Rise of Mobile Apps and Their Regulation

Technological developments push the boundaries of existing regulatory frameworks. This is very much the case with recent advances in the use of mobile health (m-health) technologies and applications (apps) for portable electronic devices, such as tablets and smartphones. Several factors contribute to this, including increased processing power, greater memory storage, a reduction in size of components, and lower costs to consumers.

In addition, mobile signal coverage and speed has greatly increased along with the availability of Internet connections through Wi-Fi networks, allowing greater access to information on the internet via smart devices. Furthermore, most smart devices now incorporate sensors such as accelerometers, global positioning satellite components, and cameras, which have greatly improved their functionality, expanding their usability into areas, such as healthcare. Consequently, app developers have been producing software that falls into the “medical applications” and “healthcare” categories. Some could fall into categories which will be regulated as medical devices, others as diagnostic devices, while yet others will fall outside the scope of these definitions or even be classed as borderline, between classifications.

Regulators have released some guidance for developers to implement such technologies and this has helped clarify what is expected from these applications and provided an important step in recognising the need to regulate and monitor the growing m-health market.

Despite the potential risks associated with mobile medical apps, most do not undergo formal review or evaluation before entering the market. Currently, developers must first submit their program for review by the app store (e.g., iTunes®, Google Play™). Although a review process is conducted to ensure the app is functional and has no major technical issues, the clinical content in medical apps is not assessed. As such, it is understandable that many apps of lesser quality can slip through the review process. While this lack of review by those responsible for the app marketplace is concerning, there is also a general lack of oversight. In fact, regulation of most software products has proven to be difficult due to their complexity and diversity (and global availability/exposure).

This m-health market is growing exponentially; worldwide projections estimate revenue growth to around US$23 billion in 2017 compared with approximately US$6.9 billion in 2014 (Statistica [Online], 2017).

The regulation of medical apps was not specifically addressed until 2011, when the US FDA released a draft guidance on the topic. The guidance , was updated, finalized and issued February 2015, outlining how the FDA will apply its regulatory authority to mobile medical apps.

The US FDA has already recognised some of the challenges outlined previously, and has released two main categories of guidance to clarify how these applications should be categorised: 1) “mobile medical applications” (MMAs) and; 2) “general wellness products”. The regulation of medical devices differs from that of drugs since it is based on a step or tier classification system. Specifically, devices are designated as either Class I, II, or III, depending on their potential risk. Class I devices are the lowest risk and are generally exempt from review. Class II devices, however, are considered an intermediate level of risk and developers are usually required to submit a premarket notification (or 510[k] notification). Under this process, developers must show that the product is “substantially equivalent” to a similar device already on the market. Class III devices are the highest risk level and must generally undergo a more complex, time-consuming, and expensive premarket approval process.

The guidance also discusses the types of apps for which the FDA plans to exercise “enforcement discretion,” meaning that their regulatory authority would not be applied except in special circumstances. This category mainly includes patient-oriented apps, such as those that help patients track and manage health information. Unfortunately, this category also includes many of the medical apps used by pharmacists and other clinicians in daily practice. For example, the FDA will not regulate apps that provide contextually-relevant access to medical information used in clinical practice (e.g., apps that check for drug–drug or drug–allergy interactions). Similarly, the FDA will not review apps that provide clinicians with a summary of best practice guidelines or other therapy recommendations for a medical condition (e.g., an app presenting a contextually-relevant antibiotic treatment algorithm based on site of infection). Mobile medical calculators are another type of commonly used app for which the FDA will exercise enforcement discretion.

In addition to guidance from the FDA, the Federal Trade Commission (FTC) has released a guide to help mobile app developers remain truthful in advertising and basic privacy principles. Specifically, they suggest that developers avoid making false or misleading claims, avoid omitting important details in advertisements, and have “competent and reliable evidence” that the app functions as intended. Disclosures should also be clear and transparent, as should any data practices regarding privacy (e.g., collecting and sharing user information). Although the FTC has made a concerted effort to address deceptive and unfair practices surrounding mobile technology, they are unable to proactively review the large influx of medical apps entering the marketplace. Similarly, as of November 2013, only 100 of the over 10,000 medical apps available on the marketplace were cleared by the FDA. As such, it is obvious that clinicians cannot rely on government oversight alone to ensure the safety of mobile apps.

Historically, software products intended for use in the diagnosis or treatment of disease have been classified as a medical device. Wide-ranging changes to the overall medical devices and in vitro diagnostics regulatory framework are now in force with the new EU Regulations. The regulation of medical devices in the EU is governed by the CE Marking process. The EU has attempted to provide guidance for MMAs, including the MHRA’s “Medical device stand-alone software including apps (including IVDMDs)” released in 2014 and the EU “Guidance document Medical Devices - Scope, field of application, definition - Qualification and Classification of stand-alone software - MEDDEV 2.1/6” . However, these guidance’s, are far less comprehensive than that provided by the FDA and arguably leaves a degree of ambiguity as to their scope, demonstrating that the EU has some work to do in terms of regulating upcoming technology-based healthcare.

When determining if a medical mobile app meets the definition of a medical device or accessory it is the intended purpose (defined as the “use for which the device is intended according to the data supplied by the manufacturer on the labelling, in the instructions and/or in promotional materials”) of the app needs to be considered. It is therefore the claims that the manufacturer makes about an app either within the app itself (labelling), instructions for use provided with the app and in promotional materials (e.g. advertising, websites, brochures etc.), which are considered to determine whether an app is a medical device or not. From a regulatory context, apps are standalone software.

Diabetes iPhone and Android apps are available for smartphones and tablets to assist in diabetes management. These apps typically log blood glucose readings - although some allow you to log carbs, food, medication, weight and more. They tend to vary price from being completely free up to just over £5. These apps feature graphs displaying the blood glucose figures – or graphs displaying these plus food and medication, detailed table of results, figures and various export function such as the ability to email the results as a spreadsheet. mySugr is an example of a company developing apps in this area and its products include educational and logging apps for patients with diabetes along with Scanner, an app that can transfer blood sugar values from the patient’s glucometer to their iPhone and then logbook. A diabetes logbook with all transferred blood glucose values and clear PDF-Reports for HCP review. The results can also be synchronized to web-based apps for analysis and interpretation of the results to spot trends and patterns and maximize results by identifying weak spots in therapy and focusing on effective changes. The mySugr App is a registered risk class 1 medical device in the US and EU, and mySugr (the company) is ISO 13485 certified.

Another example is the MyAsthma app (developed by GSK and the University of Nottingham) for patients (or their carers) living with asthma. The app is designed to help patients understand their asthma by providing environmental and lifestyle information that may be relevant to their condition, together with data indicating the status of their asthma. Patients or their carers can check and track their asthma control by using the Asthma Control Test (ACT) or the Childhood-ACT (C-ACT) as appropriate within the app, and they can export information from the app to share with their HCP. The app is not intended to diagnose asthma or provide advice on medicines but it is a class I medical device with Intended Use Statement.

An example of an app which has not been developed as a class I medical device or MMA is Yellow Card – MHRA. The Yellow Card Scheme is vital in helping the MHRA monitor the safety of all healthcare products in the UK to ensure they are acceptably safe for patients and those that use them. Reports can be made from the app installed on a handheld electronic device for all medicines including vaccines, blood factors and immunoglobulins, herbal medicines and homeopathic remedies, and all medical devices available on the UK market. The Yellow Card app enables patients or carers to report side effects and review personalised information published by the MHRA related to treatment pathways.

Health apps present a new challenge to regulatory authorities. Software intended for use in a medical context can be classified as a medical device, and health apps therefore potentially fall within the regulatory remit of bodies such as the MHRA and FDA. However, the sheer volume of apps, and their rapid take-up by patients/consumers and HCPs, raises questions about the appropriate levels of regulation and oversight, and whether current and impending regulatory frameworks are fit for purpose. Since the approaches to medical device classification and regulation in the US and the EU are significantly different, it is difficult to directly compare the two. Final steps of classification within the US system rely upon a comparison structure, based upon apps which are already approved as medical devices. The EU system is based upon existing guidelines and defined rules illustrated through flow-charts which guide a developer’s assessment. Although apps are intended to help individuals improve their health and/or manage their disease, they all present different levels of potential risk of harm. Many of the apps that are currently available on the market and unregulated may present undetermined, or possibly higher, risk to the user, due to lack of understanding by the user or machine error. While such classification processes present much additional work for app developers, these steps are essential to ensuring a device’s quality, effectiveness, and above all, safety for end users.