Regulatory Landscape Remains Unclear for Mobile Health App Developers

By Mariko Kageyama

The digital health field has been growing exponentially and is now expanding rapidly into emerging markets. As a result, mobile health apps, or “mHealth apps,” have exploded in popularity. If you search for “health” on online app stores such as Apple’s App Store or Google Play, you will have no problem finding countless apps with various health-related purposes. One survey reports that nearly 260,000 mHealth apps were available worldwide by 2016.

However, what mHealth app developers and consumers may not realize is that these new technologies are becoming the target of increasingly tight regulations by both federal and state laws in the United States.

At the federal level, mobile health apps may be scrutinized under the following federal agency laws:

  • Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act – These acts regulate data privacy and security of health information. They are enforced by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC);
  • Food, Drug, and Cosmetic Act (FDCA) – This act allows the Food and Drug Administration (FDA) to regulate the safety and effectiveness of “medical devices;” and
  • Federal Trade Commission Act (FTC Act) – This act both creates the FTC and allows it to enforce and penalize deceptive or unfair business practices including false or misleading claims about apps’ performance.

Among these major agency players, the FDA has struggled the most with trying to adapt its existing regulatory framework to include and regulate mHealth apps.

For instance, the FDA can regulate “medical devices,” but what qualifies as a “medical device” under FDA law? According to its 2015 Guidance, the FDA does not want to regulate every single smartphone app that tangentially relates to fitness or wellness. Instead, the FDA only wants to keep an eye on a small subset of apps called “mobile medical apps” that may pose moderate to high risks to a patient’s safety if the apps fail to work as intended. “Mobile medical apps” can either be those connected to existing medical devices already regulated by the FDA, or those that “transform” mobile platforms into an FDA-regulated device.

The FDA explains that a mobile app “transforms” into a medical device when it uses attachments, display screens, or sensors, or when it uses a mobile platform’s built-in features such as light, vibrations, and camera to create functionalities similar to those of currently regulated devices. But the exact actions that constitute a “transformation” are not yet known and remain open to significant agency discretion.

Therefore, if you were to create a new mHealth app that “transforms” a mobile device, you may need to seek FDA approval for a specific medical device classification based on the level of safety risks it poses. The classes are ranked I, II, or III and any class of device can be subject to what is known as Premarket Notification 510(k).

In anticipation of ambiguities in this field, multiple federal agencies collaborated in 2016 to create the Mobile Health Apps Interactive Tool. What is unique about this user-friendly educational website is that it is clearly intended for IT developers, not healthcare professionals or general consumers.

State laws have also come into play. Earlier in 2017, the New York Attorney General settled with three mHealth app developers for state law violations over their misleading marketing and privacy practices. Those mHealth apps are: My Baby’s Beat–Prenatal Listener; Heart Rate Monitor & Pulse Tracker; and Cardiio-Heart Rate Monitor + 7 Minute Workout. As illustrated in the settlement documents, these apps do not look any more sophisticated than other similar apps, but the New York AG maintained that these cardiac rate monitors probably fall under FDA Class II medical devices. Such a classification means that these are higher risk devices than Class I and thus subject to greater regulatory controls. Although the investigation did not go further, these state cases show that mHealth app developers and manufacturers can be exposing themselves to large amounts of liability at the state level as well as the federal level.

Despite this heightened oversight, the current FDA Guidance is clearly nothing more than a temporary fix when much more is needed to address these issues in such a rapidly growing and changing field. Because Congress has a less-than-great track record of quickly enacting laws, the FDA and other relevant agencies should act swiftly to reevaluate these regulations in order to ensure consumer health and safety while simultaneously fostering innovation in this massively beneficial field.


Prove It or Lose It: The FTC’s Standard for Scientific Support of Medical App Claims

By Julie Liu

Among the countless mobile applications that allow us to control much of our lives, the growing wave of medical apps allows us to manage and improve our health with the convenience of a phone or tablet. But, as illustrated by the Federal Trade Commission’s approval of its final order against the maker of the UltimEyes app, this possibility comes with important limitations.

The 21st Century Cures Act Will Be Implemented Piecemeal

By Jason Liu

As technology and medicine advance, the need to streamline and regulate medicine will increase. One can visit a virtual doctor, connect medical devices to the internet, and access cutting-edge gene therapy precision medicine. However, government agencies work with laws that never considered these innovations. To update these laws, the House passed the 21st Century Cures Act in 2015. The Act currently sits in the Health, Education, Labor and Pensions Senate (HELP) committee. Congress may also break the bill into smaller pieces of legislation.

Lamar Alexander (R-Tenn.), the leader of the HELP committee, recently stated that the panel will divide the 21st Century Cures Act into smaller pieces of legislation. The Act has stalled in the Senate because Democrats and Republicans disagree on how to fund the bill. Beginning Feb. 9, the committee will vote on at least seven bipartisan bills ranging from expediting therapies for rare diseases to improving electronic health records.

Securing Dr. Robot

By Brooks Lindsay

Medical device robots present a number of cybersecurity, privacy, and safety challenges that regulation and industry standards must address in order to safely and rapidly advance innovation in the field.

The University of Washington’s Computer Science Department recently highlighted the problem. Computer science researchers hacked a teleoperated surgical robot called the Raven II during a mock surgery. The hack involved moving pegs on a pegboard, launching a denial-of-service attack that stopped the robot, and making it impossible for a surgeon to remotely operate. The researchers maliciously controlled a wide range of the Raven II’s functions and overrode command inputs from the surgeon. The researchers designed the test to show how a malicious attack could easily hijack the operations of a medical device robot. The researchers concluded that established and readily available security mechanisms, like encryption and authentication, could have prevented some of these attacks.