognised by the European Commission (Commission) in its policy paper published in 2007, where ICT and allied enabling technologies have been considered as particularly important in tackling these new healthcare challenges in the coming decades. Three key challenges are identified by the Commission:

Similarly, the European Medicines Agency (EMA) in its Road Map to 2015 on contributions to science, medicines and health also recognises the impact of new technologies, including e-health, on existing healthcare systems.

The Council of Ministers also recognised (in its assessment on innovation in the medical device sector published in 2011) the need to consider the interoperability and safety issues related to the integration of medical devices in e-health systems, especially personal health systems, and m-health systems. However, the deployment of information telecommunication technology systems is entirely a matter of national competence. Certain industry interest groups or initiatives have been established that have advocated the need for clarity and certainty on the regulatory standard to ensure timely market access to the new emerging IT technologies related to e-health and m-health. Such parties include the industry group European Industry Association for Radiological, Electromedical and Healthcare-IT industry (COCIR), which represents many key industry players such as the European Health Telematics Association, European Institute for Health Records and Integrating the Healthcare Enterprise.

It is generally agreed that the e-commerce revolution will have an important enabling role on e-health and m-health to ensure high quality, safety and efficient cross-border healthcare provisions within the EU and beyond. In its communication relating to telemedicine (providing healthcare services at a distance), the Commission indicates that e-health can help improve the lives of EU citizens, both patients and health professionals. However, as the Commission has put it, integrating services such as teleradiology (that is, transmission of radiological patient images, such as x-rays, CTs, and MRIs, from one location to another) and teleconsultation (that is, consultations where the healthcare provider and the patient are not at the same location) healthcare systems is a challenging task. The main issues concern:

Certain medical device manufacturers have applied for the European Conformity mark (CE-mark) to be affixed to their patient care network or mobile software, including the apps designed to facilitate transmission of patient records for diagnosis and determination of the choice of treatment modalities, as well as outcome measurements.

In the EU, medical devices, low voltage equipment, machinery and radio and telecommunications terminal equipment are regulated under the New Approach (NA) directives, which are defined as directives that provide for the affixing of a CE-mark.

NA directives are based on Resolution 85/C 136/01 1985 on a new approach to technical harmonisation, and standards, which sets out a new regulatory approach based on the following agreed guiding principles:

The NA requires standards to offer a guaranteed level of protection for the essential requirements established by the directives, and the national authorities to carry out their responsibilities to protect safety or other interests covered by the directives. Under the NA directives, a safeguard clause procedure is necessary to allow for contesting a product's compliance, or failures or shortcomings of harmonised standards.

The procedure for conformity assessment is risk-based, taking account the classification of the medical device and the intended clinical mode of use, and the nature and characteristics of the device. In the EU, medical devices fall into the following four distinct classes according to the risk assessment and characterisation:

The test for establishing essential requirements seeks to ensure that the device is designed and manufactured in such a way that when used under the conditions and for the purposes intended, it does not compromise the clinical condition, safety or the users. Any risks associated with its intended use should be acceptable risks when weighed against the benefits to the patient. The benefit/risk assessment should be compatible with the overarching objective of achieving a high level of protection of health and safety.

Under the current rules, devices that incorporate software or that are medical software in themselves must be validated according to the state of the art, taking into account the principles of development lifecycle, risk management, validation and verification.

Under EU rules, standalone software can be considered an active medical device, that is, any device operation that depends on a source of electrical energy or any source of power other than that directly generated by the human body or gravity and that acts by converting this energy. Medical devices intended to transmit energy, substances or other elements between an active medical device and the patient, without any significant change, are not considered to be active medical devices.

As indicated in the amendment to Directive 93/42/EEC concerning medical devices (Medical Devices Directive) adopted in 2007, the European legislature has contemplated that a medical device may include software either as a standalone device or in combination with another device for a medical purpose.

A medical device is now defined in the revised Medical Devices Directive to mean any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, together with any accessories, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for a medical purpose, provided that the principal intended action is not mediated through a biological process.

An assessment of a medical purpose is usually based on the declared claims made by the manufacturer on the label, instructions for use and the promotional material consistent with the overarching purpose of the Medical Devices Directive to ensure a high level of protection of patients and consumers.

The Commission's established position distinguishes between two types of software:

Software related to the functioning of a medical device can be regulated as a standalone medical device or as an accessory to the medical device under the Medical Devices Directive. Software used with non-medical equipment is not considered a medical device. The key test is whether the software provides for a proper diagnostic or therapeutic purpose.

If the definition for a medical device, which is sufficiently broad and all encompassing, were to be given its purposive meaning according to established European jurisprudence, equipment, appliances or apparatus involved in e-health or m-health could be regulated as a medical device. This classification in itself may be somewhat artificial, given that mobile software equipment and appliances similar to medical devices are regulated under the NA directives. The NA seeks to address all hazards or risks related to the public interest that the directive intends to protect, such as protection of the consumers, patients or users. According to the Commission, regulatory compliance with the essential requirements can often require simultaneous application of more than one NA directive, and possibly with other EU legal instruments.

In its public consultation document concerning the recast (that is, codification or consolidation) of the Medical Devices Directive, the Commission asked whether the current approach to assessing essential requirements is sufficiently robust to innovative technologies and practices, including those that are based on nanotechnology, genetic testing and advancements in IT, which may be involved in the development of e-health or m-health across the EU. The consultation document also asked whether appropriate adaptation or reinforcement of the established principles underpinning essential requirements is required in the recast of the Medical Devices Directive.

In 2012, the Commission adopted guidance to confirm the position that standalone software having a medical purpose would be regulated as a medical device. If the standalone software does not meet the definition of a medical device or of an in vitro diagnostic medical device but is intended by the manufacturer to be an accessory to a medical device or an in vitro diagnostic device, then the software would be regulated respectively under the Medical Devices Directive or Directive 98/79/EC on in vitro diagnostic medical devices.

Under the NA regulatory framework, a medical device is presumed to conform with the essential requirements if it meets the appropriate harmonised standard. It has been considered that, until the amendment of the Medical Devices Directive, safety regulations for medical device software at least formally were not sufficiently rigorous to the extent that medical software was not legislatively classified as falling within the scope of the Medical Devices Directive.

The international standard EN/IEC 62304 has now emerged as a global benchmark for evaluating software development. This standard can sit side-by-side with the following standards to evaluate the design, management and safety of medical software:

EN/IEC 62304 standard expects a manufacturer to assign a safety class to the software system. The classification is based on the potential for a hazard that could result in an injury to the user, the patient or other people and includes:

Similar to the EU device vigilance guidance, serious injury means injury or illness that directly or indirectly is any of the following:

In its 2012 guidance, the Commission clarifies the classification of standalone software and accordingly the conformity procedure that ought to be followed. For example, standalone software that meets the definition of a medical device is considered as an active medical device. This means rules 9, 10, 11 and 12 of Annex IX to the Medical Devices Directive may apply. Clause 2.3 of the implementing rules in Annex IX provides that software which drives a medical device or influences the use of a device falls automatically into the same class as the device it drives. As regards software intended for diagnosis or therapy, according to rule 10 of Annex IX to the Medical Devices Directive, active devices intended for diagnosis are in Class IIa if they are intended to image in vivo distribution of radiopharmaceuticals.

As regards software that is designed to generate alarms based on the monitoring and analysis of patient specific physiological parameters such as telemedicine systems, the communication system modules might be used with other modules that might be qualified as medical devices. Similarly, where software is intended to capture and analyse results generated by one or more in vitro diagnostic devices, the software is considered as an in vitro diagnostic device. This includes, for example, software that integrates genotype of multiple genes to predict risk of developing a disease or medical condition.

It has been recognised that e-health or m-health in the field of telemedicine is both a health service and an information society service. Therefore, it falls under Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce in the Internal Market (Electronic Commerce Directive). This is also recognised in Directive 2011/24/EU on the application of patients' rights in cross-border healthcare (Cross-Border Healthcare Directive), which addresses patients' cross-border mobility including their ability to access services across borders. The Cross-Border Healthcare Directive requires the Commission to take measures to ensure the interoperability of means for the provision of e-health services including telemedicine.

The EU Court of Justice (ECJ) has ruled in various decisions that neither the special nature of health services nor the way in which they are organised or financed removed them from the regulatory control of the fundamental EU law principle of free movement. This includes the freedom of recipients of healthcare services established in one member state to seek and receive medical treatment from another member state, regardless of how the service is delivered (for example, by telemedicine).

EU law establishes a procedure that imposes an obligation on member states to notify the Commission and each other of all draft technical regulations concerning products and Information Society Services (ISS) including telemedicine before they are adopted and put into operation in national law.

The Electronic Commerce Directive defines rules for the provision of ISS both within and between member states. The Commission believes that the Electronic Commerce Directive applies also to telemedicine. For business-to-business telemedicine services, the country of origin principle applies, that is, the service offered by the business must comply with the related rules of establishment. In the case of business-to-consumer activities contractual obligations are exempted from the country of origin principle. While the definition of medical activities is a matter for the member states, as a general principle, the classification of specific telemedicine services should ensure that these meet the same level of requirements as equivalent non-telemedicine services. That is to say teleradiology should not be less rigorous than radiology. This principle ensures that adequately regulated health services are not replaced by less regulated telemedicine services, and it avoids discrimination between providers of the same service that would be incompatible with the Electronic Commerce Directive.

The interplay of the Medical Devices Directive and the Electronic Commerce Directive has recently been the subject of an ECJ decision (Case C-108/09 Ker- Optika bt v ÀNTSZ Dếl-dunántúli Regionális Intézete) (Ker- Optika) (see box, The Ker- Optika case). It has been argued that this decision supports the proposition that appliances or equipment intended for e-health or m-health would be subject to regulatory supervision under the Medical Devices Directive. However, this decision gives some clarity on the demarcation between the Medical Devices Directive and the Electronic Commerce Directive, and the scope of the respective regulatory regime, particularly in the area of internet sale and supply of a medical device.

In addition, an assessment of the extent of impact of the regulation relating to the spectrum and radiofrequency use on devices intended for e-health and m-health is required. Currently, regulatory supervision generally falls within national competence.

In April 2014, the European Commission launched its long awaited m-health consultation and suggested policy action could be forthcoming as early as in 2015. The Commission solicits views on how best to use mobile devices such as mobile phones, tablets, patient monitoring devices and other wireless devices to improve health and wellbeing. In that regard, to realise the potential of m-mobile (which has the potential to save EUR99 billion in healthcare costs in the EU), safety and usage of data and whether apps are medical devices will need to be addressed. As regards the classification, certain m-health apps have now been classified as medical devices. In parallel, the Commission has published Action 77, which aims at harmonisation of EU-wide standards, interoperability testing and certification of e-Health systems by 2015.

In the US, many of these technologies are regulated by the Food and Drug Administration (FDA) as medical devices, if they are intended for use in the treatment, diagnosis or prevention of disease. For example, the FDA has recently cleared:

The FDA, along with other key regulators, is responding to these emerging technologies by re-examining traditional regulatory approaches to medical devices and wireless communications.

The Federal Communications Commission (FCC) also has jurisdiction over various media and communication technologies. FCC, among other things:

In the mobile health and Health IT sector, FCC regulates the allocation of frequencies and the specification of technical requirements to ensure the security and reliability of wirelines, broadband and wireless communication devices. Because of their shared jurisdiction over health IT, the FDA and the FCC have announced efforts to develop a co-ordinated regulatory approach for wireless-enabled medical devices, mobile apps and other health IT. The FDA and the FCC have signed a memorandum of understanding, in which they agree to, among other things, exchange information on device marketing authorisations and consult on the development of standards for mobile devices and health IT.

The Office of the National Coordinator for Health Information Technology (ONC), which is an agency within the US Department of Health and Human Services (HHS), is responsible for co-ordinating the development and implementation of interoperable health information technology. The ONC is also charged with, among other things:

For companies developing medical apps or software-based medical technology that may be regulated by the FDA, the FCC, or the ONC, it is important to:

Medical devices are defined as, among other things, instruments or apparatus (including components), intended for use when diagnosing, treating or preventing diseases, or medical conditions, or intended to affect the body through non-chemical means (Federal Food, Drug and Cosmetic Act (FDCA) (21 U.S.C. § 321 (h))).

The FDCA definition encompasses accessories and components of a finished medical device. Generally, accessories must comply with requirements that apply to the medical device with which they are intended to be used. Most accessories are authorised by the FDA as part of the marketing application for the underlying device, but certain off-the-shelf accessories are separately regulated if they are intended for general purpose use with a variety of medical devices. Components, for example, built-in modems or hardware, are generally exempt from medical requirements. Instead, the FDA requires the manufacturer of the finished medical device for which the component is made or used to ensure that component meets the manufacturer's specifications and other quality requirements.

The medical device definition also encompasses the regulatory concept of "intended use", the concept the FDA uses to determine whether a product is a medical device. Because a product's regulatory status depends on the manufacturer's intended use, products that may not appear to be medical devices may be subject to the FDA's requirements if they are intended to perform functions that bring them within the medical device definition.

This framework has important implications for smartphones, monitors and other software-based parts that are used with or in medical devices. In determining the requirements and responsibilities associated with such products, it is important to consider the intended uses, as well as the specifications, system components, and parts that are required to use or run the program, as some or all of these items may be accessories or components of the finished device.

Depending on the regulatory controls necessary to ensure that the product can be safely and effectively used as intended, medical devices are classified into one of three classes:

Classification, and associated exemptions, generally determine the level of pre-market review and post-market controls that will be required (if there is any uncertainty about the device classification and applicable requirements, sponsors can contact the Office of Device Evaluation (ODE) within the FDA for clarification, by submitting a request for classification, known as a "513(g) request"). The FDA expects the persons responsible for manufacturing or marketing a device to determine the classification and the corresponding regulatory requirements before commercialising the product. Most medical devices are subject to regulations known as "general controls", which include owner/operator registration and device listing, device good manufacturing practice (GMP)/quality systems requirements and adverse event reporting.

The FDA has recently issued a new regulation on medical device data systems (MDDS) (FDA Final Rule on Medical Devices; Medical Device Data Systems, 76 Fed. Reg. 8637 (15 February 2011), 21 C.F.R. § 880.6310). The regulation defines an MDDS as a device that is intended to transfer, store or display, or electronically convert medical device data from one format to another format in accordance with a preset specification without controlling or altering the functions or parameters of any connected medical devices.

Medical device data includes clinical assessments, physiological conditions or other information regarding the operation or functions of a connected medical device that is either:

Examples of MDDS data retrieval, transfer and storage activities include:

Examples of MDDS data conversion activities include:

A device or system is not an MDDS, if it interprets or adds value to the medical device data by, for example:

Such devices are generally regulated by the FDA under different classification regulations.

Not every IT system or software solution that transfers medical data is considered an MDDS. For example, the MDDS rule does not apply to devices that are solely intended for use as general IT equipment (and not intended for a device use), for example, off-the-shelf wireless or backup systems. Additionally, general purpose IT equipment used in a healthcare facility to display or transfer medical data is not an MDDS, provided that it is not altered or reconfigured beyond the general manufacturing specifications to function as an MDDS.

Even with these broad exclusions, determining the status of an MDDS product requires a fact-specific, case-by-case analysis, based largely on the characteristics and functions of the solution. Companies that develop and market communication systems and software for use in healthcare applications or settings should assess whether those products are FDA-regulated MDDS products.

Since 2011, several hundred manufacturers have registered and listed MDDS products with FDA.

On 23 September 2013, the FDA issued its Final Guidance for Industry and Food and Drug Administration Staff - Mobile Medical Applications (Guidance). The official notice was published in the Federal Register on 25 September 2013 (see 78_Fed. Reg. 59038 (25 September 2013)). The Guidance is available from FDA’s website at: www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf.

The Guidance is the result of a two year process, which started when FDA issued its Draft Guidance for Industry and Food and Drug Administration Staff - Mobile Medical Applications Draft Guidance on Mobile Medical Applications in July 2011. The Guidance is one component of a multi-tiered, multi-agency legislative mandate to develop a comprehensive regulatory framework for health IT, including MMAs, clinical decision support (CDS) devices, and medical software.

The Guidance clarifies that the FDA does not intend to regulate most general health and wellness apps but, instead, intends to focus on a discrete subset of mobile apps that have the same functions and characteristics as regulated medical devices and pose greater risks to patients. This means that the platform (for example, whether it is a smartphone, tablet, or web-based application that runs on a mobile platform) is not as relevant to determining whether an app is a medical device, as the core functions and intended use of the app itself. If a mobile app transforms a platform into a medical device or acts as an accessory and is the kind of functionality the FDA already regulates, it will regulate that app according to the classification regulations and requirements that apply to other devices in that category.

The Guidance also provides an overview of medical device requirements that apply to MMAs and the FDA’s recommendations for manufacturers and developers who must implement those requirements. By declining to regulate a variety of apps that support general health and wellness, patient education, and general disease management, the FDA has paved the way for greater innovation of mobile technology designed to meet broader healthcare goals, such as improving co-ordination of care, increasing patient engagement, and improving the overall quality of care.

The Guidance lists the following three categories of MMAs that the FDA intends to regulate and provides examples in each category in Appendix C.

Apps that connect to a medical device to control the device or display, store, analyse, or transmit patient-specific medical device data. The FDA treats many of these apps as an extension of the medical devices to which they are connected (including wireless connections) or as an accessory. Therefore, in most cases, the apps will be subject to the regulatory requirements that apply to the underlying or connected device. Examples include:

Apps that transform a mobile platform into a regulated medical device. These apps use attachments, display screens, sensors or similar components to perform the functions of regulated devices. Examples include:

Apps that perform patient-specific analysis and provide patient-specific diagnosis, or treatment recommendations. These apps use patient-specific parameters to perform “sophisticated” analysis or interpret data from another medical device. Examples include:

Presumably, the FDA used the word “sophisticated” to differentiate these apps from other unregulated apps that use patient-specific data to provide general education or symptom tracking without providing specific treatment recommendations or diagnoses.

The Guidance describes two categories of unregulated apps:

Appendix A of the Guidance lists examples of apps that are not medical devices. These include:

The second category of unregulated apps includes apps that may meet the legal definition of a medical device or an MMA, but are subject to the FDA’s “enforcement discretion” because it believes that they are low risk. This means that the FDA will not enforce the Federal Food, Drug, and Cosmetic Act requirements for these apps, but it could decide to impose these requirements in future based on new information or new safety data. Although the FDA will not require manufacturers and developers to follow the quality system regulation for these apps, the agency “strongly recommends” that manufacturers and developers of unregulated apps follow quality system principles.

The Guidance lists the following five categories of these unregulated apps and provides examples in Appendix B.

Disease management apps. These apps support adherence to treatment regiments, medications, and disease management plans by providing behavioural coaching and information to patients with specific diseases. Examples include:

The FDA believes that these apps can be safely used by a patient without active oversight of a medical professional. Even where these apps are used for serious conditions that require professional medical care, the FDA believes they are low risk because they are not intended to replace the advice and care of a medical professional.

Patient-specific health information tracking apps. These apps allow patients to organise and track their information related to specific diseases, including chronic diseases, such as obesity, anorexia, arthritis, diabetes, and heart disease. They allow patients to input data, such as blood pressure measurements, drug intake, diet, weight, daily routine, or emotional state. These apps, however, do not provide any recommendations and are not intended to alter a previously prescribed treatment or therapy. The FDA considers these mobile apps to be different from regulated MMAs that provide disease and patient-specific treatment recommendations.

Health education and care co-ordination apps. These apps provide what the FDA describes as “contextually-relevant information” by matching patient-specific inputs regarding diagnosis, treatment, allergies, and symptoms to clinical reference information, such as recognised and established medical sources and texts or specialists in a particular geographic area. Examples include apps that provide standard treatment guidelines for common illnesses such as the flu, or apps that allow users to look-up drug-drug interaction and drug-allergy information.

Apps that facilitate patient and healthcare provider communication. These apps include video-conferencing portals or use a built-in camera on a mobile platform to help the user document or transmit photos (for example, pictures or video of skin lesions or wounds) to supplement verbal descriptions.

Apps that perform basic clinical calculations. These apps automate simple medical calculations that clinicians would otherwise perform manually. The Guidance describes these as calculations that are taught in medical schools. The information supporting the underlying algorithms is derived from and available in medical sources and texts. Examples include calculators for:

Apps that facilitate interaction with physician health records (PHRs) and electronic health records (EHRs). These apps allow patients to download and view information in their EHR or enable access to information in a PHR. They are intended solely for information and record-keeping.

US legislators have responded to industry concerns regarding the FDA’s regulation of health IT and mobile apps by requiring the FDA to prepare a report to Congress, describing the regulatory framework for health IT, and holding hearings to solicit input from industry and the FDA on the agency’s role in regulating health IT. Congress included a provision in the recently enacted Food and Drug Administration Safety and Innovation Act of 2012 (Pub. L. No. 112-144) (FDASIA), which required the FDA, in consultation with the ONC and the FCC (the Agencies) to develop and post on their respective websites “a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework pertaining to health information technology, including mobile medical applications, that promotes innovation, protects patient safety, and avoids regulatory duplication”.

On 3 April 2014, the HHS released a proposed strategy to regulate various health information technologies, entitled FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework (FDASIA Health IT Report), available at www.fda.gov/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDRH/CDRHReports/ucm390588.htm. The FDASIA Health IT Report outlines a risk-based approach for regulating health IT. Specifically, it posits that the determination of risk and corresponding controls needed to manage such risks should focus on health IT functionality, not the platform(s) (for example, mobile, cloud-based, installed) on which such functionality resides or the product name/description of which it is a part. The FDA described a similar approach in the Guidance.

The proposed framework identifies three categories of health IT:

Of the three, the FDA intends to regulate medical device health IT functions. It does not intend to regulate administrative health IT and health management health IT, however products in these categories may be subject to regulatory oversight by other agencies. The following is a brief summary of each category.

Administrative health IT functions. Administrative health IT functions assist organisations in optimising or executing clerical, administrative functions related to patient care. Examples of administrative health IT functions include:

The FDASIA Health IT Report explains that administrative health IT functions pose limited or no risk to patient safety and, therefore, do not require additional oversight.

Health management health IT functions. Health management heath IT functions help providers, healthcare organisations, and patients to access, organise, and communicate health-related information that may be used to deliver or optimise patient care. Health management health IT functionalities (sometimes referred to as clinical software) include, but are not limited to:

The FDASIA Health IT Report states that health management health IT functions may pose potential safety risks, but these risks “are generally low compared to the potential benefits and must be addressed by looking at the entire health IT ecosystem rather than single, targeted solutions”. If such technology meets the statutory definition of a medical device, “FDA does not intend to focus its regulatory oversight on such functionality”. Instead, the FDASIA Health IT Report proposes to rely on the ONC and industry quality management principles and best practices to establish a “favorable benefit-risk profile of these functionalities”. The FDASIA Health IT Report also proposes to rely on tools for testing, certification and accreditation of this category of products.

Medical device health IT functions. Products with medical device health IT functionality, are a narrowly defined group that the FDA already oversees and regulates “because they generally pose greater risks to patient safety [if they do not perform as intended] than administrative or health management health IT functionality and [the] FDA oversight is better suited to provide assurance of safety and effectiveness for these functionalities”. Examples include currently regulated technology such as:

The ONC and the FCC may have complementary jurisdiction or authority over certain aspects of these devices, related to issues such as interoperable data exchange between a medical device and EHR, use of wireless spectrum for wireless medical devices, and so on.

The proposed regulatory framework attempts to strike a balance between providing appropriate regulatory oversight for the products that pose the greatest risk to public health and creating appropriate mechanisms for self-regulation by industry. The framework does not give the FDA additional authority or more oversight that it currently has. Instead, the framework seeks to leverage private sector and government resources and expertise to focus on four key areas:

The Agencies plan to hold public meetings to solicit public feedback on the FDASIA Health IT Report. The public also has an opportunity to submit formal comments on it. The Agencies will review comments before finalising the FDASIA Health IT Report and implementing final recommendations.

Although the FDA’s Final Mobile Medical Apps Guidance did not address the regulatory status of CDS tools, the FDASIA Health IT Report provided a proposed regulatory framework for these products. CDS tools include a variety of tools intended to enhance, inform, and influence healthcare decisions, by providing healthcare professionals and patient-specific information, intelligently filtered or presented at appropriate times or within specific parameters. These tools include, but are not limited to:

These functionalities can be deployed on a variety of platforms (for example, mobile, cloud-based, installed). According to the Report, “CDS is not intended to replace clinicians’ judgment, but rather to assist clinicians in making timely, informed, higher quality decisions”.

The Agencies proposed to regulate different kinds of CDS tools based on their functions and risks. The Report states that FDA does not intend to regulate CDS tools that provide health management functions. Examples of unregulated CDS tools include:

FDA will continue to regulate CDS that provide medical device function and present higher risks to patient health and safety. Examples of medical device CDS currently regulated by FDA include but are not limited to:

The Agencies recommended that health IT stakeholders work together to develop policies for the transparent disclosure of the rules and information sources underlying individual health management CDS functionalities/products. For the small subset of CDS products that have medical device health IT functionality, present higher risks, and generally have been subject to active oversight by the FDA, the Agencies explained that “active oversight should be continued”.

The FDA stated that it will work with federal and private stakeholders to clarify the types of medical device CDS that should be the focus of the agency’s oversight.

The continued growth and expansion of Health IT in the US and the EU means that a number of companies that currently market health-related apps and software must now:

Often, companies in the health IT space find that they are ill-prepared to meet the developing regulatory challenges. It is recommended that companies venturing into the health IT area invest at the early stages in developing a strong understanding of the legal and regulatory issues, and associated investments and timelines, for proposed products before developing the technology or making improvements to existing technology. Such companies must plan to invest in the infrastructure and processes necessary to ensure that regulated health IT remains compliant. A coherent and integrated commercial strategy for the development of devices relevant to e-health and m-health should be considered on a cross-border basis.