Can I Make an App for That? How FDA and HIPAA regulations apply to medical mobile device apps David Giannantonio, JD, MS Assistant Director, Research Compliance.

Can I Make an App for That? How FDA and HIPAA regulations apply to medical mobile device apps David Giannantonio, JD, MS Assistant Director, Research Compliance Initiatives Office of Compliance June 22, 2016

Overview
– “How can this thing be a medical device?” – FDA
– “Is there any PHI?” – HIPAA
– Not giving away the farm – IP protection and contracting
– Useful tools

FDA
Regulates the ability to market and distribute:
– Drugs
– Medical devices
– Biologics (and more)
Products must be safe and effective for their intended use. Regulatory purview is driven by product labeling and marketing.

Medical Devices FD&C Section 201(h) – An instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease in man or other animals, OR Intended to affect the structure or any function of the body of man or other animals

The Long Reach of FDA Jurisdiction: United States v. 23, More or Less, Articles, etc.
FDA sought seizure of phonograph records marketed as eliminating insomnia; FDA claimed they were misbranded (false or misleading labeling).
The U.S. Court of Appeals for the Second Circuit held in favor of FDA, reasoning that the records:
– were devices, because they were intended to alter a function of the body (sleep), AND
– based on the evidence, did not make insomnia “a thing of the past” as the labeling claimed.
Image credits: phonograph by Wicker Paradise; bed by llorcraft (pixabay); both labeled for reuse.

Consider the flashlight… (Image credit: lamp by jarmoluk, pixabay, labeled for reuse.)

FDA’s Approach – Enforcement Discretion FDA intends to oversee only those mobile apps that are medical devices and could pose a risk to patient safety if the app were not to function as intended So, there are: – “Mobile Medical Apps”: mobile apps for which FDA will apply oversight – Mobile apps for which FDA will exercise “enforcement discretion” (i.e., not apply oversight) – Mobile apps not governed under FDA regulations

Mobile Medical Apps An app is a Mobile Medical App if it: – Extends a medical device by connecting to it for purposes of controlling the device, use in active patient monitoring, or analyzing device data – Transforms a mobile platform into a regulated medical device by using attachments, display screens, sensors or functionalities similar to a currently regulated device – Becomes a medical device by performing patient-specific analysis and providing patient-specific diagnosis or treatment recommendations

Mobile Apps Under FDA “Enforcement Discretion” Apps that do not perform the functions of a “Mobile Medical App”, but still fall under the definition of a device – Patient self-management of disease without specific treatment suggestions – Tools to organize and track health information – Help patients document, show, or communicate potential health conditions to health care providers – Automate simple tasks for health care providers – Provide easy access to information related to patient’s health conditions or treatments

Apps that are not medical devices Not intended to be used in diagnosis, cure, mitigation, treatment or prevention of disease – Electronic copies of generic medical references (medical dictionaries) – Apps intended for general patient education and that facilitate access to commonly used reference information (even specific to an indication) – Automation of general office operations – General purpose products not specifically intended for medical purposes

FDA Oversight? Example 1 App used to calibrate hearing aids. Yes – Mobile Medical App. This app connects to a medical device (hearing aid) for the purpose of controlling it.

FDA Oversight? Example 2 App that allows a mobile platform to use an attached sensor to record, view, or analyze eye movements for use in diagnosing balance disorders. Yes – Mobile Medical App. This app transforms a mobile platform into a medical device used for diagnosis of disease through the use of an attachment.

FDA Oversight? Example 3 App that allows patients and healthcare providers to communicate through email or web-based platforms. No – not regulated as a medical device. This app is not intended for use in the diagnosis, cure, mitigation, treatment or prevention of disease, but rather directed at general communications / operations.

FDA Oversight? Example 4 App that utilizes a patient’s information to calculate a dosage regimen for radiation therapy. Yes – Mobile Medical App. This app performs patient-specific analysis to provide treatment recommendations.

FDA Oversight? Example 5 App that allows a healthcare provider to quickly calculate a patient’s BMI. No – Enforcement Discretion. This app is used to perform simple calculations routinely used in clinical practice.

FDA Oversight? Example 6 App that allows for remote display of data from bedside monitors on another viewing platform. Yes – Mobile Medical App. This app connects to an existing medical device for the purpose of active patient monitoring, or analyzing patient-specific medical device data.

FDA Oversight? Example 7 App that provides general educational information and resources about asthma. No – not regulated as a medical device. This app provides general education about an indication, and is not intended to diagnose, cure, mitigate, treat, or prevent disease.

FDA Oversight? Example 8 App that helps asthmatics track inhaler usage, asthma episodes, location of the user at the time of an attack, or environmental triggers of attacks. No – Enforcement Discretion. While this app may meet the definition of a medical device (i.e., intended to be used in mitigation/prevention), it is a tool to self-manage disease and track health information.

FDA Oversight? Example 9 App into which a patient’s lung function test information can be entered, and which determines whether the patient has asthma. Yes – Mobile Medical App. Performs a patient-specific analysis and diagnosis.

FDA Oversight? Example 10 App that uses a checklist of common signs and symptoms to provide a list of possible medical conditions and advice on when to consult a health care provider. No – Enforcement Discretion. While it may be interpreted as assisting in the diagnosis/prevention of disease, it simply helps patients document and communicate potential medical conditions to healthcare providers.

Some guiding points Common themes – General information vs. patient-specific analysis – Simple/routine tasks vs. complex procedures/data – General wellness vs. claiming to diagnose/treat – Low vs. high risk Enforcement discretion is at FDA’s discretion – FDA may decide to enforce regulations depending on the specific case – FDA may change its exercise of discretion over time Gray areas to think about – When does general education (not a device) become self-management of disease (FDA enforcement discretion)? – When do patient self-management tools (FDA enforcement discretion) become patient-specific analysis, diagnosis, and treatment (FDA oversight)?

[Image slide; source: Bloomberg]

So what if I’m regulated? Your app’s regulatory pathway and controls will depend on its device classification:
– Class I: least risk. General controls.
– Class II: moderate risk. General and special controls; 510(k) premarket notification.
– Class III: most risk (supports human life, prevents impairment of human health, or a new device not substantially equivalent to a legally marketed device). General and special controls plus Pre-market Approval (PMA).
510(k) premarket notification: demonstrate the device is “substantially equivalent” to a legally marketed device for which FDA does not require a PMA.
Pre-market Approval (PMA): must provide data showing safety and effectiveness (i.e., clinical trials).

HIPAA Governs the privacy and security of protected health information (PHI) – Privacy: for what purpose, to whom, and at what level of identity can health information be used and disclosed – Security: what protections must a holder of PHI implement to protect it from unauthorized use and disclosure HIPAA applies to “covered entities” and “business associates”

Covered Entities and Business Associates Covered entities – Health care providers Provide medical or health services Conduct certain “covered transactions” (i.e., bill insurance or benefits program for health care) in electronic form Hybrid Entities have covered components (HIPAA applies) and non-covered components (HIPAA doesn’t apply) – Health plans and health care clearinghouses Business Associates – Entity that conducts activities involving the use or disclosure of PHI on a covered entity’s behalf

As it applies to apps
If you are an app user, any app you want to use must meet HIPAA security requirements if:
– you are performing a covered function (health care treatment, payment or health care operations [TPO]) as part of a covered entity/covered component or as a business associate of a covered entity/covered component, AND
– you want to use the app to create, receive, maintain or transmit PHI.
If you are an app developer, you are a business associate (and therefore subject to HIPAA) if:
– you are developing an app on behalf of a covered entity or business associate to create, receive, maintain, or transmit PHI for carrying out TPO; OR
– you, through the app, will create, receive, maintain, or transmit PHI on behalf of a covered entity or business associate for carrying out TPO.

Is the App Developer a BA? Example 1 App developer provides a health app to individuals, who populate it with their health information they obtained through home equipment. No. Developer is not managing PHI on behalf of a covered entity for a covered function. It is managing data on behalf of the individual user.

Is the App Developer a BA? Example 2 App developer provides a health app to individuals, who populate it with their health information that they pull, not using the app, from their covered entity provider’s EMR. No. Developer is not managing PHI on behalf of a covered entity for a covered function. Regardless of where the information came from, it is still managing the data populated into it on behalf of the individual.

Is the App Developer a BA? Example 3 App developer provides a health app to individuals, who can use the app to pull information from their covered entity provider’s EMR to populate it. Healthcare provider and developer have an interoperability agreement that allows technically for the transfers to be performed. Maybe. No if the app only operates at request of the individual to pull information, and developer takes no responsibility from provider for security of the transfer and doesn’t manage/make transfers at provider’s request. Yes if developer also manages transfers on behalf of the provider, or takes on the responsibility of the provider for security of the transfer.

Is the App Developer a BA? Example 4 App developer provides a health app to a covered entity healthcare provider, who in turn provides it to patients as a tool for patient management services. The app facilitates communications from the provider to the patient, and also manages incorporation of patient-entered information into the EMR. Yes. Developer is, by means of the app, managing the use and disclosure of PHI on behalf of the provider.

The Big Questions For the developer: – Who are your clients? Are they covered entities (or other business associates)? – Does a covered entity direct you through the app to create, receive, maintain or disclose identifiable health information as part of a covered function? For the user: – Do you work for a covered entity (or covered component thereof), or business associate? – Are you using the app to manage identifiable health information as part of a covered function?

So HIPAA applies to me. What now? Security safeguards (HIPAA Security Rule):
– Administrative: access authorization; log-in monitoring; sanctions for misuse; password management; data backup and recovery plan; malicious software protection; execution of appropriate contracts (e.g., a Business Associate Agreement, BAA)
– Physical: workstation use and security (e.g., control over mobile platforms)
– Technical: encryption, authentication mechanism, unique user identification, automatic logoff
Note: even if HIPAA does not apply, other privacy/security laws and regulations may.
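As an added illustration that is not part of the original slides, the Python sketch below puts four of the safeguards named above into working code: unique user identification (duplicate IDs are rejected and every audit entry names the acting user), an authentication mechanism (salted PBKDF2 password hashing with constant-time comparison), log-in monitoring with lockout after repeated failures, and automatic logoff when a session sits idle past a timeout. The 15-minute idle timeout, the 5-attempt lockout, the iteration count, the user IDs and the patient record are all constructed assumptions for the demo; HIPAA prescribes none of these values. Encryption of PHI at rest and in transit is deliberately left to a vetted library (TLS and an AEAD cipher) and is not shown here.

```python
"""Minimal PHI access layer exercising HIPAA Security Rule safeguards (added example)."""
import hashlib
import hmac
import secrets
import time

# Assumed policy values: HIPAA requires these controls but sets no numbers.
IDLE_TIMEOUT_SECONDS = 15 * 60
MAX_FAILED_LOGINS = 5
PBKDF2_ITERATIONS = 100_000


class PhiApp:
    """Authenticated, audited, auto-logoff access to a dict of patient records."""

    def __init__(self, records, clock=time.monotonic):
        self._records = records          # patient_id -> record (constructed sample data)
        self._clock = clock              # injectable so idle timeout can be tested
        self._users = {}                 # unique user_id -> credential record
        self._sessions = {}              # session token -> {"user_id", "last_seen"}
        self.audit_log = []              # (time, user_id, event, detail)

    def _audit(self, user_id, event, detail=""):
        self.audit_log.append((self._clock(), user_id, event, detail))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user_id, password):
        """Unique user identification: one identifier per person, never reused."""
        if user_id in self._users:
            raise ValueError("user id must be unique")
        salt = secrets.token_bytes(16)
        self._users[user_id] = {"salt": salt, "hash": self._derive(password, salt),
                                "failed": 0, "locked": False}
        self._audit(user_id, "user_created")

    def login(self, user_id, password):
        """Authentication plus log-in monitoring; returns a session token or None."""
        rec = self._users.get(user_id)
        if rec is None or rec["locked"]:
            self._audit(user_id, "login_failed", "unknown or locked account")
            return None
        if not hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"])):
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_LOGINS:
                rec["locked"] = True          # sanction for repeated failures
            self._audit(user_id, "login_failed", f"attempt {rec['failed']}")
            return None
        rec["failed"] = 0
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user_id": user_id, "last_seen": self._clock()}
        self._audit(user_id, "login_ok")
        return token

    def _resolve(self, token):
        """Map a token to its user, enforcing automatic logoff after idle timeout."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            self._audit(sess["user_id"], "auto_logoff", "idle timeout")
            return None
        sess["last_seen"] = now
        return sess["user_id"]

    def read_record(self, token, patient_id):
        """Every PHI read is tied to an authenticated, named user and logged."""
        user_id = self._resolve(token)
        if user_id is None:
            raise PermissionError("not authenticated")
        self._audit(user_id, "phi_read", patient_id)
        return self._records.get(patient_id)


class FakeClock:
    """Controllable clock so the idle timeout can be exercised without waiting."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk one user through a failed login, a good login, a PHI read and an auto-logoff.
    Returns (audit event names, the record that was read)."""
    clock = FakeClock()
    app = PhiApp({"P-1001": {"name": "Sample Patient", "dx": "asthma"}}, clock=clock)  # constructed
    app.register("dr.lee", "correct horse battery staple")          # assumed user id
    app.login("dr.lee", "wrong password")                           # monitored failure
    token = app.login("dr.lee", "correct horse battery staple")
    record = app.read_record(token, "P-1001")
    clock.advance(IDLE_TIMEOUT_SECONDS + 60)                        # user walks away
    try:
        app.read_record(token, "P-1001")
    except PermissionError:
        pass                                                        # session was auto-logged-off
    return [event for (_, _, event, _) in app.audit_log], record


if __name__ == "__main__":
    print(demo())
```

The audit trail is what a covered entity's log-in monitoring and access-review procedures actually consume; notice that the auto-logoff entry is written at the moment the stale session is rejected, not when the user last acted, so reviewers can see exactly which requests were refused.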

Don’t give away the farm! Intellectual Property (IP) protection – Apps may be protectable under patent law (protection for the system/process) or copyright law (protection for the written code itself) Contracts, contracts, contracts – Engaging a software developer to create the app – Utilizing outside development tools to design your app – Licensing the app to distributors

Tools
– Mobile Health Apps Interactive Tool (FTC): …center/guidance/mobile-health-apps-interactive-tool
– FDA Product Classification database: …/classification.cfm

Support
– Emory Mobile Application Review and Distribution Process (supported by Emory LITS)
– Emory Office of Compliance
– Emory Office of Technology Transfer (OTT)