Category: Mobile apps

New FTC Guidance and Tools for Mobile Medical Apps


On Tuesday, April 5, the Federal Trade Commission (“FTC”) released a new web-based tool for developers of health-related mobile apps. The tool asks mobile application developers questions about the mobile app’s function, the type(s) of data that the app collects and the service(s) that the app offers to end-users. The new tool then guides mobile app developers to federal laws that may apply to the mobile app, including the Health Insurance Portability and Accountability Act; the Federal Food, Drug, and Cosmetic Act; the FTC Act; and the FTC’s Health Breach Notification Rule.


FDA Finalizes Guidance on Medical Device Data Systems

On February 6, the Food and Drug Administration (the “FDA” or “Agency”) released a finalized guidance (the “Guidance”) informing the public that the Agency does not intend to enforce any regulatory requirements applicable to several types of devices and software that transfer, store, convert, format and display medical data, specifically including medical image storage (“MIS”) devices, medical image communications (“MIC”) devices and medical device data systems (“MDDS”).   The Guidance finalizes a draft guidance issued by the Agency in June of 2014, which in turn also finalizes related changes to a separate guidance on mobile medical applications. To read Hall Render’s article assessing the draft Guidance, click here; or to read our article discussing the mobile medical applications guidance, click here.

The elimination of FDA regulatory requirements for these products could have significant positive impacts for developers and end users of these devices within the emergent areas of home health, personal health and telemedicine. The FDA’s move is particularly designed to support initiatives driving interoperability among medical devices and various health IT systems, including electronic health records.

A few examples of MDDS products include:

  • Software that collects output from a ventilator about a patient’s CO2 level and transmits the information to a central patient data repository;
  • Software that stores historical blood pressure information for later review by a health care provider;
  • Software that converts digital data generated by a pulse oximeter into a digital format that can be printed;
  • Software that displays a previously stored electrocardiogram for a particular patient; and
  • A telemedicine cart that uses two-way audio/video technology to capture and transmit patient-specific data.

Although technically these products will remain regulated as medical devices, the FDA will exhibit “enforcement discretion,” meaning the Agency will neither expect compliance nor enforce regulations for these products.  However, because the Guidance is not binding and conveys no rights of any kind, the Agency may at any point reverse its thinking and begin enforcing the regulations, a situation that could arise if it appears any products in these classes are negatively impacting patient safety.  For Hall Render’s article on the safety of products with health IT components,  click here.

Additionally, in order for a product to be eligible to take advantage of the Agency’s enforcement discretion, the product must not modify medical device data, control any other connected medical devices or be used in connection with active patient monitoring. As an example of a device used to perform monitoring that does not rise to the level of “active patient monitoring,” the Agency identified software that displays data from a blood glucose meter when the software simply provides viewing of that data and not when immediate clinical action is anticipated as a result. This distinction should give pause to software developers, whether from medical device companies, IT consultants or health care providers, who are developing programs to sync data from patient wearables and other home-use devices to electronic health records and provide alerts to clinicians if that data falls outside of desired norms, as the FDA may continue to actively regulate such programs.  The FDA recently released a draft guidance discussing the approach it intends to take regarding “general wellness” devices. For Hall Render’s article on the wellness devices draft guidance, click here.

On February 24, 2015, the FDA will hold a webinar to discuss the finalized MDDS Guidance and two new draft guidance documents applicable to general wellness devices and medical device accessories.  More information about the webinar is available on the FDA’s website.

Practical Takeaways

Because the FDA’s action comes in the form of a guidance rather than a regulation, every potential developer of MDDS, MIC and MIS products will have to decide whether it is comfortable accepting the risk that the FDA could change its opinion at any time.  Many software developers, particularly those looking to make data from wearable and home use devices more actionable to clinicians, may still find it difficult to take on that risk.

Both product developers and end users should also remain cognizant of the limited scope of the FDA’s enforcement discretion, which does not extend to products that contain MDDS, MIC or MIS functions when they also contain other functions and intended uses that are regulated under separate FDA rules.  The transfer, storage, conversion, formatting and display of medical data are common functions in medical devices and will be increasingly so if interoperability efforts are realized. Both developers and end users of such products should continue to diligently scope the full functionality and intended use of products in order to determine the full scope of regulatory requirements.

If you have any questions about the regulation of health IT or medical devices or would like additional information about this topic, please contact Mark R. Dahlby at (414) 721-0902 or your regular Hall Render attorney.

Please visit the Hall Render Blog at for more information on topics related to health care law.

New Guidance Documents from FDA Seek to Clarify Regulation for Wellness Devices and Medical Device Accessories

On January 20, 2015, the Food and Drug Administration (the “FDA” or “Agency”) published two draft guidance documents designed to fulfill promises it made in the multi-agency Food and Drug Administration Safety and Innovation Act (“FDASIA”) Health IT report. The first draft guidance is intended to promote the innovation of general wellness devices and software applications by identifying certain types of low risk products for which the FDA will not enforce any regulatory requirements. The second draft guidance proposes to regulate medical device accessories based on the risks they present when used as intended, rather than the risks presented by the parent medical device with which the accessory is used.


The Federal Food, Drug and Cosmetic Act authorizes the FDA to regulate as a medical device any instrument, machine, software or other type of product, including component parts and accessories, intended or promoted for use in the diagnosis of disease or other conditions; in the cure, mitigation, treatment or prevention of disease; or intended to affect the structure or any function of the body of man or other animals. Because the definition of a medical device is broad, it captures many types of health IT, arguably including many consumer-facing general wellness products like Apple iWatch, calorie-tracking software and FitBit.

Responding to pressure from industry over the past decade, the FDA has begun clarifying the regulatory environment applicable to many new types of medical software and related products. For example, in 2013, the FDA finalized a guidance on Mobile Medical Applications, in which the Agency wrote it would not enforce regulatory requirements on mobile software applications that pose a low risk to users, provided the products do not make disease-specific claims. In April 2014, the FDASIA Health IT report was issued, in which the FDA again agreed to refrain from actively regulating low risk health IT products and further promised to provide clarity on questions regarding when software may qualify as a regulated medical device accessory and on the regulation of clinical decision support software generally. For Hall Render’s article discussing the Mobile Medical Apps Guidance and the FDASIA Health IT report, click here. The following June, the FDA proposed in another draft guidance document that medical device data systems (“MDDS”), which are devices used to transfer, store, convert, format and display data from other medical devices, should also be exempt from all regulatory requirements. On February 6, 2015, the FDA finalized that MDDS Guidance. To read Hall Render’s article discussing the new MDDS Guidance, click here.

Wellness Devices

In the new draft guidance document entitled General Wellness: Policy for Low Risk Devices (the “draft Wellness Devices Guidance”), the FDA explains that it “does not intend to examine low risk general wellness products to determine whether they are [medical] devices . . . or whether they comply with the premarket review and post-market regulatory requirements for [medical] devices.” The Agency describes general wellness products as having either: (1) an intended use that relates to maintaining or encouraging a general state of health or a healthy activity (i.e., no correlations to or marketing for specific disease states); or (2) an intended use that associates the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition.

According to the Agency, products in the first category include exercise equipment, audio recordings, video games and generally many software programs and devices commonly obtained from retail establishments. Examples of physical conditions for which they may be promoted to assist include weight management, physical fitness, stress management, mental acuity, self-esteem, sleep management and sexual function. Products will fit the second category of general wellness devices only if claims that healthy lifestyle choices may reduce the risk or impact of a chronic disease or medical condition are well understood. According to the FDA, examples of chronic diseases for which a healthy lifestyle is associated with risk reduction or help in living well with that disease include high blood pressure, heart disease and type 2 diabetes. Although “well understood” is not defined, the FDA writes that an acceptable association between disease state and lifestyle would typically be found in peer-reviewed scientific publications. Based on the Federal Trade Commission’s interpretation of the Federal Trade Commission Act, it is likely that at least one well-controlled clinical investigation is required in order to make such claims.

Regardless of the category, the product must also present “a very low risk to users’ safety,” meaning that it may not be invasive (e.g., penetrate or pierce the skin), pose a risk to a user’s health (e.g., exposure to lasers or radiation) or raise biocompatibility questions. The FDA also wrote that a product will not be deemed “low risk” if it “raises novel questions about usability,” although the Agency did not provide examples of “novel questions.”

Accessories to Medical Devices

In the other draft guidance document, entitled Medical Device Accessories: Defining Accessories and Classification Pathway for New Accessory Types (the “draft Accessories Guidance”), the FDA attempts for the first time to clarify what the Agency deems to be “accessories” to medical devices. FDA proposes that an “accessory” is an item intended to support, supplement, and/or augment the performance of one or more medical devices. An example of an accessory could be a smartphone app that is a companion to a medical device.

The Agency further proposes to regulate medical device accessories based on the risks they present when used as intended with their parent devices and not based on the risks of the parent devices. Often the risk of the parent device may be higher than that of the accessory. As an example, the Agency states that “if a parent device warrants regulation as a Class II device but an accessory to the parent device presents lower risks, we would regulate the accessory as a Class I rather than a Class II device.” This proposal would be a substantial departure from the Agency’s current thinking, which has historically been that the risks of the parent device are automatically assigned to its accessories.

Unlike in both the Mobile Medical App Guidance and the draft Wellness Devices Guidance, the FDA did not provide examples of accessories that would or would not be regulated as medical devices. Rather, the Agency encourages manufacturers of accessories to use FDA’s “de novo” classification process to request that the Agency perform a risk-based review of accessory types that are not currently classified. As such, the draft Accessories Guidance provides little actual guidance to developers or users of medical device accessories. Other issues that the FDA did not address as requested by industry stakeholders include:

  • Provide assurance that interoperability claims will not automatically characterize a product as a medical device accessory;
  • Describe how FDA will differentiate between accessories and non-regulated components of a system; and
  • Provide guidance on how the agency intends to regulate claims associated with accessories.

Practical Takeaways

Although both draft guidance documents indicate that the FDA remains generally committed to allowing many low risk health care-related products to be developed without active oversight by the Agency, substantial questions remain. For example, clarity is needed on what may trigger “novel questions about usability” such that a wellness device may become subject to higher scrutiny. Additionally, as clinical decision support tools become more prevalent in both the home and hospital environments, the limited exemption from FDA oversight for wellness devices may soon be outdated. Uncertainty as to regulatory status may also cause confusion as to what rules must be followed (e.g., payment of medical device tax, unique device identification) for not only product developers but also health care providers, which have separate obligations (e.g., adverse event reporting, meeting standards of The Joint Commission) of their own.

The Agency is seeking comments from the public on both proposed guidance documents until April 20, 2015.

If you have any questions about the FDA’s regulation of medical devices or the regulation of health IT generally or are interested in submitting comments to the FDA, please contact Mark R. Dahlby at (414) 721-0902 or your regular Hall Render attorney.


Report Details Safety Issues with Health IT

In November 2014, the ECRI Institute¹ issued a report discussing issues of patient safety and adverse events linked to health information technology (“IT”) products. The report comes in the form of an annual list of top ten health technology safety hazards.

According to the ECRI Institute, although many facets of health IT have a positive impact on patient outcomes, such as automated reminders that improve medication adherence, technologies can also have an adverse effect on patient safety. The top 10 list addresses all health technologies and not just health IT. However, the ECRI Institute pointed out that health IT is a prominent component in many of the technologies that are experiencing safety issues. The health IT-related technologies making the list in ranked order are:

#1. Alarm hazards, including inadequate alarm configuration policies and practices (e.g., failure to reset medical device to default alarm limits when a new patient is connected);

#2. Data integrity, including incorrect or missing data in electronic health records and other health IT systems (e.g., appearance of one patient’s data in another patient’s record because the clinician entering data has two health records simultaneously open and misdirects the entry);

#5. Ventilator disconnections not caught because of mis-set or missed alarms (e.g., alarm volume is too low relative to competing ambient noise);

#7. Unnoticed variations in diagnostic radiation exposures (e.g., “dose creep” where radiographic technologists may increase the exposure parameters to get a better quality image notwithstanding the dose is higher than industry-recommended exposure levels);

#8. Robotic surgery complications from insufficient training (e.g., surgeons located at a control console several feet away from the patient must be able to proficiently manipulate hand and foot controls to position and operate robotic arms while viewing real-time 3D video of the surgical site);

#9. Cybersecurity, including insufficient protections for medical devices and IT systems (e.g., devices that became infected with malware caused a hospital to have to temporarily shut down its catheterization lab); and

#10. Overwhelmed recall and safety alert management programs where due to the significant increase in volume of “safety alerts,” the hospital may not be keeping up with identification/remediation of affected devices.

As the purpose of the report is to help hospitals recognize and prioritize patient safety issues, it also includes detailed recommendations for how hospitals can mitigate safety issues. In creating its report, the ECRI Institute drew from its experience providing services to health care providers, specifically including health technology-related problem reports received through its Problem Reporting Network and its patient safety organization (“PSO”). The ECRI Institute PSO’s website contains additional details about its experience with health IT safety matters.

In November 2014, the Office of the National Coordinator for Health Information Technology (“ONC”) coordinated with the ECRI Institute PSO and United Healthcare’s (“UHC’s”) PSO to publish a report entitled, Health Information Technology Adverse Event Reporting: Analysis of Two Databases. The report studied the role of health IT in hundreds of thousands of reported adverse events in order to identify the most common incidences implicating health IT. Although the analysis determined that incidents involving health IT were overall less likely to result in harm when compared to those events that were not health IT-related, significant issues were identified, including the following:

  • The most common contributing factors to health IT-related events were communication among staff and team members (40-42%), staff inattention (33-34%), accuracy of the data (21-23%) and availability of data (10-12%).
  • Medication-related events were the most common health IT-related event type, accounting for about one-third of these events.
  • More than half of the health IT-related events were categorized in the Common Formats “other” report category making it difficult to determine the clinical problem involved in these events from these data.
  • About 60% of the events involving health IT were categorized as an incident (i.e., they reached a patient although they may not have resulted in harm to the patient), 14% as near miss event and 26% as an unsafe condition.
  • The UHC data showed that clinical documentation systems, computerized provider order entry and laboratory information systems are among the types of IT most commonly involved in adverse events. Health IT-related issues were common in the interfaces among different software components that make up health IT systems.

The ONC is the agency tasked with implementing a plan issued in 2013 by the Department of Health and Human Services to address the role of health IT in ensuring patient safety. The ONC is working with The Joint Commission to implement the plan, which is entitled the Health IT Patient Safety Action and Surveillance Plan and is built on recommendations from the 2011 Institute of Medicine report entitled Health IT and Patient Safety: Building Safer Systems for Better Care.

It was also proposed in the Food and Drug Administration Safety and Innovation Act (“FDASIA”) Health IT report from 2014 that ONC should run a Health IT Safety Center in collaboration with the FDA, the FCC and the Agency for Healthcare Research and Quality, along with other federal agencies and private stakeholders. The center, for which funding is proposed in the White House’s Fiscal Year 2016 budget, would initially focus on data collection and analysis of health IT-related adverse events, including those tied to the use of electronic health records. Thereafter, it is intended that the center would assist in identifying and implementing a framework for oversight of medium-risk health IT products. (To read Hall Render’s article on the multi-agency FDASIA health IT report, click here.)

If you have any questions about patient safety issues related to health IT or matters pertaining to the regulation of health IT or medical devices, please contact:


¹ ECRI Institute is a 45-year-old nonprofit organization that does research to determine which medical procedures, devices, drugs and processes are best in order to improve patient care. It claims more than 5,000 members and clients including hospitals, health systems, public and private payers, federal and state government agencies and accrediting agencies.

New FTC Guidance Addresses Social Media Advertising; Could FDA Be Next?

On March 12, the Federal Trade Commission (“FTC”) published new guidance detailing how advertising disclosures should be made online.  Disclosures are necessary to qualify or limit advertising claims that would otherwise be deceptive, unfair or give misleading impressions.


FTC Issues Mobile Privacy and Security Publications

On February 1, 2013, the Federal Trade Commission (FTC) issued two publications recommending ways that key players in the mobile marketplace, such as operating system providers, application developers, advertising networks and analytics companies, can promote mobile privacy and security.


ECRI Institute Publishes Top 10 Health Technology Hazards for 2013

ECRI Institute has released its list of the Top 10 Health Technology Hazards for 2013.  The annual report is based on the prevalence and severity of incidents reported by health care facilities and information found in the Institute’s medical device problem reporting databases.


mHealth Task Force report recommends greater FCC involvement in health care.

On September 24, the mHealth Task Force released its recommendations to the Federal Communications Commission (FCC), which recommend greater FCC involvement in mobile health and greater coordination with the FDA, ONC, HHS and other federal agencies….

Opinions about Mobile Device Privacy and Security Due to ONC by March 30, 2012

The public comment period regarding securing health information while using mobile devices ends on March 30, 2012. Information regarding ONC’s Mobile Device Roundtable discussion and a link to provide comments can be found here.

Should you have any questions, please contact Alisa Kuehn at 317.977.1475.