On LinkedIn this morning, I came across a couple of comments about the FDA's recent draft guidance on mobile apps. Thoughtful comments by David Doherty and Nathan Billing in a LinkedIn discussion prompted the following. My imperfect interpretation of their comments was the impetus for this post.

David suggests that FDA regulation will stifle mobile app innovation, and observes that brand-name phone manufacturers are in a better position to shoulder FDA regulations than startups.  He further wonders why an App Store that takes a 30% cut of app revenue does not appear to draw any regulatory attention from FDA.

Nathan agrees that over-regulation could stifle innovation and suggests that the regulatory burden should vary based on the intended user. Nathan implies, I think, that apps for health care professionals should face greater regulatory scrutiny than apps for use by patients. He also laments that FDA has not designated specific standards that would facilitate cross-vendor interoperability in the mHealth ecosystem.

I don't mean to pick on David and Nathan; it's just that they raise some excellent points that I've seen repeatedly in other forms. The problem with many people's constructive criticism of FDA's draft guidance is that they are criticizing or suggesting things that lie outside FDA's legal framework. Criticism that ignores this legal framework is really barking up the wrong tree.

Suggestions that go beyond the FDA's legal framework are not possible without Congress passing major new legislation. Unless the law empowering FDA changes, we have to consider mobile apps within the existing regulatory framework. What you're seeing in the draft guidance is an expression of the FDA's current framework applied to mobile apps.

The objective of this post is not to interpret the current draft guidance on mobile apps, but to describe some basic concepts of FDA regulations to better understand the perceived limitations or choices made by FDA in their draft guidance, and to enable more constructive criticism and suggestions that are consistent with FDA's existing legal framework. FDA regulatory stuff is rather complicated, so please forgive me if I oversimplify some things in an effort to provide some basic explanations.

Limits on FDA's Ability to Regulate

Legally, the FDA can't distinguish between small business innovators and large market incumbents. Nor can they take different regulatory approaches solely based on the user of the medical device - at least in the way that it seems to be implied. The targets of FDA's regulatory power, and how that power is applied, are determined by different factors.

A key regulatory concept of the legal foundation for FDA regulations is that the FDA can only regulate manufacturers. An important corollary is that only one manufacturer may be regulated for a given medical device system, regardless of what (or how many) off-the-shelf technologies are incorporated in the overall medical device system.

Another important part of this regulatory framework is that manufacturers are regulated based on two primary things: the claims they make about their product, and the product's inherent functionality.

Probably the most fundamental concept that underlies almost everything FDA does is patient safety or risk. The greater the perceived risk, the higher the regulatory burden. As reinforced in this draft guidance, medical devices are divided into three classes based on risk, with the lowest risk being Class I and the highest being Class III.

Another important concept about FDA regulations is that FDA ensures safe and effective medical devices by requiring manufacturers to follow a quality system process, rather than testing and certifying a particular product, standard or piece of technology. The FAA tests and certifies airframes, the FDA ensures manufacturers follow a quality system. The intent here is to promote innovation by defining the basic processes followed by the manufacturer to create, manufacture, market and service the resulting device.

Freeing the manufacturer to choose what they think is the best way to implement a design (as long as they follow a quality system process) is supposed to encourage innovation. In many situations, I suppose this approach does promote innovation. Yet as automation transforms medical devices into information appliances, the lack of an agreed-upon technical foundation (such as interoperability standards) stifles a different kind of innovation.

Applying FDA's Framework to Mobile Apps

Who Gets Regulated

Whoever designs and markets (directly or indirectly) the mobile health medical device - be they a startup, a carrier or a mobile phone manufacturer - is the entity the FDA will regulate. In the case of a startup that bases their medical device on, say, the iPhone, how would FDA go about regulating Apple (solely or in conjunction with the startup)? Also, while FDA only regulates manufacturers, health care providers can meet the legal definition of a manufacturer if they create a medical device, or modify an existing medical device, and use it in clinical practice.

FDA regulations (the Quality System regulation) impose a basic quality system on the design, manufacture, sales and service of a medical device. In the LinkedIn discussion example, the manufacturer (the startup) does the design, marketing (defines the claims and intended use) and provides any service and support. Apple is simply an indirect distribution channel. Apple makes no additional or different claims for the product, nor do they provide any service other than distribution of the software that runs on their phone.

If the FDA were to regulate Apple, how would this improve the safety and effectiveness of the medical device? I can't see how it would. I suspect that if FDA were to attempt to regulate Apple for their sale of medical device applications, Apple would kick all medical device apps out of the App Store - definitely impacting innovation.

The Intended User

The user of the medical device is an important consideration for FDA. When the user is a clinician, with all that implied knowledge and expertise, certain assumptions are often made by the manufacturer - and accepted by FDA - that in the event of a problem (e.g., a limitation of the product, a deterioration in the patient's condition or an adverse event), the user has the wherewithal to "do the right thing," rather than continue blindly down the path that may be indicated by the medical device.

When the user of a medical device is a patient or family member - what the FDA calls a "lay person" - the user lacks the broad and deep knowledge that a clinician brings to the use of a medical device. Thus the device must have a better user interface and a safer design to ensure an outcome on par with that obtained by a clinician user. This is not a new issue for FDA.

The past several years have seen a number of hospital products pushed for use in home health. From this experience, the industry and FDA have learned the lessons described above. Consequently, FDA considers medical devices designed for use by lay people to generally be higher risk than those whose intended user is a clinician.

The result is that FDA will likely bring a higher level of scrutiny to devices intended for use by lay people, compared to devices intended for use by professionals. The result will not be a lowering of the regulatory bar for products targeting patients, but a higher regulatory hurdle.

Industry Standards Adoption

Many of the comments about the FDA's draft rule on mobile apps lament the absence of industry standards to facilitate cross-vendor interoperability. The implied or explicit solution is that the FDA mandate a specific standard. While there is a great need for a minimal level of cross-vendor interoperability to foster market adoption, the FDA has no legal foundation for placing a specific standard on industry. In short, great idea, but a complete waste of time. Instead, one should look to see how this problem has been solved in other industries.

There are plenty of standards bouncing around, some, like 11073, for more than 30 years. The challenge is picking a standard(s), getting a critical mass of vendors to adopt said standard(s), and providing a meaningful level of test and certification for compliance. Most any health care market can be divided between acute care (i.e., hospitals where the patient's too sick to be walking around) and ambulatory care (i.e., home health, chronic disease management, physician offices and clinics - where the patient's sick but is still ambulatory).

Most mobile apps target ambulatory care markets. There is a test and certification alliance, the Continua Health Alliance, that exists for selecting standards and providing the necessary test and certification for the ambulatory market. There are admittedly several big holes in FDA's regulatory framework when one considers mobile app products (that are all outside the scope of this blog post). While not a standards-oriented group, the mHealth Regulatory Coalition is working to address shortcomings in FDA's current regulatory framework for mobile apps. Be sure to check them out.

For acute care, there are a number of industry standard-setting initiatives. The oldest is the IHE PCD domain. This group has been working since 2005 on medical device connectivity and interoperability. This test and certification group is mainly held back by the absence of a standard that's been adopted by medical device manufacturers, and the resulting glacial pace of adoption - but they are making progress. Another hotbed of standards work comes from the Medical Device Plug and Play Interoperability Program at CIMIT and Partners Healthcare. They're working on the Integrated Clinical Environment standard, MD Fire connectivity purchase contracting language and also working with FDA on developing a more effective interoperability regulatory framework.

International Markets and Quality Systems

Before I posted this, Dayle Kern added to the LinkedIn discussion asking, "What about mobile apps for developing countries?" My first thought is that as a market, mobile apps is still very much in the pilot stage. While there's a perception that adoption is much greater outside the U.S. (especially in the third world), the reality is that there are just a lot of pilots being run in other countries in addition to those in the U.S. My next thought is that while the regulatory burden may be lower outside the U.S. (and especially in the third world), why shouldn't the patients in those countries get a product that's as safe and effective as the ones intended for U.S. or European users?

I have clients doing clinical trials outside the U.S., and who launch products outside the U.S. first. The reasons behind those decisions have everything to do with time to market and costs - much of which are determined by relative regulatory burdens here and in other countries. But, without exception, they're following appropriate quality systems to ensure a safe and effective product. The costs they're saving are not on the design side, but on the regulatory side. And consequently, their products are as safe and effective as they would be if the U.S. was where they were doing trials or launching their product.

Finally, in a world where it's almost impossible to buy a hot water heater or air conditioner from a manufacturer who is not ISO9001 certified, it's almost as impossible to buy a healthcare IT software application from a vendor following the same or similar basic quality system. From their resistance to adopt quality systems, one would almost think that vendors in health care consider quality and safety to be less important than do companies in the HVAC business.

Manufacturers in many other industries don't seem to have a problem innovating or competing while broadly adopting quality systems - on a voluntary basis, I might add. Please explain to me how a similar quality system for medical devices - regulated or otherwise - is an unreasonable burden?