Mobile Apps Guidance Q&A


On LinkedIn this morning, I came across a couple of comments about the FDA’s recent draft guidance on mobile apps. Thoughtful comments by David Doherty and Nathan Billing in a LinkedIn discussion prompted the following. My imperfect interpretation of their comments was the impetus for this post.

David suggests that FDA regulation will stifle mobile app innovation, and observes that brand-name phone manufacturers are in a better position to shoulder FDA regulations than startups.  He further wonders why an App Store that takes a 30% cut of app revenue does not appear to draw any regulatory attention from FDA.

Nathan agrees that over-regulation could stifle innovation and suggests that the regulatory burden should vary based on the intended user. Nathan implies, I think, that apps for health care professionals should face greater regulatory scrutiny than apps for use by patients. He also laments that FDA has not designated specific standards that would facilitate cross-vendor interoperability in the mHealth ecosystem.

I don’t mean to pick on David and Nathan; it’s just that they raise some excellent points that I’ve seen repeatedly in other forms. The problem with many people’s constructive criticism of FDA’s draft guidance is that they are criticizing or suggesting things that lie outside FDA’s legal framework. Criticism that ignores this legal framework is really barking up the wrong tree.

Suggestions that go beyond the FDA’s legal framework are not possible without Congress passing major new legislation. Unless the law empowering FDA changes, we have to consider mobile apps within the existing regulatory framework. What you’re seeing in the draft guidance is an expression of the FDA’s current framework applied to mobile apps.

The objective of this post is not to interpret the current draft guidance on mobile apps, but to describe some basic concepts of FDA regulations to better understand the perceived limitations or choices made by FDA in their draft guidance, and to enable more constructive criticism and suggestions that are consistent with FDA’s existing legal framework. FDA regulatory stuff is rather complicated, so please forgive me if I oversimplify some things in an effort to provide some basic explanations.

Limits on FDA’s Ability to Regulate

Legally, the FDA can’t distinguish between small business innovators and large market incumbents. Nor can they take different regulatory approaches solely based on the user of the medical device – at least in the way that it seems to be implied. The targets of FDA’s regulatory power, and how that power is applied are determined by different factors.

A key regulatory concept of the legal foundation for FDA regulations is that the FDA can only regulate manufacturers. An important corollary is that only one manufacturer may be regulated for a given medical device system, regardless of what (or how many) off-the-shelf technologies are incorporated in the overall medical device system.

Another important part of this regulatory framework is that manufacturers are regulated based on two primary things: the claims they make about their product, and the product’s inherent functionality.

Probably the most fundamental concept that underlies almost everything FDA does is patient safety or risk. The greater perceived risk, the higher the regulatory burden. As reinforced in this draft guidance, medical devices are divided into three classes based on risk, with the lowest risk being Class I and the highest being Class III.

Another important concept about FDA regulations is that FDA ensures safe and effective medical devices by requiring manufacturers to follow a quality system process, rather than testing and certifying a particular product, standard or piece of technology. The FAA tests and certifies airframes, the FDA ensures manufacturers follow a quality system. The intent here is to promote innovation by defining the basic processes followed by the manufacturer to create, manufacture, market and service the resulting device.

Freeing the manufacturer to choose what they think is the best way to implement a design (as long as they follow a quality system process) is supposed to encourage innovation. In many situations, I suppose this approach does promote innovation. Yet as automation transforms medical devices into information appliances, the lack of an agreed upon technical foundation (such as interoperability standards) stifles a different kind of innovation.

Applying FDA’s Framework to Mobile Apps

Who Gets Regulated

Whoever designs and markets (directly or indirectly) the mobile health medical device – be they a startup, a carrier or a mobile phone manufacturer – is the entity the FDA will regulate. In the case of a startup that bases their medical device on, say, the iPhone, how would FDA go about regulating Apple (solely or in conjunction with the startup)? Also, while FDA only regulates manufacturers, health care providers can meet the legal definition of a manufacturer if they create a medical device, or modify an existing medical device, and use it in clinical practice.

FDA regulations (the Quality System regulation) impose a basic quality system on the design, manufacture, sales and service of a medical device. In the LinkedIn discussion example, the manufacturer (the startup) does the design, marketing (defines the claims and intended use) and provides any service and support. Apple is simply an indirect distribution channel. Apple makes no additional or different claims for the product, nor do they provide any service other than distribution of the software that runs on their phone.

If the FDA were to regulate Apple, how would this improve the safety and effectiveness of the medical device? I can’t see how it would. I suspect that if FDA were to attempt to regulate Apple for their sale of medical device applications, Apple would kick all medical device apps out of the App Store – definitely impacting innovation.

The Intended User

The user of the medical device is an important consideration for FDA. When the user is a clinician, with all that implied knowledge and expertise, certain assumptions are often made by the manufacturer – and accepted by FDA – that in the event of a problem (e.g., a limitation of the product, a deterioration in the patient’s condition or an adverse event), the user has the wherewithal to “do the right thing,” rather than continue blindly down the path that may be indicated by the medical device.

When the user of a medical device is a patient or family member – what the FDA calls a “lay person” – the user lacks the broad and deep knowledge that a clinician brings to the use of a medical device. Thus the device must have a better user interface and a safer design to ensure an outcome on par with that obtained by a clinician user. This is not a new issue for FDA.

The past several years have seen a number of hospital products pushed for use in home health. From this experience, the industry and FDA have learned the lessons described above. Consequently, FDA considers medical devices designed for use by lay people to generally be higher risk than those whose intended user is a clinician.

The result is that FDA will likely bring a higher level of scrutiny to devices intended for use by lay people, compared to devices intended for use by professionals. The result will not be a lowering of the regulatory bar for products targeting patients, but a higher regulatory hurdle.

Industry Standards Adoption

Many of the comments about the FDA’s draft rule on mobile apps lament the absence of industry standards to facilitate cross-vendor interoperability. The implied or explicit solution is that the FDA mandate a specific standard. While there is a great need for a minimal level of cross-vendor interoperability to foster market adoption, the FDA has no legal foundation for placing a specific standard on industry. In short, great idea, but a complete waste of time. Instead, one should look to see how this problem has been solved in other industries.

There are plenty of standards bouncing around, some, like 11073, for more than 30 years. The challenge is picking a standard(s), getting a critical mass of vendors to adopt said standard(s), and providing a meaningful level of test and certification for compliance. Most any health care market can be divided between acute care (i.e., hospitals where the patient’s too sick to be walking around) and ambulatory care (i.e., home health, chronic disease management, physician offices and clinics – where the patient’s sick but is still ambulatory).

Most mobile apps target ambulatory care markets. There is a test and certification alliance, the Continua Health Alliance, that exists for selecting standards and providing the necessary test and certification for the ambulatory market. There are admittedly several big holes in FDA’s regulatory framework when one considers mobile app products (that are all outside the scope of this blog post). While not a standards-oriented group, the mHealth Regulatory Coalition is working to address shortcomings in FDA’s current regulatory framework for mobile apps. Be sure to check them out.

For acute care, there are a number of industry standard setting initiatives. The oldest is the IHE PCD domain. This group has been working since 2005 on medical device connectivity and interoperability. This test and certification group is mainly held back by the absence of a standard that’s been adopted by medical device manufacturers, and the resulting glacial pace of adoption – but they are making progress. Another hotbed of standards work comes from the Medical Device Plug and Play Interoperability Program at CIMIT and Partners Healthcare. They’re working on the Integrated Clinical Environment standard and MD Fire connectivity purchase contracting language, and are also working with FDA on developing a more effective interoperability regulatory framework.

International Markets and Quality Systems

Before I posted this, Dayle Kern added to the LinkedIn discussion asking, “What about mobile apps for developing countries?” My first thought is that as a market, mobile apps is still very much in the pilot stage. While there’s a perception that adoption is much greater outside the U.S. (especially in the third world), the reality is that there’s just a lot of pilots being run in other countries in addition to those in the U.S. My next thought is that while the regulatory burden may be lower outside the U.S. (and especially in the third world), why shouldn’t the patients in those countries get a product that’s as safe and effective as the ones intended for U.S. or European users?

I have clients doing clinical trials outside the U.S., and who launch products outside the U.S. first. The reasons behind those decisions have everything to do with time to market and costs – much of which are determined by relative regulatory burdens here and in other countries. But, without exception, they’re following appropriate quality systems to ensure a safe and effective product. The costs they’re saving are not on the design side, but on the regulatory side. And consequently, their products are as safe and effective as they would be if the U.S. was where they were doing trials or launching their product.

Finally, in a world where it’s almost impossible to buy a hot water heater or air conditioner from a manufacturer who is not ISO9001 certified, it’s almost as impossible to buy a healthcare IT software application from a vendor following the same or similar basic quality system. From their resistance to adopt quality systems, one would almost think that vendors in health care consider quality and safety to be less important than do companies in the HVAC business.

Manufacturers in many other industries don’t seem to have a problem innovating or competing while broadly adopting quality systems – on a voluntary basis, I might add. Please explain to me how a similar quality system for medical devices – regulated or otherwise – is an unreasonable burden?



  1. Excellent tutorial on the FDA mandate for app developers new to the healthcare space. Attending recent #mhealth conferences and #SXSW has made me nervous that developers are building cool apps for patients, but they have no experience getting content or products through legal or regulatory review. It was only a matter of time before the FDA got to this on their agenda. Thanks for your common sense explanation on why the FDA does what it does, and frankly, why it’s a social good.

    Now, how about some FDA guidance on social media?

  2. Great idea, David! I’ve just started a post on social media guidance.

  3. Tim,

    In Europe they use the system you’ve described where you must have used a test and certification body for the regulatory aspect – not prove your product was developed using a quality process system. One other nitpick – IHE-PCD does not certify – they have a conformance test, but do not certify. Manufacturers issue conformance statements after they’ve participated in a Connect-a-Thon which is monitored and checked by IHE observers. If you are a provider, you must understand completely what you are buying/not buying when you specify a certification versus a conformance.

    Lastly, the whole mobile apps paradigm is definitely a sticky wicket…there are several mechanisms for mobile enablement of health care – one could argue that a voice line could be of a critical nature; SMS text based messaging all the way to alarm/waveform and image propagation. Differing levels of technology but all could have the same impact on the patient if the information was not correctly sent or understood.

  4. Great summary.

    I wrote a similar piece for @pharmaphorum regarding potential implications for pharma — all ears for conversation and feedback:

    Exciting times in mobile health!


  5. Bridget, thanks for your comment. Your mHealth consulting in Europe has provided you with a perspective that few in the industry share.

    Regarding test and certification organizations (TCOs), the depth and breadth of testing done by TCOs varies greatly. One of the most extensive is the Wi-Fi Alliance (WFA) that requires a rather comprehensive test suite be completed successfully. Last time I checked, a third party lab would charge $15k to $20k to run this test suite on a product.

    Other organizations, like the IHE and Continua, complete much more abbreviated test plans under the watchful eyes of official proctors during weekend “plug-fests” held in hotel ballrooms. Continua’s “certification” is the same as the WFA’s, the right to display a logo on your product. The IHE’s certification comes in the form of a listing of integration statements in the IHE’s product registry.

    Medical device manufacturers that want to demonstrate cross-vendor interoperability or network coexistence are in a bit of a bind. Existing TCOs’ testing doesn’t come near to that required by FDA’s Quality System regulation. Consequently, manufacturers have a choice of foregoing test and certification altogether, or doing it twice – once for the TCO and again themselves to satisfy the FDA. What’s needed is a TCO that operates at a level as rigorous as that mandated by the Quality System regulation. Then medical device manufacturers will only have to go through the process once.

    Admittedly, all these examples fall short of a test and certification process geared for regulating life safety products like medical devices and airplanes. But even these less robust TCOs provide a valuable service by way of demonstrating a certain degree of cross-vendor interoperability, something that’s critical to many mHealth applications.

  6. William Hyman

    The FDA has announced a Mobile Apps Public Meeting.
    Sept 12-13, 2011
    Silver Spring MD

  7. William Hyman

    The FDA Law Blog reports that the FTC has also weighed in on medical mobile apps, bringing charges against an acne “treatment” app available at iTunes. The actual claimed treatment was allegedly achieved by holding the mobile device to the affected area. Perhaps not surprisingly the FTC says the claims made have not been substantiated.
    (As previously noted, that Hyman and I are not related.)

  8. William Hyman

    The FDA Law Blog has reported on the September 12-13 FDA Mobile Medical Apps public meeting. This includes a discussion of clinical decision support systems.

  9. Using any app, without making sure it’s from a reliable source, is like doctoring that ugly mole using a ‘how-to-knit’ article on Wikipedia.

  10. William Hyman

    Here is a discussion of an app Dear Doctor letter:

    And here an app recall (for not being cleared in the US)

