Can I Make an App for That?
How FDA and HIPAA regulations apply to medical mobile device apps
David Giannantonio, JD, MS
Assistant Director, Research Compliance Initiatives, Office of Compliance
June 22, 2016
Overview
“How can this thing be a medical device?” – FDA
“Is there any PHI?” – HIPAA
Not giving away the farm – IP protection and contracting
Useful Tools
FDA
Regulates the ability to market and distribute
– Drugs
– Medical Devices
– Biologics (and more)
Products must be safe and effective for the intended use
Regulatory purview is driven by product labeling and marketing
Medical Devices
FD&C Section 201(h) – An instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:
– Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease in man or other animals, OR
– Intended to affect the structure or any function of the body of man or other animals
The Long Reach of FDA Jurisdiction: United States v. 23, More or Less, Articles etc.
FDA sought seizure of phonographic records marketed as eliminating insomnia
– FDA claimed they were misbranded (false or misleading labeling)
The U.S. Court of Appeals for the Second Circuit held in favor of FDA, reasoning that the phonographs
– Were devices that altered the function of the body, AND
– Based on the evidence, did not make insomnia “a thing of the past” as the labeling claimed
Image sources: Phonograph: Wicker Paradise, https://www.flickr.com/photos/wicker-furniture/8520793504, license available at https://creativecommons.org/licenses/by/2.0/legalcode, labeled for reuse. Bed: llorcraft, https://pixabay.com/en/sleep-sleeping-asleep-1389978/, labeled for reuse.
Consider the flashlight…
Image source: Lamp: jarmoluk, https://pixabay.com/en/dentist-equipment-replacement-lamp-428651/, labeled for reuse
FDA’s Approach – Enforcement Discretion
FDA intends to oversee only those mobile apps that are medical devices and could pose a risk to patient safety if the app were not to function as intended
So, there are:
– “Mobile Medical Apps”: mobile apps for which FDA will apply oversight
– Mobile apps for which FDA will exercise “enforcement discretion” (i.e., not apply oversight)
– Mobile apps not governed under FDA regulations
Mobile Medical Apps
An app is a Mobile Medical App if it:
– Extends a medical device by connecting to it for purposes of controlling the device, use in active patient monitoring, or analyzing device data
– Transforms a mobile platform into a regulated medical device by using attachments, display screens, sensors or functionalities similar to a currently regulated device
– Becomes a medical device by performing patient-specific analysis and providing patient-specific diagnosis or treatment recommendations
Mobile Apps Under FDA “Enforcement Discretion”
Apps that do not perform the functions of a “Mobile Medical App”, but still fall under the definition of a device:
– Patient self-management of disease without specific treatment suggestions
– Tools to organize and track health information
– Help patients document, show, or communicate potential health conditions to health care providers
– Automate simple tasks for health care providers
– Provide easy access to information related to a patient’s health conditions or treatments
Apps that are not medical devices
Not intended to be used in diagnosis, cure, mitigation, treatment or prevention of disease:
– Electronic copies of generic medical references (medical dictionaries)
– Apps intended for general patient education and to facilitate access to commonly used reference information (even specific to an indication)
– Automation of general office operations
– General purpose products not specifically intended for medical purposes
FDA Oversight? Example 1
App used to calibrate hearing aids.
Yes – Mobile Medical App. This app connects to a medical device (hearing aid) for the purpose of controlling it.
FDA Oversight? Example 2
App that allows a mobile platform to use an attached sensor to record, view, or analyze eye movements for use in diagnosing balance disorders.
Yes – Mobile Medical App. This app transforms a mobile platform into a medical device used for diagnosis of disease through the use of an attachment.
FDA Oversight? Example 3
App that allows patients and healthcare providers to communicate through email or web-based platforms.
No – not regulated as a medical device. This app is not intended for use in the diagnosis, cure, mitigation, treatment or prevention of disease, but rather is directed at general communications / operations.
FDA Oversight? Example 4
App that utilizes a patient’s information to calculate a dosage regimen for radiation therapy.
Yes – Mobile Medical App. This app performs patient-specific analysis to provide treatment recommendations.
FDA Oversight? Example 5
App that allows a healthcare provider to quickly calculate a patient’s BMI.
No – Enforcement Discretion. This app is used to perform simple calculations routinely used in clinical practice.
FDA Oversight? Example 6
App that allows for remote display of data from bedside monitors on another viewing platform.
Yes – Mobile Medical Device. This app connects to an existing medical device for the purpose of active patient monitoring, or analyzing patient-specific medical device data.
FDA Oversight? Example 7
App that provides general educational information and resources about asthma.
No – not regulated as a medical device. This app provides general education about an indication, and is not intended to diagnose, cure, mitigate, treat, or prevent disease.
FDA Oversight? Example 8
App that helps asthmatics track inhaler usage, asthma episodes, location of the user at the time of an attack, or environmental triggers of attacks.
No – Enforcement Discretion. While this app may meet the definition of a medical device (i.e., intended to be used in mitigation/prevention), it is a tool to self-manage disease and track health information.
FDA Oversight? Example 9
App into which a patient’s lung function test information can be entered, and which determines whether the patient has asthma.
Yes – Mobile Medical Device. Performs a patient-specific analysis and diagnosis.
FDA Oversight? Example 10
App that uses a checklist of common signs and symptoms to provide a list of possible medical conditions and advice on when to consult a health care provider.
No – Enforcement Discretion. While it may be interpreted to assist in diagnosis/prevention of disease, it simply helps patients document potential medical conditions for healthcare providers.
Some guiding points
Common themes
– General information vs. patient-specific analysis
– Simple/routine tasks vs. complex procedure/data
– General wellness vs. claiming to diagnose/treat
– Low vs. high risk
Enforcement discretion is at FDA’s discretion
– FDA may decide to enforce regulations depending on the specific case
– FDA may change its exercise of discretion over time
Bleed points to think about
– When does general education (not a device) become self-management of disease (FDA enforcement discretion)?
– When do patient self-management tools (FDA enforcement discretion) become patient-specific analysis, diagnosis, and treatment?
Source: Bloomberg, http://www.bloomberg.com/news/articles/2016-04-15/fitbit-s-move-into-medical-gadgets-risks-attracting-fda-scrutiny
So what if I’m regulated?
Your app’s regulatory approval pathway and controls will depend on its device classification:
– Class I: Least risk. General controls.
– Class II: Moderate risk. General and Special Controls.
– Class III: Most risk. Supports human life, prevents impairment of human health, or new devices not substantially equivalent to a legally marketed device. General and Special Controls, PMA.
Approval pathways:
– 510(k) premarket notification: Demonstrate the device is “substantially equivalent” to a legally marketed device for which FDA does not require a PMA
– Pre-market Approval (PMA): Must provide data showing safety and effectiveness (i.e., clinical trials)
HIPAA
Governs the privacy and security of protected health information (PHI)
– Privacy: for what purpose, to whom, and at what level of identity can health information be used and disclosed
– Security: what protections must a holder of PHI implement to protect it from unauthorized use and disclosure
HIPAA applies to “covered entities” and “business associates”
Covered Entities and Business Associates
Covered entities
– Health care providers that:
    Provide medical or health services
    Conduct certain “covered transactions” (i.e., bill insurance or benefits program for health care) in electronic form
    Hybrid Entities have covered components (HIPAA applies) and non-covered components (HIPAA doesn’t apply)
– Health plans and health care clearinghouses
Business Associates
– Entity that conducts activities involving the use or disclosure of PHI on a covered entity’s behalf
As it applies to apps
If you are an app user, any app you want to use must meet HIPAA security requirements if:
– you are performing a covered function (health care treatment, payment or health care operations [TPO]) as part of a covered entity/covered component or as a business associate of a covered entity/covered component, AND
– you want to use the app to create, receive, maintain or transmit PHI
If you are an app developer, you are a business associate (and therefore subject to HIPAA) if:
– you are developing an app on behalf of a covered entity or business associate to create, receive, maintain, or transmit PHI for carrying out TPO; OR
– you, through the app, will create, receive, maintain, or transmit PHI on behalf of a covered entity or business associate for carrying out TPO
Is the App Developer a BA? Example 1
App developer provides a health app to individuals, who populate it with health information they obtained through home equipment.
No. Developer is not managing PHI on behalf of a covered entity for a covered function. It is managing data on behalf of the individual user.
Is the App Developer a BA? Example 2
App developer provides a health app to individuals, who populate it with their health information that they pull, not using the app, from their covered entity provider’s EMR.
No. Developer is not managing PHI on behalf of a covered entity for a covered function. Regardless of where the information came from, it is still managing the data populated into it on behalf of the individual.
Is the App Developer a BA? Example 3
App developer provides a health app to individuals, who can use the app to pull information from their covered entity provider’s EMR to populate it. Healthcare provider and developer have an interoperability agreement that technically allows the transfers to be performed.
Maybe.
– No, if the app only operates at the request of the individual to pull information, and the developer takes no responsibility from the provider for security of the transfer and doesn’t manage/make transfers at the provider’s request.
– Yes, if the developer also manages transfers on behalf of the provider, or takes on the responsibility of the provider for security of the transfer.
Is the App Developer a BA? Example 4
App developer provides a health app to a covered entity healthcare provider, who in turn provides it to patients as a tool for patient management services. The app facilitates communications from the provider to the patient, and also manages incorporation of patient-entered information into the EMR.
Yes. Developer is, by means of the app, managing the use and disclosure of PHI on behalf of the provider.
The Big Questions
For the developer:
– Who are your clients? Are they covered entities (or other business associates)?
– Does a covered entity direct you through the app to create, receive, maintain or disclose identifiable health information as part of a covered function?
For the user:
– Do you work for a covered entity (or covered component thereof), or a business associate?
– Are you using the app to manage identifiable health information as part of a covered function?
So HIPAA applies to me. What now?
Security Safeguards
– Administrative: access authorization; log-in monitoring; sanctions for misuse; password management; data backup and recovery plan; malicious software protection; execution of appropriate contracts (e.g., BAA)
– Physical: workstation use and security (e.g., control over mobile platforms)
– Technical: encryption, authentication mechanism, unique user identification, automatic logoff
Note: Even if HIPAA does not apply, there may be other privacy/security laws and regulations that do
Don’t give away the farm!
Intellectual Property (IP) protection
– Apps may be protectable under patent law (protection for the system/process) or copyright law (protection for the written code itself)
Contracts, contracts, contracts
– Engaging a software developer to create the app
– Utilizing outside development tools to design your app
– Licensing the app to distributors
Tools
Mobile Health App Interactive Tool:
– https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool
FDA Device Classification:
– https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfpcd/classification.cfm
Support
Emory Mobile Application Review and Distribution Process (supported by Emory LITS): https://wiki.service.emory.edu/display/cita/Mobile+Application+Review+and+Distribution+Processes
Emory Office of Compliance: compliance@emory.edu; 404-727-2398
Emory Office of Technology Transfer: ott-web@emory.edu; 404-727-2211