Mobile health’s regulatory path

For developers of mHealth technologies, understanding the ins and outs of FDA regulation is imperative as the market evolves and expands.

Mobile and web-based health solutions have empowered consumers in many ways, offering simple methods to monitor diet and exercise, communicate with caregivers, fill prescriptions and access medical records. mHealth solutions are helping people gain knowledge quickly about their own health, in a way that is easy and enjoyable, using a mobile phone or tablet. Yet there is a downside. Some applications look and act a lot like a medical device, collecting clinical data from the user and providing diagnostic information, therapeutic advice and treatment recommendations. For those solutions, the U.S. Food and Drug Administration (FDA) has an important role in protecting patients from misguided advice that could be harmful and even life-threatening.

In the last few years, the FDA has been taking a sharper stance on mHealth companies, conducting extensive audits and – in at least one case – shutting a company down until it complied with documentation and compliance requests. Other federal agencies, including the Justice Department and the Center for Medicare and Medicaid Services (CMS), are also paying closer attention to the mHealth industry in the interest of protecting patients.

The large majority of mHealth apps, however, focus on tracking lifestyle and fitness. As described in the latest mobile medical guidance document, these consumer apps are subject to zero or minimal FDA regulatory review. Yet a small percentage cross the line from a consumer wellness app to a quasi-medical device or digital therapeutic. It’s important to understand if your application is one of those which could be under the regulatory agency’s radar and more importantly, one that could have patient safety ramifications.

Working with the FDA

WellDoc has had years of experience working with the FDA in conjunction with our digital health therapeutic that helps people with type 2 diabetes manage their conditions. We began communicating with the agency in 2006, when the notion of regulating mobile apps was just beginning to percolate at early mHealth trade shows and conferences. Then, existing FDA guidelines recommended that software developers follow the guidelines for medical devices, along with the accessory rule, which applied to technologies that worked in concert or exchanged data with a medical device, such as a pacemaker or blood glucose monitor. At the time, the rule stated that the software would take the equivalent class of the medical device accessory with which it was interoperating.

The WellDoc BlueStar digital health therapeutic was cleared by the FDA as a Class II device in 2010. Even though the mobile medical guidelines were only evolving, we wanted to be proactive, since our software collected data from glucose monitors and provided real-time coaching about glucose, medication, exercise and diet based on those data points.

There’s been significant progress on the regulatory front for mHealth in the last few years. Industry organizations such as the mHealth Regulatory Coalition (MRC), formed in 2010 and led by Bradley Merrill Thompson, with members including wireless operators, healthcare payers, device manufacturers, lawyers and policy experts, have been instrumental in positively influencing how regulation and free-market innovation can co-exist. In 2014, the FDA’s Center for Devices and Radiological Health (CDRH) officially appointed Bakul Patel as its first director of digital health. Under Patel’s leadership (which began prior to his official assignment as director), the FDA began holding public forums for feedback.

As a result of these efforts, the FDA released in 2013 the Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff, which explains the agency’s oversight of mobile medical apps as devices. The FDA stated that its focus would be on the apps that present a greater risk to patients if they don’t work as intended and on apps that cause smartphones or other mobile platforms to affect the functionality or performance of traditional medical devices.

Where the FDA stands today on mHealth

After more work by the MRC and other organizations, we now have a sharper demarcation of how the FDA views mHealth. Today, the FDA uses these classifications:

• Enforced Discretion (ED) is a new category the FDA created that encourages vendors to use a quality management system and conduct self-audits to determine whether the potential use cases of the solution can pose risks to patient safety. Once that analysis is complete, it’s up to the vendor to submit an inquiry to the FDA, if needed. An example of an ED solution that doesn’t require regulatory oversight is a mobile app that imports weight metrics from a scale and tracks it against an individual’s calories, diet and exercise. ED is less specific, since it’s up to the vendor to make the call. On a positive note, it accelerates the pace of potential innovation and saves the FDA from needlessly evaluating and regulating very low-risk solutions.
• Class I: At this level, vendors must register their device/solution with the FDA and comply with device listing and labeling requirements. Class I designates mHealth technologies that pose a low risk to the individual using it; a tongue depressor, for instance, is a Class I device. Examples of a Class I mHealth solution include medication adherence programs that may be driven by a pharmaceutical company, and which give specific medication adherence guidelines for patients.
• Class II: These mHealth solutions can pose a medium safety risk and require further FDA monitoring. Taking the previous example of the weight management app, if that app is used to calculate the dosing of a medicine a patient should take, it would likely fall into this category. The guidance could be incorrect and suggest a too-low or too-high dose of medicine, with damaging consequences. Vendors must comply with the same Class I documentation requirements but also verify adherence to good manufacturing practice (GMP) standards such as ISO 13485, a common medical device standard.
• Class III: As the highest-risk category, Class III solutions possess a higher probability of causing severe injury or death should there be a malfunction, error or misuse of the product. Beyond the documentation and GMP requirements of Class I and II devices, Class III devices must undergo and submit rigorous clinical testing. There are only a handful of Class III mHealth solutions on the market today.

Preparing for FDA review

While this may all seem overwhelming, the business risks for regulated products are low if your company responds to requests in a reasonable timeframe. If the FDA sends your company a letter asking for more documentation, it doesn’t mean you’ll be out of business in a few months. Keep the communications lines open with the FDA, and do the research upfront on the intended uses of your product and where it potentially falls beneath the regulation umbrella. The FDA is open to inquiries and has plenty of resources on its mobile medical applications site to help you get started. Once you submit the forms for clearance, it may typically take between 90 and 150 days for the agency to approve a brand-new product. Subsequent releases can be approved faster.

mHealth executives shouldn’t lose sleep over regulation: I’m confident that the FDA’s involvement in the industry won’t squash innovation nor make products cost-prohibitive for buyers. The FDA is in the business of working to protect patients. For certain mHealth applications and therapeutics, compliance is just a cost of doing business.

In fact, the FDA did the industry a favor with the 2013 guidance document: it put rails on the ground for an embryonic but rapidly evolving industry. There is little merit in a free-for-all market where trial and error organically weeds out the bad products – harming people along the way. A reasonable yet clearly prescriptive regulatory environment for mHealth is well underway. As long as the various parties maintain the shared goal of patient safety first, everyone wins.