Uncertainty abounds when dealing with digital health regulation by the FDA and other international regulatory bodies. For this discussion we'll divide uncertainty into two categories: uncertainty due to a lack of knowledge about the potential regulations on the part of manufacturers, and uncertainty about just what various regulatory agencies are doing - or going to do - about new and innovative products that meet the definition of a medical device.
What is a Medical Device?
Let's start with the first category; there is an astounding amount of misinformation and just plain wrong-headedness on the part of many vendors (and providers) who are outside the ranks of traditional medical device manufacturers. The first issue we need to address is the question, "What is a medical device?" Here's the legal definition of a medical device, courtesy of FDA:
A device is:
- an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:
- recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
- intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
- intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.
If you look up the word contrivance, you'll see that almost anything can be a medical device: tongue depressor, superglue, software, even services — let your imagination run free. If it quacks like a duck — is intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease (or other health related conditions like injury), it is a duck. Calling it a chicken or even a turkey does not change a regulatory agency's perception of the quacking product's "duckness."
There is also a classification of medical device called a Medical Device Data System, or MDDS. An MDDS acquires data from one or more medical devices, stores it, can transform it per written specifications (e.g., change units of measurements or labels of data elements), display the data and make the data available to other applications. Thus if a product meets the definition of an MDDS it is a duck, and cannot claim to be something else because all that's being done is automated record keeping.
Automated record keeping is generally held by regulators to not be a medical device — but the first step of acquiring data from the medical device does qualify as a medical device. The only way to acquire medical device data without being categorized as an MDDS is to get the data from another application that is an MDDS, or have users hand-enter the data into your application.
I've heard the argument that, "we're only storing the data, and that's not a medical device." This can be true, if what you're doing with the data (besides storing it) does not meet the definition of a medical device, and if you're not acquiring the data directly from the medical device (because that's an MDDS).
The Regulatory Significance of Marketing Claims
Fierce Mobile Healthcare captured a great quote in a story the other day from Bakul Patel, a policy advisor in CDRH at FDA, about the potential for digital health app regulation:
Companies that make health claims in their marketing, or actually perform clinical operations on their mobile devices, may be the first targets [of FDA enforcement actions].
So we've already dealt with the second part of Patel's statement, about whether the product performs clinical operations and thus meets the definition of a medical device. The first part, about marketing claims, is the next important regulatory concept. Claims are also referred to as "labeling" by FDA, and include a product's positioning statement, brochures, advertisements, white papers, and what sales reps tell customers verbally, in email or PowerPoint presentations.
You can't take a duck and call it a chicken in your marketing claims if it's really a duck. Likewise, if there's a likelihood customers will use it as a duck after purchase, regulators will treat it as a duck. For example, say you develop software to view DICOM images (X-rays, CT scans, MRIs, maybe some sexy 3D reconstructions) on the iPhone and iPad - but you tell physicians they can't use your product to render an actual diagnosis. What then are they to use the app for, a novelty? A similar product was identified as a duck by FDA a few years ago, and eventually received FDA clearance for sale by the vendor.
Another important thing regarding claims about medical devices is that regulatory agencies will treat your product like a regulated medical device if you make claims that your product is a medical device. For example, Apple came perilously close to claiming the iPhone was a medical device during their iOS 3.0 intro event. Since then, Apple's toned down their aggressive marketing of the iPhone (and iPad) as medical devices, though they still show examples of medical device applications in commercials, at events and on their website. In another example, several years ago Cisco produced a brochure that showed a patient monitor alarm message and associated waveform displayed on a Cisco VoIP handset. This quickly drew a visit by FDA and a "request" to withdraw the brochure, which they did.
When managing digital health regulatory uncertainty, the bottom line is whether your product is a medical device or not. If you make claims that give the impression that it is a medical device, you are likely to find yourself regulated — or have to claw back your claims.
Regulation of Off-the-Shelf Technologies
A similar topic that is rife with confusion is whether generic products like smartphones, smartwatches, wireless carriers or network equipment will be regulated. Currently available smartphones, by themselves, do not meet the definition of a medical device. There are three ways the smartphone itself can become regulated:
- The smartphone manufacturer could make medical device claims - even though the product does not meet the definition of a medical device
- The smartphone manufacturer could add features, say an interface to acquire data from sensors like glucometers, implanted pacemakers or some other medical device
- A third party could develop a product, notably software that runs on the smartphone, and perhaps other components or accessories, that all together meet the definition of a medical device
Item one above relates to the Apple and Cisco examples used earlier. If your product is not a duck, don't make claims that it is, and you won't have to deal with FDA and their international brotherhood of regulators.
The second scenario above is really just as straightforward. If Samsung built an Android smartphone with an interface for glucometers, and then promoted the product to diabetics like, "Hey, buy my smartphone to acquire data from your glucometer to better manage your diabetes," they've transformed their product into a medical device. Another similar situation would be where the smartphone manufacturer creates a port on their phone to attach a blood pressure cuff, which they sell as an accessory to their smartphone. A generic equipment manufacturer who does something like this will likely see someone from FDA in the very near future.
Now what about a generic interface like Bluetooth? What if a third party uses that Bluetooth interface already built into the smartphone to connect a glucometer to help diabetics manage their disease? Then the third party becomes the regulated entity, and the smartphone is just another off-the-shelf component that goes into the overall medical device. In this case, the medical device is regulated — through the third party manufacturer — and the smartphone maker never hears from the FDA. From this example you see that which manufacturer ends up getting regulated is what's important, and not the device itself.
Bottom line, general purpose smartphones, tablets, personal computers, wireless carriers' networks, LAN equipment — none of these manufacturers will be regulated, with one exception. If the general purpose equipment manufacturer makes medical device claims, the general purpose equipment manufacturer will be regulated. If a third party uses general purpose equipment as off-the-shelf technology in their medical device, the third party gets regulated and not the general purpose equipment manufacturer. (Of course there's a third possibility where the general purpose manufacturer adds specific features to their product transforming it into a medical device — which we've addressed above.)
So when people ask, "Is the FDA going to regulate smartphones?" they are asking the wrong question. The manufacturer of the medical device will be regulated, regardless of whether the smartphone is a component in a medical device, or the smartphone is transformed into a medical device itself. It is true that indirectly smartphones are regulated by FDA, but such a statement really distorts what's actually going on.
Apple Watch Example
Apple's recent FDA clearance for the Apple Watch is a great example of managing digital health regulatory uncertainty. Apple added medical device features to their watch and made medical device claims about detecting certain cardiac arrhythmias. The cardiac arrhythmia feature was cleared through the De Novo process with two submissions, one for the Irregular Rhythm Notification Feature and one for the ECG App. Apple's intended use for this device does not require a physician's prescription and was cleared for over the counter use.
This contrasts with Alivecor's clearance for their Kardia Band System intended to record, store and transfer single-channel electrocardiogram (ECG) rhythms. Here the Kardia watch band and application software are manufactured by Alivecor, using the Apple Watch as a general purpose computing platform. Alivecor is the regulated manufacturer for this product, and not Apple or the Apple Watch. Due to their claims and ability to designate a predicate device (based on the iPhone), Alivecor was able to get 510(k) clearance, rather than go through the much more complex and potentially time consuming De Novo process. The Alivecor product is intended for use only under a physician's prescription.
The FDA issued a statement the same day that Apple announced the Apple Watch arrhythmia features. This statement refers to the FDA's efforts to increase their ability to regulate what is expected to be a rapidly growing number of medical devices based on tablets, smartphones, smartwatches and other consumer electronics.
As an aside, the FDA took some flak for apparently fast tracking Apple's De Novo submission. In the FDA's statement linked above, they make reference to working with Apple prior to their submission. This unusually early collaboration, and the fact that Apple's regulatory consultant for the submission was Donna-Bea Tillman who ran the Office of Device Evaluation at FDA for several years, are the likely factors resulting in this rapid clearance. It is doubtful any other company (or even Apple, for that matter) will get this kind of fast track cooperation from FDA in the future.
It has also been misreported by Forbes and others that the Apple Watch's two clearances are for the arrhythmia detection and falls. A review of the FDA 510(k) and De Novo databases shows 2 De Novo clearances (linked above), both for the arrhythmia product. Apple does not appear to have an FDA clearance for fall detection (which makes sense for a consumer device). Apple Watch fall detection is positioned as a "health and wellness" feature (which is not regulated by FDA) rather than as a medical device.
In fact, fall detection is a great example of a product that can be a medical device or not, based purely on the intended use and marketing claims. Apple positions this feature as one for consumers and does not make claims that it is for patients at risk for falls. In cases like this, it is up to the manufacturer to determine which kinds of intended use and claims are desired or sufficient to drive revenue and whether they want to be regulated or not. Once this decision is made, the manufacturer should have a regulatory strategy that details the regulatory boundaries and communicates to employees what is required so as not to unintentionally deviate from the strategy.
Medical Devices for Consumers Versus Practitioners
Some have suggested that the Apple Watch Afib arrhythmia feature is not a medical device. Admittedly, the different requirements for an over-the-counter medical device versus one that requires a physician's prescription are confusing. I suspect that the accuracy and specificity of Apple's arrhythmia detection is as accurate as a prescription only product like the Alivecor Kardia Band ECG monitor that also uses the Apple Watch (and is used by cardiologists to diagnose Afib arrhythmias in certain patients). The key difference is the latter is used as a diagnostic tool by physicians for specific patients and the other is not. This Forbes article has a good discussion about complexities that can arise when diagnostic tools are placed in the hands of consumers without the active involvement of clinicians.
Skepticism of Apple's Afib arrhythmia claims and whether it will have any diagnostic value in the real world is justified. With the exception of one or two academic medical studies (that may be funded and/or promoted by Apple in the future), I suspect that the feature will only be used by the "worried well" and that the typical family practice doc will take any Apple Watch Afib results with a grain of salt and order an EKG or refer to a cardiologist. This ambiguous situation though does not preclude the Apple Watch from being a medical device, as it most surely is. Nor does this ambiguity preclude the Apple Watch from identifying a previously undiagnosed patient who has Afib arrhythmias.
Regulatory Agency Actions
Anticipating regulators' actions is a key part of managing digital health regulatory uncertainty. Regulators have what's called "discretion," whereby they decide if they want to ignore something they legally could pursue or not. This is typically referred to as enforcement discretion.
It is common for regulators to observe the development of new medical device markets without enforcing regulations, provided there is no undue risk to patient safety. At some point, when the market has matured sufficiently, and/or FDA's understanding of the new market matures, or risk to patient safety becomes too big to ignore, the regulator shifts away from enforcement discretion. Regulators may signal this shift through a reclassification of the device category (as FDA did with MDDS), by publishing a guidance document, or they may simply start enforcing regulations.
Enforcement discretion in no way limits a regulator's future actions. Just because they chose to look the other way before doesn't mean they can't change their minds — at any time — and later pursue enforcement. This is true in relationship to past inaction and future regulatory actions, and the retroactive enforcement of actions that previously received enforcement discretion. Thus taking advantage of enforcement discretion, either explicitly stated by FDA or assumed by the manufacturer based on FDA inaction, is a business risk that can result in unanticipated enforcement actions that result in costs and potential delays in getting to market.
Regulators rarely, if ever, publicly announce a policy of enforcement discretion regarding a medical device market or product. They only sometimes signal a shift away from enforcement discretion. Nor do regulators clearly state that, "if you do x, we will not pursue enforcement, but if you do y we will pursue enforcement." It is possible to infer such distinctions retroactively, but with nothing on the record either way this becomes an exercise in supposition.
What types of products meet the legal definition of a medical device is pretty black and white; what makes things confusing is all the products that meet the definition that aren't actively regulated due to discretion. All of this discretion creates a lot of uncertainty for manufacturers. This uncertainty requires management to make judgement calls about how much regulatory risk they want to assume with a given product in a given market. Unlike mature markets like hospital patient monitors, emerging markets like digital health and clinical decision support have a lot of uncertainty.
Probably the biggest risks are having to incur unanticipated costs and time-to-market delays to become a regulated manufacturer and, if necessary, receive clearance from the regulatory agency to sell your product. The manufacturer of the smartphone app for viewing DICOM images mentioned above was delayed 2 years in getting their product to market, and they had to bear significant costs to bring company operations into regulatory compliance and generate clinical data to demonstrate their product's safety and effectiveness. If they'd had a regulatory strategy from the get-go, their costs would have been substantially less (but still more than an equivalent product that's not a medical device) and they probably would have gotten to market a lot sooner. Eliminating regulatory uncertainty is all about getting informed and planning, rather than having to react to something you'd hoped to avoid.
Managing Digital Health Regulatory Uncertainty
If you're going to manage digital health regulatory uncertainty, the first thing is to pay attention! Actively track regulators to learn about any enforcement actions against vendors or products similar to yours (the FDA has public databases with this information). Seek access to informal or back channel communications with regulators. You can do this by attending meetings attended by regulators and building personal relationships with regulators through standards work and other means. If your company lacks the resources to do these things directly, engage with someone who can do them for you. Next, continuously apply your awareness of the regulatory environment around your product to your specific situation.
If you manufacture general purpose products or services (e.g., smart phones, cellular carrier networks, Ethernet or Wi-Fi equipment) and you know your products are being used in medical devices, you should probably have or develop a regulatory strategy to ensure you maintain your unregulated status. If you're a general purpose manufacturer or service provider, and know that your product is used in medical devices, and want to encourage the medical device market to adopt your products, you definitely need a regulatory strategy. Encouraging the use of your products or services in medical devices can cause you to become regulated, if you don't do things in the right way.
If you are using off-the-shelf components and creating your own product or components (writing software, creating services or developing specialized hardware) for health care related activities, you too should have a regulatory strategy. If your product does not meet the definition of a medical device, you need a strategy that clearly demarcates what makes your product not a medical device, and the actions you will take to maintain those distinctions.
Most likely your product does meet the definition of a medical device, and in many nascent markets — like digital health — enforcement discretion is not being pursued by regulators. In that case you need a more complex strategy. Your strategy should include:
- Attempt to discern what, if any, actions will cause regulatory discretion to shift to enforcement, and if or how to avoid those actions
- Judge the maturity of your market and any indicators (especially actions or comments by regulators) as to when regulators might shift from enforcement discretion
- Evaluate the impact of being regulated on both your operations and external market factors like potential competitive advantage — it is common for some companies to voluntarily be regulated before the actual shift to enforcement discretion
- Develop your plan for when and how to become regulated
Like any evolving situation, the biggest challenge to managing digital health regulatory uncertainty comes from not knowing what you don't know. Hope is not a plan, and the worst thing you can do is nothing. Start turning over those rocks — you may find a few icky things, but there are no monsters.
Tim - another great explanatory post with excellent examples. I find it laughable that EMRs/etc aren’t regulated and the comment from your post : “‘we’re only storing the data, and that’s not a medical device.’ This can be true, if what you’re doing with the data (besides storing it) does not meet the definition of a medical device, and if you’re not acquiring the data directly from the medical device (because that’s an MDDS)” is scary because the EMRs are not just storing the data, they are using it to help make decisions (clinical decision support - or AI as a lot of marketing people like to call it nowadays).
Interestingly, one can see why many EMRs/EHRs will not allow direct integration from outside systems and insist on an integration broker, so that many times you will see the device integration broker sending data to another integration broker which then sends the data or maps it to the EMR/EHR back-end database application. It’s like they are trying to stay an arm’s length away from being ‘regulated’ by thrusting the MDDS and other FDA requirements downstream. And yet, clinical decision support can be even more dangerous than one device measurement because it is using and integrating data from different sources, using or developing an algorithm based on that data and making recommendations on actions for clinicians to take. Most medical devices don’t do that unless they have some type of a software agent embedded (example: AED).
In the commercial realm, these ‘health and wellness devices’ are getting more sophisticated and are being used in clinical decision support algorithms. Your example of a falls detector is a good one. A simple accelerometer and/or passive monitoring in the home is used to feed a ‘personal health monitoring’ back-end or algorithm which can then be accessed by the consumer/patient or an information caregiver or a clinician. These algorithms can also give advice to all users. So, where does the medical device begin and end in that situation?
I want to be careful as over-regulation can stifle innovation; however, having one end of a system bear the burden of the regulatory oversight and not another isn’t correct either, especially as these systems are becoming more integrated over time and people (users, patients, clinicians and informal carers) are beginning to rely on them for advice. It will be interesting to see how all this shakes out in the end.