Guest Column | August 24, 2015

An Introduction To FDA And FCC Regulations Impacting mHealth

By Sonali P. Gunawardhana and Scott Delacourt, Wiley Rein, LLP

The world of mobile health, or mHealth — the practice of medicine and public health supported by mobile devices — is continually changing due to the innovative nature of the industry and to the regulatory scheme in place to monitor it, ensuring both patient safety and appropriate consumer access. 

The regulatory environment surrounding mHealth was undefined for several years. Those who invented software applications for use on smartphones, tablets, and other mobile devices, in pursuit of improved access to healthcare information, found the regulatory scheme ambiguous.  Of course, ambiguity is disheartening for those looking to adhere to the appropriate regulatory pathway.  Thus, recent moves by the U.S. Food and Drug Administration (FDA) have been welcome news to an industry that has requested more transparency from regulatory authorities regarding compliance with governing laws.  On the other hand, Federal Communications Commission (FCC) action in the “net neutrality” proceeding has introduced some new risk and uncertainty. 

Through all of this, the mHealth field has continued to grow rapidly, in landscape complexity and in sheer volume of available technological options. The complexity of these devices is why federal regulators from various agencies are actively engaged in discussions to determine the correct balance between ensuring regulatory oversight and spurring innovation.

Background

Most software applications in the mHealth arena — called mHealth apps, medical apps, mobile medical apps, and other permutations — are used by consumers to monitor their own health. But more intricate and complex apps are used by doctors or healthcare providers for various tasks, such as assisting their patients with day-to-day medical care and monitoring health-related risks, allowing patients the freedom to live a normal life away from a traditional healthcare setting.

Consumer apps, most of which will not be regulated by the FDA, are primarily used to track personal fitness, provide reminders for doctors’ visits and/or drug-dosing schedules, and save and display particular medical records.  Healthcare-operated apps provide a variety of functions, from tracking vital signs to transforming mobile devices into diagnostic tools, and they are generally used by clinicians and other healthcare providers.  This latter app category is of greater concern to the FDA, which must ensure each goes through the appropriate regulatory review to ensure its safety and effectiveness.  

Current FDA Regulatory Framework

In July 2011, FDA issued a draft guidance document regarding regulatory oversight of mobile apps. It outlined a risk-based approach, with a focus on those apps that posed the greatest risk to consumers and patients.  A little over two years later, FDA issued its final guidance, taking into account comments received by healthcare stakeholders, but this final guidance did not vary much from FDA’s initial position.  It clearly stated: “The FDA intends to apply its regulatory oversight to only those mobile apps that are medical devices and whose functionality could pose a risk to patient’s safety if the mobile app were to not function as intended.”

The FDA further stated that it would not regulate consumer-operated apps that track general health, or healthcare-operated apps that monitor health records or medical appointments. The agency also omitted from its regulatory authority companies that sell mobile apps through services, such as Apple’s iTunes Store or Google Play. Remaining under FDA oversight are devices that are classified as medical devices, either by working with existing medical equipment or by turning a mobile device into a medical device based on an intended use of diagnosing, treating, or curing a specific health problem. 

Of course, there is still confusion as to what exactly this means, particularly for those inventing apps that include characteristics of both a “medical device” and an app that doesn’t fall under the FDA’s regulatory umbrella. Understanding where that line is drawn in today’s regulatory environment is the key to ensuring compliance.

If your app does any of the following, you are subject to FDA oversight and should seek clearance and/or approval based on the risk of your device’s intended use:

  • Connects to medical devices in order to control the device, or for active patient monitoring or medical data analysis;
  • Transforms mobile platforms into regulated devices by using attachments or functionalities similar to those found in regulated devices; or
  • Performs patient-specific analysis, diagnosis, or treatment recommendations.

Spillover Effects Of FCC Action

While the FDA has been working to clarify the regulatory landscape for mHealth apps, it appears the FCC, perhaps unintentionally, may be muddying the waters. In its “net neutrality” proceeding, the FCC took steps designed to ensure that broadband providers — principally telecom and cable companies — would not block access to content on the Internet or discriminate in the manner in which Internet traffic is delivered (i.e., charging “edge providers” like Netflix to deliver their traffic to customers, or introducing “fast and slow lanes” on the Internet).  To achieve this result, the FCC changed the regulatory classification of broadband such that it is now regulated in the same manner as telephone service — a highly regulated service.

While the FCC exercised its “forbearance” authority to exempt broadband from much of legacy telephone regulation, it allowed other telephone regulation to be applied directly to broadband. It is these regulations — particularly data privacy regulations — that may impact mHealth apps, either directly or indirectly.

The FCC elected to impose Section 222, the data privacy provision of the Communications Act, on broadband providers.  In the 1990s, the FCC implemented Section 222 by adopting rules regarding the collection and safeguarding of consumer data by telephone companies — data such as telephone numbers called, the time a call was placed, and the duration of call. Because those rules were not meaningful to broadband providers, who do not collect that type of data, it was assumed the FCC would not apply Section 222 to broadband companies.

But, in an unusual move, the FCC stated that Section 222 would apply and be enforced, even before it adopted rules identifying the type of customer data broadband providers should protect.  In terms of guidance, the FCC directed broadband providers to take “reasonable, good faith steps” to comply with Section 222, including employment of “effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.”

The immediate impact for mHealth apps, and for all edge providers whose services involve the collection and transmission of sensitive customer information via broadband, is likely to be more in-depth, pre-launch review by broadband providers, as well as a greater reluctance to partner in providing such applications.  Uncertain of which consumer health data they must protect and how they are expected to do so, broadband providers can be expected to seek reassurances about the privacy controls and practices of mHealth apps before launching them on their networks or partnering in the provision of such services.

A secondary concern is the possibility of direct FCC regulation of mHealth privacy practices.  Although the new rules imposed through broadband reclassification apply only to broadband providers, a petition already has been filed with the FCC seeking to broaden the scope of those rules:  A group called Consumer Watchdog has asked the FCC, in the course of adopting rules to apply Section 222 to broadband, to apply the new rules to edge providers like Google and Facebook as a way to give the FCC authority to force those companies to honor consumer “do not track” preferences.  While it is not clear what action, if any, the FCC will take, the relief Consumer Watchdog requests would require extending new data privacy rules to all edge providers — a group that includes mHealth apps.     

Conclusions

With respect to the FDA, the current regulatory framework is based on guidance and, as such, is considered non-binding, but it should be used as a best practice until regulations are promulgated. FDA’s Safety and Innovation Act requires FDA to work with both the Office of the National Coordinator for Health Information Technology (ONC) and the FCC to develop a broad risk-based regulatory framework for health information technology.

The act required FDA to submit a report to Congress regarding its progress in this area, which it did in January 2014. The report did not suggest more regulation, but instead emphasized a more de-regulatory structure until specific guidelines and standards could be established.  For now, the FDA, ONC, and FCC’s regulatory framework allows each agency broad regulatory discretion to render decisions on a case-by-case basis regarding the type of products, including mHealth apps, subject to regulation.  All three agencies seem to have adopted the idea of fostering regulatory flexibility, but all three also have reserved discretion, given that mHealth appears to be highly innovative and that it is difficult to narrow regulatory clarity across the board.

Of course, this can be interpreted as both good news and bad news for those regulated. The regulatory lines still tend to be blurry and, in the case of the FCC’s privacy regulation, those lines are getting more blurry instead of less so. While the absence of distinct lines may be stifling in some cases, and may be an obstacle where mHealth apps require broadband connectivity or partner with broadband providers, the regulatory ambiguity leaves room for highly innovative ideas to flourish, in some cases. The appropriate agencies will eventually have to make more refined determinations about the regulation of mHealth applications but, for now, innovation can proceed organically and with regulatory concerns largely in the background.

About The Authors

Sonali P. Gunawardhana is Of Counsel in Wiley Rein LLP’s FDA Practice. She draws on nearly 10 years’ experience as an attorney at the U.S. Food and Drug Administration (FDA) to offer clients detailed and practical guidance on how to avoid and resolve FDA regulatory challenges. Gunawardhana received her LL.M. from Washington College of Law, American University, and her J.D. from the University of New Hampshire School of Law. She also holds an M.P.H. from Boston University, an M.A. from Webster University, and a B.A. from Syracuse University.

Scott D. Delacourt, a partner in Wiley Rein’s Telecom, Media & Technology and Privacy practices, advises clients on developing and implementing regulatory strategies, and represents them before the Federal Communications Commission (FCC) and Federal Trade Commission (FTC). He has a broad range of experience in transactions; FTC/FCC investigations and enforcement; and wireless, telecom, and privacy regulation. Scott is chair of Wiley Rein’s FTC Practice Group.