Digital Health

HCS provides compliance and validation services for mobile medical apps, aka digital health products. We have pioneered techniques, approaches, and tools for unique solutions for the specific compliance needs of mobile medical apps that qualify as medical devices.

If you are one of the tens of thousands of entrepreneurs in the exploding world of mobile health, it’s a near certainty that you should be engaged in regulatory compliance activities. It can be tricky to know what is needed. Read our white paper, Compliance for Mobile Medical Apps, below:

Compliance for Mobile Medical Apps: A Conversation

Hello. Welcome. Grab a tasty beverage and pull up a chair; we need to talk. Don’t worry. Everything will be just fine. We promise. Comfy? Good. Let’s start at the beginning. (It’s a very good place to start.)

These are the Voyages

When we were young, our imaginations were limitless. Anything was possible: flying cars, robot friends, aliens as pets. We watched movies like Back to the Future Part II and coveted that hover skateboard. We raised a curious eyebrow as Dr. McCoy from Star Trek analyzed every ailing red-shirted ensign with a single hand-held gadget that chirped. It seemed rather silly, that little gadget called a tricorder, but somewhere in the backs of our minds and the all-knowing depths of our instinctive guts, we knew that things like that were possible, someday, maybe even tomorrow. There are still no flying cars or hovering skateboards (none that are safe, anyway), but somehow, almost by accident, it seems, Dr. McCoy’s little handheld medical miracle is becoming a reality. It’s being built, right now, here in this world. And the best part? It’s starting to work.

Welcome to the World of Tomorrow

Well, we’re not quite there yet, but we’re standing on the threshold peeking in. There is not yet a single device that can diagnose, monitor, and treat a patient for every type of health problem without even making physical contact or directly interacting with bodily molecules. That’s still something of a holy grail in the medical device industry. What we have instead is the birth of the first generation of a new species, burst from the womb of rapidly evolving technology: tens of thousands of medical devices and mobile apps designed for uniquely specific purposes, all working together to lay the collective foundation for what could one day be the ultimate medical utopia.

But without discipline, all of this forward momentum is for naught. As tempting as it is to run wild with ideas and succumb to the raptures of pure creativity, progress must be tempered by responsibility. Chaos benefits no one. After all, this is serious business, this effort to heal the sick and prolong life. One could argue that it’s the most important business of all. Governing agencies like ISO, HIPAA, and the FDA all seem to think so. They watch from on high and judge us as we scurry. And did we not make it so? We created these omnipotent, omniscient entities – we made them in our own image – in order to rein ourselves in while we do the work of the gods. Because this is work we can’t afford to screw up.

Identity Crisis

So much is being said and written about the definitions of medical devices and Mobile Medical Apps (MMA). Categories are defined and redefined, elaborate criteria matrices are created, FDA guidance documents are analyzed down to the last punctuation mark. And although most of the conclusions are at least somewhat definitive and cohesive, so many questions are still being asked. What is an MMA? Is my company’s product an MMA? How does the FDA categorize it, and what tasks do I need to perform to ensure it is compliant? Is there some magic loophole that I can slip through to avoid all this pesky compliance nonsense?

All these questions are valid, even the last one. We could spend a dozen pages regurgitating FDA definitions and providing if-then scenarios trying to answer them. But let’s not do that here. (If you must, refer to the references section at the end of this document.) Because even after defining your device or MMA you still arrive at the same destination, which is the brightly flaming question that still stands after all the others have been burned down: What do I have to do?

What You Have to Do and Why You Have to Do It

The first thing you have to do is understand what compliance really is and why it is necessary. Quite simply, compliance is documented evidence that you have ongoing reasonable control over your processes, your people, and your products. But why is this important for MMA, even those for which the FDA intends so mysteriously (and frustratingly) to “exercise enforcement discretion?” Let us count the ways.

The most obvious reason for pursuing compliance is the need to adhere to established governances applicable to your product. For manufacturers of tangible medical devices, this will include ISO 13485, which defines regulations for quality systems for medical devices. For MMA, the FDA has categorized several types of MMA that are the focus of their regulatory oversight (defined in Appendix C of the FDA MMA guidance document listed in the references section). Adherence to these regulations is mandatory; noncompliance, even partial, can lead to serious legal and financial repercussions, ranging from a stressful, costly audit all the way to seizure or injunction.

Examples of MMA that are not considered medical devices, and are therefore out of scope for FDA oversight, are defined in Appendix A of the FDA MMA guidance document (listed in the references section). But there is a large gray area between Appendix A and Appendix C: MMA for which the FDA is exercising enforcement discretion. This is defined, and fittingly sandwiched, in Appendix B of the FDA MMA guidance document. Products in this category are open to interpretation; the focus is on intended functionality, which can be very subjective. A common attitude toward this particular categorization is one of dismissal. But remember, “enforcement discretion” does not equal exemption. And it certainly does not mean that the rules are not subject to change. One of the reasons this gray area exists is because the FDA does not currently have the resources to enforce oversight for tens of thousands of MMA products. (More on that later.) In perhaps the most telling statement in the guidance document, the FAQ contains the following edict-in-the-form-of-a-suggestion that can only be a foreshadower of mandates to come:

“All manufacturers of medical device software should have in place an adequate quality management system that helps ensure that their products consistently meet applicable requirements and specifications and can support the software through its total life cycle.”

Wink, wink.

And there’s much more to compliance than the obvious twin guns of ISO and FDA. Let’s not forget HIPAA, the Health Insurance Portability and Accountability Act of 1996 that governs privacy, security, and breach notification related to individually identifiable personal health information. Does your software or app allow a user to upload or transfer personal health information, such as using a mobile phone to post cholesterol improvements on social media, email or share blood sugar data with a doctor, or upload blood pressure data to a healthcare provider’s network? If yes, then guess what? You need to adhere to HIPAA regulations. Even if your product has no ISO or FDA implications, you may still need policies, procedures, and technical solutions in place to ensure HIPAA compliance.

Finally, compliance efforts are part of good business practices. Establishing and documenting policies and procedures are infinitely beneficial. For starters, they provide a framework for consistency and quality. They serve as training for new employees or consultants. In the event of a lawsuit, compliance documentation (such as testing and training records) can save the day, and perhaps the entire company. Most importantly, documented compliance efforts provide proof that your company is taking its job – and its customers – seriously. Potential consumers and clients, when given the choice, will undoubtedly choose the product or provider with documented practices and/or FDA approval over a company without. And the appeal won’t stop there: investors and large companies or entities interested in purchasing smaller companies or startups will pay much more attention – and money – if there is documented proof of a quality system and adherence to applicable regulations. Whatever your personal goals are, having a documented quality program is more than just a good idea. It’s common sense.

What You Have to Do and How It Can Be Done

The good news is that compliance does not have to be expensive. A good quality program is based on acceptable risk. In other words, you only bite off what you can chew. Remember, the goal of compliance is not to obtain perfection but rather to exist in an ongoing state of reasonable control.

The first step is to identify the regulatory applicability for the product(s). This leads to a comprehensive assessment to identify the gaps, which in turn leads to the creation of a customized action plan designed to mitigate and/or close the gaps. For example, HIPAA applicability can be addressed with a solution as simple as a security procedure and an accompanying privacy policy statement. Who hasn’t been to the doctor and signed off on the form acknowledging the receipt of the privacy data information? You’ve already seen these things. They’re not strangers. We’re not re-inventing the wheel here; we’re crafting a special wheel just for you that will fit your particular axle.

It might seem overwhelming, but with the right organization and a good plan in place, it doesn’t have to be. It might seem like an unappealing way to spend money – you had your eyes on that really slick furniture for the conference room or those super-cool iGadget thingies. But spending money on compliance efforts is not a gamble. It’s a sure bet. The returns are guaranteed, and you will reap them as long as you are in business.

Big Brother Will Be Watching You Soon

Still not convinced? Here’s something else to consider: Big Brother may not be watching you at this very moment, but he wants to. And soon enough, he will.

The FDA drew a line in the sand when establishing their current guidance regarding the selective oversight of MMA. But as the tides shift, that line will undoubtedly wash away, only to be redrawn again in a new location, and most likely much further inland. This positioning has been the subject of much debate, including in Congress, beginning a few years ago when smartphones began to blow the doors off of the medical device industry. With tens of thousands of products and services in question, many developed by entrepreneurs with little to no experience or knowledge of the health care industry and its regulations, how can the FDA possibly keep up? How can they oversee this tidal wave of innovation and separate the wheat from the chaff in an effort to keep people safe? And how far should their reach extend?

“Many members of Congress and industry believe that regulation will stifle mHealth (mobile health) innovation. The true challenge, however, is creating a regulatory framework that encourages high-value innovation while also preventing the market from being overcome with products that are ineffective or unsafe.”

This statement, written in The New England Journal of Medicine by a group of lawyers led by Nathan G. Cortez of the Southern Methodist University Dedman School of Law in Dallas, Texas, succinctly summarizes the delicate balance required to ensure safety and control without strangling creative progress. The article, “FDA Regulation of Mobile Health Technologies,” closes with the following stern advice to the governing entities:

“Congress must recognize that robust FDA oversight is not necessarily incompatible with innovation in the mHealth (mobile health) industry. In fact, the industry’s long-term potential may depend on it.”

In short, it’s a warning. The legal industry, grown fat and sleek in our litigious society, may have the most accurate, healthy perspective from their position of observation in the tall grasses. The stampede of untamed MMA is opening up an entire branch of medical legal needs that will fill the bellies of many a law firm. Even now, hungry lawyers are crouched where the shrubs meet the plain, watching carefully the every move of the infant MMA. Some are stalking prey, some are more benign, looking for opportunities to form symbiotic relationships. But they all see the same future taking shape, the inevitability that awaits every overpopulated species: the survival of the fittest and the fall of the weak.

The Long Arm of the Law

All it will take is one plump, juicy lawsuit to change everything. The precedent has been set time and again: the disastrous birth defects caused by the drug Thalidomide in the late 1950s led to new regulations regarding drug testing, proof of efficacy, and disclosure of side effects; Brown v. the Board of Education of Topeka in 1954 changed the entire structure of the American public school system and greatly impacted civil rights and racial relations and attitudes; the 1998 Tobacco Master Settlement Agreement, the result of one of the largest civil class action suits in history, forced tobacco companies to drastically change how they conduct business, advertise their products, and even how they spend their earnings. It’s not inconceivable for something to go horribly wrong with MMA that might result in the type of tragedy that can only lead to massive legislation change.

The rumblings have already begun. Standard medical devices are no stranger to lawsuits; a notable class action suit involving the complications caused by surgical transvaginal mesh implants was so massive in scope that it spawned numerous public alert messages and commercials and tens of thousands of lawsuits filed. MMA is not far behind. Both the watchful legal experts and the mindful life science industry experts are predicting that MMA will be the focus of the next legal surge.

A 2014 study of blood pressure apps led by Dr. Nilay Kumar and documented in the Journal of the American Society of Hypertension illuminates very real concerns from both healthcare and regulatory perspectives. The study, which included 107 common blood pressure and hypertension apps available via Google Play or Apple iTunes (downloaded between 900,000 and 2.4 million times at the time of the study!) revealed that, while mostly beneficial, many of the apps were questionable in terms of accuracy and safety. Only 2.8 percent of the apps were developed with the input of healthcare agencies such as universities. None had been approved by the FDA at the time of the study. Devices that use a mobile phone’s camera to “read” blood pressure via the fingertip were labeled by some scientists as premature and “bogus.”

Dr. Kumar stated, “Apps that inaccurately measure blood pressure could lead to false alarms and possibly fatal false assurances.” The study further stated that there were “serious concerns about patient safety” and an “urgent need for greater regulation and oversight in medical app development.” These concerns sweep the entire MMA spectrum.

Granted, much of this is speculation. But at the risk of sounding paranoid, let’s put on our disaster hats and imagine what could happen. (Let’s pretend we’re developing risk scenarios for an entire industry.) What if one of the many medication reminder apps fails or is inherently flawed, causing a user to forget to take (or take too much of) an essential, life-saving drug? There are several MMA available right now that utilize some amazing yet unregulated technology in the form of a container with special sensors that determine whether or not the user’s pills are in the container. They typically work with a corresponding custom app to give reminders or notify the user or a caregiver if the medication has been skipped. For instance, Grandson gets a text message informing him that Grandma has not taken her Tuesday morning pill according to the data received from the device sensors. He calls Grandma and tells her to take her pill. Grandma takes a pill and suffers a massive stroke. How did it happen? Did Grandma really forget to take her pill? Did she get confused and accidentally make a mistake, having relied on both the device and her Grandson? Did the device malfunction? Did the app malfunction? Who is to blame? These are questions the lawyers will ask after the lawsuit has been filed and the costly investigations and legal maneuvers have begun.

When the Music Stops

MMA failures are inevitable, and where failure occurs, lawsuits follow. Even if your company is not directly in the path of the flowing lava, the ash cloud could, and probably will, cast a very long shadow. (Remember Super Bowl XXXVIII? One little “wardrobe malfunction” triggered a massive FCC crackdown that is still in force today.) Not to sound crass, but all it will take to trigger the eruption is one dead Grandma, a viral video of her great-granddaughter sobbing, and a social media backlash. The question for you is where do you want to be when the music stops and the gods announce from above that unregulated MMA are no longer allowed to run free and wild? Tens of thousands of well-meaning but noncompliant MMA companies are going to be scrambling for the few available chairs. If your company already has a quality program in place, if your products and your processes are already in compliance with applicable regulations, congratulations. You’re already seated comfortably. (But we still recommend you keep your lawyers on standby.) But if you’re not yet compliant, we have some work to do. Keep calm and don’t panic. We’ll help you get there. Just stick out your thumb and we’ll pick you up.

The Final Frontier

We know where we’re going. We know how to get there. We can only imagine what awaits us. Imagination is our privilege, our gift. We can build anything in our minds and almost anything with our hands. If we do this right, if we handle the future of medical technology with care, we’ll change the world. If we pair our enthusiasm with caution and our ambition with responsibility, MMA will pave the way for the next generation of doers and darers and dreamers…

Somewhere in a laboratory sits a young scientist, weary from a long day of trial and error, nodding off to the soft glow of a tablet display. In a dream comes a vision of a future version of Dr. McCoy, leaning over another fallen ensign. (And the ensigns will keep falling; there’s no stopping that.) Perhaps the setting is some distant planet in another universe, perhaps it’s right here on Earth. Dr. McCoy pulls from his pocket a tricorder (it looks a lot like an iPhone), passes it over his prone patient, and reads the results as they are beeped back to him in a familiar warble. He makes a selection on the display with his finger. The device sings again, performing some function unseen, not yet understood, not yet conceived, but entirely possible. The ensign stirs. The good doctor looks to his captain and says, “He’s alive, Jim.”

References

Cohen, Ronnie. “Blood pressure apps may be dangerously wrong.” Reuters Health 23 Dec. 2014. http://www.reuters.com/article/2014/12/23/us-bp-apps-idUSKBN0K11QF20141223

Cortez, Nathan G. “FDA Regulation of Mobile Health Technologies.” New England Journal of Medicine 24 Jul. 2014. http://www.law.smu.edu/getmedia/c5412c9e-b58b-4461-a725-f900ddf56127/Nathan-Cortez–NEJM-article-072414

“Health Information Privacy (HIPAA).” http://www.hhs.gov/ocr/privacy/

Kumar, Nilay. “A content analysis of smartphone–based applications for hypertension management.” The Journal of the American Society of Hypertension 9.2 (2014). 130-136. http://www.ashjournal.com/article/S1933-1711%2814%2900899-7/fulltext

Meyers, Arlen. “Think of MMAs as DME.” LinkedIn 3 Apr. 2015. https://www.linkedin.com/pulse/think-mmas-dme-arlen-meyers-md-mba

“Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff.” http://www.fda.gov/downloads/MedicalDevices/…/UCM263366.pdf

“ISO 13485:2003 Medical devices – Quality management systems – Requirements for regulatory purposes.” http://www.iso.org/iso/catalogue_detail?csnumber=36786