Technology often starts in a simple way, perhaps with a simple “click” on an “I AGREE” button on your smartphone. Once the technology has spread, lawyers and authorities start debating what it is and how it fits with the laws.
The following post is the first part of a legal analysis of medical apps attempting to establish what they are under current legislation (Part I), as well as what is wrong with them according to various authorities who have scrutinized them (Part II).
I keep reading and hearing that apps are not regulated and that the European Union stands behind than the United States in that process. Both statements are wrong. Medical apps can be regulated, if they fall within the scope of the definition of “medical device”. The trick is to find out if they do…
It probably takes less time to download a medical app on your smartphone than to determine if it falls under the definition of “medical device”. Where to look for guidance?
THE EU COMMISSION GUIDELINES. In June 2012 the European Commission has issued Guidelines (MEDDEV 2.1/6) in order to attempt to clarify when standalone software is a medical device. A 6-step decision diagram is also provided by the Guidelines as an aid to decide if a medical application is a medical device. If the medical app is indeed a medical device, then a conformity assessment is required and the app must carry the CE marking.
One key element stands out in order to decide whether a medical app is a medical device: its intended use. This has been further emphasized in the Brain Products GmbH case (Case C-219/11) decided by the European Court of Justice regarding an electro-technical system enabling human brain activity to be recorded. The Court stated that “a device used in humans for the investigation of a physiological process falls within the scope of Directive 93/42 only if the intended purpose of that device, defined by its manufacturer, is medical”, while specifying that the fact that the software is used in a medical context is not sufficient to trigger its qualification as “medical device”. Therefore, the intended use of a device is up to the manufacturer, although – as the influential medical device counsel and blogger Erik Vollebregt puts it – “you cannot disclaim an obvious intended purpose as this would amount to a contradictory label and consequently a non-compliant product”.
THE FDA’s VIEW. On September 23, 2013 the United States Food and Drug Administration tackled the same problem and issued a guidance document “to clarify the subset of mobile apps to which the FDA intends to apply its authority”, because while “The FDA encourages the development of mobile medical apps that improve health care and provide consumers and health care professionals with valuable health information.”, however “The FDA also has a public health responsibility to oversee the safety and effectiveness of medical devices – including mobile medical apps.”
FURTHER HELP FROM THE UK. On March 21, 2014, the United Kingdom Medicines and Healthcare Products Regulatory Agency (MHRA) has also issued guidelines to help “healthcare and medical software developers who are unsure of the regulatory requirements for CE marking stand-alone software as a medical device”. The MHRA indicated that software functions that, e.g., analyze, alarm, calculate, control, convert, diagnose, measure, monitor, are likely to lead the app to be considered as a medical device.
REALITY CHECK! The intention of the EU Commission, the FDA and the MHRA to clarify the regulatory framework is commendable and guidelines abound (see also the D4Research guide), but how many mobile medical apps actually bear a CE marking? How many app developers, app stores and app users are even aware of such requirements? I have witnessed awards granted to apps and eHealth projects which showed no awareness of the regulatory aspects. Announcements to “crack down” on illegal apps have been issued (e.g., by the Dutch authorities). What is happening in Italy? While the Ministry of Health is developing its own apps, its general manager Dr. Marletta in December 2013 has announced that the explosion of medical app use is an area of concern, especially with regard to risks and liabilities, which will be monitored by the authority going forward. Actual enforcement action, however, is still to be seen.
THE PROPOSED MEDICAL DEVICE REGULATION: WHAT MAY HAPPEN NEXT. If the Proposal Regulation replacing the Medical Device Directive sees the light, software will be expressly regulated and specific quality requirements will apply concerning the following aspects:
- software design must ensure repeatability, reliability and performance according to the intended use;
- appropriate means to eliminate or reduce as far as possible and appropriate consequent risks in case of single fault condition;
- software must be developed and manufactured according to the state of the art taking into account the principles of development life cycle, risk management, verification and validation;
- if intended to be used in combination with mobile computing platforms, software must be designed and manufactured taking into account the specific features of the mobile platform (e.g. size and contrast ratio of the screen) and the external factors related to their use (varying environment as regards to level of light or noise).CONCLUSIONS. Medical apps do not stand in a regulatory vacuum: if they fall within the definition of “medical device”, they are subject to essential requirements and should bear the CE mark.
- INSTRUCTIONS FOR USE FOR MEDICAL APPS: IN WHICH FORM? We note that, under the e-labeling regulation (Regulation no. 207/2012) entered into force on March 30, 2013, stand-alone software that is deemed to be a medical device can have instructions for use in electronic form, provided that the devices are intended for exclusive use by professional users and that the use by other persons is not reasonably foreseeable. Instead, if the app is a medical device but intended for a patient, instruction for use in paper form must be provided. This requirement appears both unpractical and unreasonable given that a patient downloading an app seems “digital” enough to be sufficiently protected by electronic instructions.
 The very definition of medical device included in Directive 93/42/EEC, as amended by Directive 2007/47/EC, includes software. In fact, “’medical device’ means any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, together with any accessories, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of:
- diagnosis, prevention, monitoring, treatment or alleviation of disease;
- diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap;
- investigation, replacement or modification of the anatomy or of a physiological process,
- control of conception,
and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means;”.
 An average smartphone user downloads 37 apps, according to the Opinion 02/2013 on apps on smart devices by the Article 29 Data Protection Working Party, page 2.