August 4, 2014

Article Highlights

  • 78 percent of smartphone users have expressed interest in portable health devices, and downloads have skyrocketed in the last two years.
  • Medical apps may appear alongside games and social media on a smartphone, but they can seriously harm their users if errors occur.
  • The potential gains for human health are too immense to be gambled on poor regulation.
  • Groundbreaking mobile health applications, such as AliveCor’s iPhone-powered electrocardiogram and Proteus’s Digital Health Feedback System, have the potential to reduce health care costs and minimize human error.
  • But US government agencies—particularly the US Food and Drug Administration (FDA)—are not clearly defining what applications should be regulated, who should be regulating them, and how their regulation will be enforced, deterring investors and delaying the applications’ introduction to the market.
  • The FDA can help the United States regain its lead in the mobile health sector by working to streamline the regulatory process and promote innovation, increase its collaboration with the private sector, and reevaluate its risk-based framework.

Imagine you suffer from high blood pressure and are required to take medicine twice a day. As you prepare to take your medication, you grab a small electronic device and swallow it alongside your pills. Powered by your stomach fluids, this sensor tracks the effects of the pill on your body and relays it to your iPad, where the information is presented to you in an accessible form. The information is seamlessly transmitted to your doctor’s computer, through which you can easily review it during your next visit.[1]

While this invention may have belonged in a futuristic novel a decade ago, it is now a reality thanks to the incredible advances made in mobile health over the last five years. The Proteus Digital Health Feedback System is one of many groundbreaking medical applications revolutionizing the relationship between technology and health care.

Smartphones and tablets have been harnessed for medical use by a growing subset of application developers, and their products include Android asthma detectors, smartphone-based glucose meters, and portable stethoscopes. The market potential is huge: 78 percent of smartphone users have expressed interest in portable health devices, and download numbers have skyrocketed in the last two years.[2] Mobile health has the potential to reduce health care costs and to minimize human error.

But what if, for example, the ingestible sensor misreads? Or what if an upgrade in the iPad software causes the display to be incorrect and its patient to ignore an important health risk? Medical applications may appear alongside games and social media applications on a smartphone, but they have the potential to seriously harm their users if errors occur.

US government organizations ranging from the Food and Drug Administration (FDA) to the US House of Representatives are engaged in a wrestling match to define what applications government should regulate, who in government should regulate them, and how this regulation will be enforced. While most of these measures are sensible and designed to protect consumers, regulatory risk has scared off investors and caused delays in introducing valuable applications to the market.

Mobile health has too much potential to allow regulatory concerns to undermine it. By considering feedback from stakeholders and adapting to digital health challenges, the organizations in charge of regulating mobile health can develop a regulatory plan that promotes, rather than inhibits, innovation and consumer safety.

The Current Regulatory Landscape

The regulatory limits surrounding mobile health are being drawn at the same time as mobile health is being defined. Several government agencies are in the process of evaluating the extent to which these new applications fall within those agencies’ regulatory purview.

The Federal Communications Commission (FCC). The FCC is just one example of an agency that might not appear connected to mobile health but has in fact already played an important role in its regulation. Because many mobile health applications rely on wireless technology for data transmission, network interferences could have disastrous consequences for patients if those interferences are mismanaged.

In 2012, the FCC held its inaugural mHealth Summit to discuss its regulatory approach to this new field.[3] The agency eventually decided to relax FCC experimental licensing rules to promote easier testing of mobile health technologies. It also created the position of health care director within the FCC, hinting at a desire to give full regulatory attention to mobile health as it continues to develop.[4]

Office of the National Coordinator (ONC) for Health Information Technology. The ONC within the US Department of Health and Human Services, formed by George W. Bush in 2004, was also quick to enter the mobile health field. Although ONC lacks any authority to enforce regulation, it has played an important role in harmonizing the actions of other regulatory agencies. It coordinated the writing and distribution of the long-awaited proposed health care regulation strategy, finally released in 2014 in conjunction with the FDA and FCC.

Through its Incentive Programs, the ONC has also incentivized software developers to comply with its data certification programs, which condition access to government grants.[5] While the ONC is unlikely to dramatically increase its role in mobile health regulation because of the restrictions on the ONC’s regulatory power, it has played an important part in creating the current regulatory landscape.

FDA. The most important player, of course, is none other than the FDA. Following the rise of mobile health applications, the FDA argued that many of the applications in the field met its rather broad definition of “medical devices,” being “contrivances intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease.”[6] In 2011, it released an outline of its intended regulatory strategy for mobile health. The FDA took public comments and released a final guidance in 2013 that further clarified its plans for regulation.

In actuality, the FDA does not intend to regulate the majority of applications that would be categorized as health applications by application stores but that do not meet the FDA’s definition of medical devices. This includes medical dictionaries, dietary logbooks, and hospital locators.[7]

For applications that do qualify as medical devices, the FDA created a large category subject to enforcement discretion. This category includes applications that provide medication reminders, claim to help patients cope with depression, provide information about drug interaction, or use the Global Positioning System to alert asthmatics of potential dangers.[8] While the FDA announced that it does not intend to focus its regulatory oversight on these applications, their categorization as subject to enforcement discretion allows the agency to regulate these products in the future, should it wish to do so.

Applications on which the FDA focuses its regulation are categorized according to a risk-based framework:

  • Class I medical devices pose little threat to users should those devices malfunction, and are subject to the most limited set of controls. These include, for example, a scale that measures body-mass index and water concentration and relays it to a smartphone application. Some of these devices may require a 510(k) premarket notification, which takes the form of a letter comparing the proposed device to other devices on the market.[9] If the proposed device is found to be substantially equivalent to similar devices, it is cleared for marketing by the FDA.
  • Class II devices could result in mild to medium injury in case of malfunction. In the context of mobile health, this generally covers applications with an attached hardware part, such as a portable stethoscope that plugs into an iPhone, along with its companion application. These devices are almost automatically subject to the 510(k) premarket notification.[10]
  • Class III devices could result in death or serious injury in case of malfunction, making them subject to the most stringent set of regulations. These include devices that are solely responsible for diagnosing life-threatening conditions, such as an imaging application that claims to diagnose melanoma, or one that monitors concussion symptoms. These devices must obtain FDA premarket approval instead of premarket clearance. The process involves clinical trials that, depending on the product, can take several years and can cost millions of dollars.[11]

There are further subtleties to the FDA regulatory scheme for mobile health. An application may be cleared for prescription use only or for Android smartphones but not for Apple products. MobileCT Viewer, for example, was cleared as a medical-image viewer only for fourth-generation iPads, as earlier models were determined not to have sufficient display resolution for accurate imaging.[12]

FDA classification and marketing decisions are closely linked. Regulation can pose limits on marketing claims, or marketing claims can be used to escape regulation. In 2012, for example, device manufacturer Masimo managed to opt out of regulation for its iSpO2 portable oximeter by arguing that the device was intended for use by climbers and pilots, not clinical patients.[13]

While the FDA hopes most medical-device manufacturers will be proactive about obtaining authorization, the FDA also has the means to, if necessary, enforce these requirements through sanctions and penalties. For example, if Masimo began to market its oximeter in medical journals or to make claims about its oximeter’s benefits in treating heart disease, the agency would have grounds to intervene. The FDA generally begins by sending a private warning letter, followed by a public one, followed by forced removal from the market.[14] Application distributors such as the Apple Store and Android Marketplace are expected to help with such recalls, but they are not responsible for ensuring the quality of the health applications they distribute.[15] The bulk of the regulatory burden falls on the application developers.

An Imperfect Regulatory Framework

US regulation of mobile health has become a growing concern among the mobile health developer community. While the FDA’s current plan constitutes a fairly flexible solution to regulation in a field that is constantly in flux, a number of characteristics of the current regulatory landscape raise concerns.

The Effect of Regulation Uncertainty. The FDA only released its final mobile health strategy in September 2013, almost four years after mobile health took off.[16] Until that date, application developers were left to speculate on what form regulation might take and how they could best approach it in the future.

Some manufacturers, such as AirStrip, were proactive about approaching the FDA and securing market clearance. These negotiations were prototypes and were frayed by uncertainty, delays, and changes in regulatory procedure. For example, Mobile MIM, a diagnostic imaging application released by MIMvista in 2008, was initially classified as a Class III device in January 2010. In 2011, the FDA backtracked on its decision and decided to classify the application as a Class II device. By then, the device had already been on the market for several years in India, Australia, Hong Kong, and the United Kingdom.[17]

The notion of enforcement discretion provides flexibility to the FDA as it continues to fine-tune its regulatory policy, but it also creates uncertainty about what applications might be regulated in the future. The difference between a Class II and a Class III certification, for example, is significant: a premarket notification required for Class II devices only costs a small business $2,585,[18] whereas a premarket approval for a Class III device is $154,000 in application fees alone,[19] not to mention the massive costs of clinical trials. Even among identical devices, these standards are not applied consistently and companies frequently escape regulation.

In 2013, Indian medical device company Biosense made headlines after its portable urinalysis kit, uChek, was profiled in a TED Talk. After high-profile figures in the mobile health field drew attention to the device, it turned out that it had not received proper FDA clearance.[20] The FDA immediately sent a warning letter to the company, resulting in its eventual withdrawal from the US market. The fact that the application was sold for years without proper FDA clearance highlights the lack of resources plaguing the agency. Instead of consistently applying standards, the FDA has had to focus its efforts on public prosecution of a few individual cases.

This level of regulatory uncertainty can seriously deter investors and software developers. The chief strategy officer for Rock Health, one of the most prominent digital health incubators, reported that medical device funding had been falling by 13 percent per year.[21] Lack of venture funding has forced application developers to be creative.

In May 2013, medical startup Scanadu hosted an online crowdfunding effort to meet the costs of FDA regulation for the Scanadu Scout. While the campaign met its fundraising goal in two hours, the process was technically illegal: crowdfunding is a form of marketing, which requires premarket notification to the FDA.[22] Biosense Technologies was not as successful as Scanadu, however. After receiving a public warning from the FDA, it attempted to raise funds for online certification but did not gather the necessary resources and eventually withdrew from the US market.[23]

Other developers have responded to regulatory uncertainty by experimenting with less-regulated markets. AliveCor, one of the first portable cardiograms on the market, ended up marketing mainly to veterinarians until it could obtain FDA clearance for human use.[24] Proteus Biomedical, Samsung Health, and other large-scale medical device manufacturers have taken to first releasing their products on the European, Australian, and South Korean markets rather than on the profitable US market.[25]

The Approval Process’s Incompatibility with Software Development. Even when applied consistently, the medical device regulatory process is not adapted to mobile health software. The time required to receive FDA clearance is often the first roadblock. According to Emergo Group, a medical device consulting firm, it took the FDA an average of five months to review and clear a medical device application in 2013.[26] The agency has been making some efforts to more quickly clear medical health technology: mHealthNews found that the average clearance time for mobile medical applications was 110 days, which is 25 days fewer than the overall FDA average.

In developer circles, however, 110 days is an eternity. With 20,000 applications being added to the Apple Store each month, competition for consumers’ attention and for their wallets is fierce.[27] Application developers need to engage in marketing efforts and receive consumer feedback to promote their products, but they cannot do so until they have received FDA clearance.

In addition, the promised 110 days does not include any discussions that might take place between the agency and software developer before the official filing of a premarket notification. For some of the most innovative technologies, these discussions can take years. MIMvista, for example, spent four years in discussions with the FDA before its diagnostic imaging application was approved.[28] Proteus Digital Health likewise had to wait four years to market in the United States.[29]

Even after medical software is initially cleared, several aspects of the mobile application lifecycle are not properly accounted for in the regulatory framework:

  • Software Updates. What happens to an application’s clearance status when a software update is released? Does the application have to go through the entire clearance process again, or is that only necessary for major updates? What qualifies as a major update? In these situations, FDA regulation has functioned on a case-by-case basis and has relied on the goodwill and proactiveness of software developers.
  • Third-Party Modifications. Further problems are introduced when taking into account third parties. If Apple releases an update to its iOS software, do all mobile health applications need to be recertified? Compatibility issues could pose a serious threat to users, and there is a risk-based argument to be made here.
  • Modularization. Like other mobile applications, medical health applications generally rely on a combination of modules and platforms. A portable glucose reader, for example, might rely on an open-source visualization platform to present data. Should the same code be recertified each time by the FDA or should software modules be independently certified based on the level of risk they present? The FDA currently treats each mobile application as a unit, not taking into account this modular structure.
  • Beta Testing. Software developers often release a beta version of an application before releasing it to the general public, both for efficiency and cost-saving purposes. Advanced users can help troubleshoot final problems, and the beta testing can serve as a marketing tool. Because of the risky nature of this practice in the context of health care, the FDA does not allow any form of beta testing in mobile health.[30] While this is understandable, it makes competition with other digital applications more difficult for mobile health developers.


These aspects of the lifecycle show that reconciling the FDA regulatory process with the unique characteristics of mobile software is no easy task. The FDA regulatory framework was built for medical devices with a very different development cycle from software. Software developers such as Athena Health’s Daniel Haley have described FDA regulation as an attempt to “shoehorn health IT into an existing framework . . . created long before these technologies even existed.”[31]

De Novo Approval and Its Impact on Innovation. One final point worth noting about current mobile health regulation is its approach to groundbreaking medical devices. As previously mentioned, FDA clearance for mobile devices generally relies on proving that the device is substantially equivalent to other devices on the market. Manufacturers of a smartphone-operated blood glucose monitor, such as the already-cleared Dario and the MeterSync, would have to prove that their technical specifications are equivalent to those of already-authorized blood glucose meters.

But what about innovative technologies that have no equivalent on the market? As per FDA guidelines, a device for which there is no substantial equivalent receives a de novo classification and is treated as though it presented the highest level of risk, or that of a Class III device.[32] The manufacturer is therefore subjected not to the premarket notification process, but to the much more costly premarket approval process. This was the case for the Proteus smart pill—described in the introduction of this paper—which eventually received FDA clearance. While Proteus had the means to undertake this certification, the feat would not have been so easy for smaller medical startups, which constitute much of the mobile health landscape.

The de novo regulation process also inadvertently results in a first-mover disadvantage: when several companies are competing against each other to release a groundbreaking new product, being the first one comes with a hefty regulatory price tag. AliveCor, for example, introduced the first iPhone-powered electrocardiogram at the Consumer Electronics Show in 2010. Because of the novelty of the device, it took almost three years for it to be cleared by the FDA, and only then could prescription use begin. Two months later, competitor Cardiac Designs received FDA clearance for a substantially equivalent device called ECG Check and immediately obtained over-the-counter clearance.[33] AliveCor endured most of the costs of initial testing, clearing the path for other competitors to enter the field, and reaped few of the benefits.[34]

This form of first-mover disadvantage discourages innovation and makes it more profitable for device manufacturers to focus on already-regulated fields instead of charting new ones. The result is detrimental to consumers and manufacturers alike.

International Regulation of Medical Devices

Efforts to regulate the growing mobile health field have not been restricted to the United States. Some countries, such as China or India, have not yet discussed any form of regulation, but others have decidedly opted for deregulation for the time being: in March 2014, for example, South Korea decided against regulating as medical devices Samsung phones with a mobile health component.[35] The EU is the group that has come closest to establishing a definite mobile health regulation framework at this point.

The certification process for mobile health in the EU has been lauded as less centralized and more efficient than that in the United States. The EU relies on more than 70 accrediting bodies throughout its member nations. Once a device is accredited by one body, it is cleared for marketing throughout the EU. Unlike the United States, the EU does not have a category of enforcement discretion.[36] Medical applications either fall within the purview of regulation or entirely outside of it. The EU therefore regulates some devices more closely than the United States, but it regulates a smaller subset of devices overall: whereas in the United States, a new device could be immediately classified as Class III, in the EU, devices are automatically classified as Class I until evidence to the contrary is provided.

Although this regulatory framework could theoretically endanger consumer safety, in the last five years, the EU has seen similar levels of medical device recalls as the United States,[37] with faster approval times for new medical devices.[38] As a result, many mobile health developers are first bringing their products to the EU, helping finance the costs of more restrictive US regulation. This was the case for MIMvista, Samsung Health, Fitbit Flex, and CardioMem, all of which were on sale in Europe for years before they reached the United States.

The United States should pay attention to international developments in mobile health regulation for several reasons. First, there are some lessons to be gleaned from the European model: when properly implemented, decentralization and selective regulation can result in more innovation with no cost to the consumer. Second, the last few years have seen increased efforts at international standardization.

In October 2013, the International Forum for Medical Device Regulators agreed to move toward standardized regulation of medical software in the next five years.[39] The EU is moving toward a more standardized testing system, with a report on electronically supported health care practice due to the European Parliament by 2015.[40] Such standardization would help streamline certification costs and decrease regulatory uncertainty. Given the difficulty of differentiating online consumers by geographical location, such consistency would be particularly welcome in mobile health. Current changes in regulation affect not only each country’s individual market but also the prospects and expectations of mobile health investors worldwide.

The Future of US Mobile Health Regulation

Despite efforts at international standardization, US mobile health regulation is still in flux. Legislators in both the House and US Senate have drafted bills that could drastically modify the regulation of mobile health. In the House, a bipartisan coalition introduced the Sensible Oversight for Technology which Advances Regulatory Efficiency Act in October 2013;[41] in the Senate, the Preventing Regulatory Overreach to Enhance Care Technology Act was introduced in February 2014 by a coalition of Republicans and Independents.[42] The acts shared similar wording and attempted to achieve the same purpose: restricting the regulatory scope of the FDA in mobile health.

The bills created a distinction among clinical, health, and medical software. In the text of the acts, clinical software is defined as that which is used by professional health care providers to recommend courses of clinical actions, whereas health software supports the administrative aspects of health care in a secondary function. Under the new bills, these two categories would not fall within the regulatory purview of the FDA, which would instead renew its focus on patient-specific diagnosis software. Both bills have since been referred to relevant subcommittees and are indicative of the continuing debate surrounding FDA regulation.[43]

In the future, the FDA is unlikely to be cut out of mobile health regulation altogether, given its history of regulation in the field. The agency was already involved in the regulation of portable medical devices before the invention of smartphones.[44]

At several House hearings, expert witnesses from the application developer community indicated that they see the FDA as the body best fit to continue monitoring, even if some aspects of its regulatory framework still need to be fine-tuned.[45] An increase in the number of agencies involved seems more likely than a reduction in the scope of regulation. The National Institute of Standards and Technology (NIST), for example, may come to play a more important role in enforcing quality controls as the FDA continues to deal with a growing number of applications.

Another area where regulation is still in flux is data privacy. Mobile health opens the door to collecting far more continuous patient data than has ever been available. Not only is more data collected, but data is also transmitted and stored online. Developers of blood glucose meters, activity trackers, and other data-collection software have begun building online platforms for consumers to access their information in a convenient manner. As international efforts to increase interoperability continue, information will likely start being shared across different applications.

This has far-reaching implications for improving health, but also raises privacy concerns. Could health insurance providers get access to this data? What about potential employers? Although the issue has yet to receive widespread media coverage, the US government has already laid the foundation to address this concern. The ONC publishes a number of resources on mobile health data privacy aimed both at consumers and device makers. These include installation guides for medical health practitioners, guides to data management for consumers, and news updates for developers.[46]

The ONC also provides financial incentives for protecting data privacy. To meet the ONC data certification requirements and be eligible for certain government grants, for example, medical device manufacturers must prove adequate handling of confidential data. Regulation in the field of data privacy, however, has mostly focused on recommendations and incentives rather than hard-and-fast guidelines. This is likely to change as debate around data privacy continues to rage. Data privacy will become a core regulatory concern in the future, involving both a legislative and an enforcement component.

Supporting Innovation

Mobile health cannot afford to do without regulation. From a consumer safety perspective, products need to be subjected to some form of quality control. From an economic perspective, regulation gives consumers confidence to explore a new and otherwise risk-filled market segment. If smartphone users had no means of distinguishing which applications provide real health benefits, the entire field of mobile health would be at risk.

That said, the current regulatory framework impedes the development of mobile health more than it needs to. As outlined in this paper, mobile health developers are subjected to regulatory uncertainty and delays resulting from a regulatory model that is not adapted to the specificities of application development. There are a number of ways the FDA could improve this in the future, which I detail in this section.

Interoperability, Cooperation, and Optimization. In the short term, the FDA should make use of its unique position at the center of the mobile health community to generate legislation that enhances, rather than restricts, innovation. First, it should expand its efforts in the field of interoperability. Interoperability represents an untapped opportunity for reducing costs and improving efficiency of treatment. For example, how much more useful would the data from an oximeter be in diagnosis if the data could be seamlessly combined with data from a blood pressure monitor?

Better interoperability would also advance the deployment of health informatics in the hospital by making continuously captured data more available to physicians. This fits within the Obama administration’s expansion plans for health informatics. Furthermore, it would reduce redundant work, as developers could more easily build on each other’s platforms instead of recreating the same basic functionalities.

Major market players have the technological knowledge to make this a reality. As part of its iOS 8 release, Apple announced the deployment of HealthKit, a platform integrated into its smartphone software that would present all health data in one convenient dashboard.[47] Samsung equipped the Samsung 4 with S Health, a similar dashboard interface to help separate applications communicate with each other.[48]

FDA regulatory efforts could provide further incentives for collaboration. In 2013, the agency had added to its database 25 standards recognized as having the goal of promoting medical device interoperability.[49] These standards are published and verified by various international organizations, mainly the International Standards Organization and International Electrotechnical Commission.[50] They promote interoperability in key dimensions: device communication, exchange protocols, and communication with health information-technology networks. So far, compliance with these standards is entirely voluntary. At this stage, enforcing mandatory compliance would be costly and unnecessary, but the FDA could still do more to promote compliance.

A system of incentives, be they monetary rewards or promises of shorter market clearance time, could help make interoperability a reality. The FDA should also continue to collaborate with organs such as the ONC and NIST to enforce better interoperability in handling electronic health records. This will not only help alleviate concerns about data privacy but will also serve to integrate mobile health within the professional health care network over the long run. Such measures pose no threat of compromising patient safety and instead serve to promote more innovation.

Along the same lines, the FDA should work on standardizing and optimizing its recall process. Mobile software recalls are markedly different from physical medical device recalls. In digital health, there are no physical copies to track: the consumer may have installed the same software on different platforms or may not have even updated the software to a problematic version, rendering a recall unnecessary.

On the other hand, it is technologically easier to manage recalls of digital products than physical ones. A patch developed by the manufacturer can be distributed almost instantly online, and users can be traced via their login credentials. FDA tracking of software malfunction has so far relied on consumer reporting; it created MedWatcher, a mobile application, for that purpose. Although the application has so far had low download levels, patients with chronic illnesses praised the application’s ease of access to safety information and the application’s streamlined reporting process.[51] Such efforts to increase adverse-effect reporting should be lauded.

But identifying faulty software is only the first half of the equation, as the FDA must then orchestrate its recall. On this front, the FDA would do well to increase collaboration with application distributors, with whom it has so far had very little interaction. Given their ownership of content distribution platforms, companies such as Apple or Google could play an instrumental role in streamlining the recall of faulty software. Not only would this increase consumer confidence in the emerging mobile health market, but it would also represent a better use of limited FDA resources. The core mission of the FDA is, after all, consumer safety. Systematic screening should clearly remain a component of the FDA’s work, but focusing more resources on recalling faulty software would help advance that mission while creating less of a barrier to innovation.

Finally, the FDA can reduce friction with the developer community by creating communication materials that better take into account the needs of the software development community. The 40-page mobile health guidance released in 2013 was at heart a legal document, outlining FDA definitions in the context of law enforcement and redirecting to older FDA documents for further clarification. Independent consortia such as MobiHealthNews and Rock Health were quick to write guides explaining the FDA document from an application developer perspective, clarifying which applications would be monitored and what concrete steps developers should take to receive clearance.

In the future, the FDA should ensure that the documentation it releases is more appropriately crafted for its target audience. FDA guidance documents should answer the questions that developers and investors want answered: for example, at what stage in the development cycle should they begin the approval process? How are development procedures, such as beta testing and modularization, affected by regulation? Enhancing communication on this front would help build a more productive relationship with application developers.

Decentralization and Collaboration with the Private Sector. As the mobile health field continues to grow, the FDA will have to do more than simply implement the small changes suggested earlier to maintain a durable regulatory framework. In particular, the agency will need to rethink its approach to third-party certification. The FDA currently allows a small subset of medical device manufacturers to complete their clearance through a non-FDA-affiliated Accredited Person. The manufacturer must submit a request for third-party accreditation to the FDA, which has 30 days to reply to the demand; the authorization is considered granted if the FDA does not reply within that timeframe. The third-party accreditor then files a report on the system quality and the requirement compliance of the medical manufacturer inspected, subsequently making a recommendation for clearance. The FDA then has another 30 days to approve or deny market clearance, but usually completes this step in less time.[52]

The third-party certification process is entirely voluntary and can be costly for the manufacturer. However, it allows vendors to get their devices to the market considerably faster: according to Emergo Group, in 2013, the average clearance time for a medical device inspected by a third party was 72 days, roughly half the days required in the regular FDA clearance process.[53]

Third-party certification provides a number of benefits. First, it allows the FDA to focus its limited resources on creating a sound regulatory framework rather than on performing routine enforcement tasks. Second, it could provide better certification services to medical manufacturers. Not only do third-party accrediting bodies have an incentive to stay competitive with each other, but they are often also more familiar with the unique demands of mobile health development than the FDA. This makes for faster, more efficient regulation. Third, independent certification provides manufacturers with the ability to evaluate the cost they would incur from market delays. Reaching the market two months earlier may not always be worth the cost of third-party certification, but in the cases where it is, medical device manufacturers have the option of bypassing standard FDA certification.

The agency should therefore be lauded for these efforts to decentralize its market clearance system, which has worked so well for the EU. However, much remains to be done. FDA guidance for third-party certification has not been updated since 2001, a time when the smartphones that now power mobile health had not even been invented.[54] Since then, third-party certification has remained costly and ineffective. Becoming an Accredited Person for medical device reviews is a difficult process: since the introduction of the program in 1997, the FDA has only allowed seven businesses to employ Accredited Persons, limiting competition in the field.[55]

Despite this stringent certification process, medical manufacturers must still individually submit a request to the FDA for a third-party inspection and wait for a response, which accounts for half of the average clearance time of using a third party. Because the same accreditor cannot inspect the same medical facility twice in a row, forming business relationships is difficult, and the FDA approval process must be renewed every time. The price of third-party certification therefore remains high: businesses can expect to pay anywhere from $4,700 to more than $10,000 for their initial market clearance using this method.[56]

To accelerate the third-party clearance process, the FDA should undertake a number of steps. First, it should focus some of its energy on promoting third-party review and certifying more reviewers. While it may incur some costs in the process, this would free up its resources in the long term. Second, it should either streamline or eliminate its requirement to have each third-party certification request examined by the agency before the party can complete the inspection. If Accredited Persons have already been cleared by the FDA to provide clearance recommendations, having each initial certification request examined by the agency amounts to performing the certification process twice. It would be equivalent to providing a doctor with a license to practice medicine and then requiring that doctor to seek clearance to treat each individual patient.

Of course, the FDA should remain attentive to the risks inherent in third-party certification. Forbidding two consecutive certifications by a third party might be somewhat drastic, but some maximum should still be implemented to prevent potential corruption. The FDA should also continue to inspect the most dangerous Class III devices, leaving Class I and Class II devices to third parties. If well implemented, the expansion of the third-party certification program could eventually result in a form of meta-regulation whereby the FDA draws the rules and private groups help enforce them.

Moving Away from a Risk-Based Framework. In the long term, the advent of mobile health might cause the FDA to carefully reevaluate the principles underlying its regulatory strategy. Until now, the medical device regulation process has operated on a risk-based framework (the Class I, II, and III classification system). The extent to which devices are subjected to regulatory oversight is entirely contingent on this classification. Following the introduction of artificial intelligence into health care, this framework may no longer be adequate.

As the CDS Coalition wrote in a public letter, the FDA should begin to take into account the extent to which users are dependent on a medical device.[57] For example, the same portable pulse oximeter may be used for both long-term monitoring and for medical emergencies. Although the device has the same potential to malfunction in both situations, the difference in risk is important: the long-term user may have time to double check the results provided by the oximeter and to seek the advice of a health care professional, but an emergency physician will not have time to second guess the results provided by the application.

The user’s level of medical expertise should also be taken into account. When using a medical imaging application that diagnoses melanoma, for example, the consumer and physician are in different positions: the physician may have the medical training to spot melanoma and will therefore only use the application as a supportive device, whereas the lay user is entirely reliant on the recommendation of the application. The FDA should work on developing a model to evaluate medical device reliance and to incorporate that element into its risk classification framework.

In the longer term, the FDA may also want to consider benefit assessment, the flipside of risk assessment. The newest, most radical medical devices are often the ones that carry the most risk, but they are also the ones that carry the most benefits. For some patients, the potential health benefits may significantly outweigh the risks of an experimental technology. This is the rationale behind allowing terminally ill patients to adopt experimental treatments. According to economist Richard Epstein, the first round of innovation is often the one that results in the largest benefits. In treating diabetes, the first round of innovation contributed the most to raising life expectancy, whereas the second one cost more and achieved far less.[58] However, Epstein argues that under the current regulatory framework, this first round of diabetes treatment would not have even managed to obtain government clearance.

The current FDA framework does not properly consider situations where the potential benefits outweigh the risks. In 2011, the agency made some headway when it introduced the Medical Device Innovation Initiative, which created an Innovation Pathway program for medical devices that present an extraordinary potential to improve human health. Devices placed on this pathway are assigned an FDA case manager who helps its developers undertake the market approval process much earlier than usual.

The companies selected for this track also get access to a suite of online collaboration tools to help them through regulation, a network of relevant experts, and a map of regulatory pathways developed by the FDA. These devices may also be cleared earlier because human trials and costlier FDA fees will be waived.[59] So far, only a handful of devices have been selected for this pilot program, which includes such innovations as brain-controlled prosthetic arms and speech-correcting microchips.[60]

Although Innovation Pathway is a tremendous step in the right direction, the FDA should eventually aim to apply a cost-benefit analysis to all the medical devices under its regulatory purview, not simply the most prominent ones. The benefits offered by medical innovation form a continuum; to treat them as a threshold, as is the case with the Innovation Pathway, favors high-risk, high-reward innovations over very low-risk, moderately high-reward innovations.

As part of its Innovation Initiative, the FDA is experimenting with a decision support tool to measure the potential benefits of breakthrough innovations.[61] The tool relies on clinical data and patient testimonies. The implementation of this tool would allow the FDA to be more consistent in its estimation of benefits and to eventually move from a risk-based framework to one of risk-benefit analysis. This would require a public discussion and would likely involve other branches of government. However, the outcome would ultimately help promote innovation.


Concern over health regulation in the United States has grown along with the promises offered by mobile health. The regulatory framework that has emerged around mobile health over the last few years suffers from some important flaws. In particular, the approval process required by the FDA is plagued with long wait times, inconsistency in enforcement standards, and a risk-based mentality that discourages innovation. Breakthrough medical devices are marketed in Europe and South Korea years before they reach the United States, where funding for mobile health has been falling in the last few years. Mobile health presents enough potential danger to patients that it cannot be left completely unregulated, but the United States needs to act fast to fix its regulatory environment, or risk being left behind.

In the short term, the FDA should focus its resources on simple fixes that would streamline the regulatory process and promote innovation. Promoting interoperability, standardizing the recall process, and improving communication could strengthen innovation without sacrificing consumer safety. In the medium term, the FDA should increase its collaboration with the private sector to diminish the strain on the FDA’s limited resources.

Clearing the way for more decentralized certification, which has already been implemented in Europe, would both help reduce waiting times and increase consistency in enforcement. In the short term, this can be done by sensibly extending the existing but outdated third-party certification program. In the long term, the FDA should reevaluate its risk-based regulatory framework to incorporate elements such as software reliance and cost-benefit analysis. By implementing sensible regulation, the FDA and other relevant government agencies can promote health innovation and competitiveness, helping the US regain its lead in the mobile health sector. The potential gains for human health are too immense to be gambled on poor regulation.

Sarah Fellay was the summer 2014 intern at AEI’s Center for Internet, Communications, and Technology Policy. She is a junior at Harvard University, studying political science.


1. Proteus Digital Health, “Digital Health Feedback System,”
2. Daniel Schulke, “The Regulatory Arms Race: Mobile—Health Applications and Agency Posturing,” Boston University Law Review 95, no. 5 (October 2013): 1707.
3. Federal Communications Commission, “FCC Health Care Initiatives,”
4. Federal Communications Commission, “Fact Sheet—mHealth Task Force Recommendations,”
5. Schulke, “The Regulatory Arms Race,” 1725.
6. US Food and Drug Administration, “What Is a Medical Device?”
7. US Food and Drug Administration, FDA Guidance on Mobile Health (November 2013), 20–22.
8. Ibid., 23–24.
9. Ibid., 39.
10. Ibid.
11. Bradley Merrill Thompson, FDA Regulation of Mobile Health (MobiHealthNews, 2013), 11.
12. US Food and Drug Administration, 510(k) Clearance Summary: MobileCTViewer (May 16, 2013),
13. Jonah Comstock, “Masimo Offers iPhone-Enabled Pulse Ox to Climbers, Pilots,” MobiHealthNews, December 17, 2012,
14. Thompson, FDA Regulation of Mobile Health, 57.
15. FDA Guidance on Mobile Health, 10.
16. Aditi Pai, Jonah Comstock, and Brian Dolan, “Timeline of Smartphone Enabled Medical Devices,” MobiHealthNews, June 7, 2013,
17. Brian Dolan, “Interview: The iPhone Medical App Denied 510(K),” MobiHealthNews, March 15, 2010,
18. US Food and Drug Administration, “Premarket Notification [510(K)] Review Fees,”
19. US Food and Drug Administration, “Assessing User Fees: PMA Supplement Definitions, Modular PMA Fees, BLA and Efficacy Supplement Definitions, Bundling Multiple Devices in a Single Application, and Fees for Combination Products,”
20. Thompson, FDA Regulation of Mobile Health, 57.
21. Christina Farr, “Entrepreneurs Say the FDA is Killing Medical Innovation,” Venture Beat, April 30, 2013,
22. Jonah Comstock, “Scanadu to Crowdfund Its Tricorder Device Pre-FDA Clearance,” MobiHealthNews, May 22, 2013,
23. Brian Dolan, “FDA Wants to Know Why uCheck App Doesn’t Have Clearance,” MobiHealthNews, May 22, 2013,
24. Farr, “Entrepreneurs Say the FDA Is Killing Medical Innovation.”
25. Aditi Pai, Jonah Comstock, and Brian Dolan, “Timeline of Smartphone Enabled Medical Devices,” MobiHealthNews, June 7, 2013,
26. How Long Does It Take for a 510(k) Submission to Be Cleared by the US FDA? (Emergo Group, February 2014),
27. Dan Rowinski, “Apple iOS App Store Adding 20,000 Apps a Month, Hits 40 Billion Downloads,” ReadWrite, January 7, 2013,
28. Brian Dolan, “MIM Vista,” MobiHealthNews, May 2013,
29. Brian Edwards, “After Four-Year Wait, Proteus earns FDA Approval for Ingestible Pill Sensor,” August 8, 2012,
30. Thompson, FDA Regulation of Mobile Health, 45.
31. Christina Farr, “Congress Wants to Kick the FDA out of Digital Health with This New Bill,” Venture Beat, February 26, 2014,
32. FDA Guidance on Mobile Health, 9.
33. Jonah Comstock, “AliveCor Competitor Gets OTC Clearance from FDA,” MobiHealthNews, March 12, 2013,
34. AliveCor, AliveCor Receives FDA Over-the-Counter Clearance for Its Heart Monitor (February 10, 2014),
35. Stewart Eisenhart, Korean Regulators Waive Registration Requirements for Some Mobile Medical Devices (Emergo Group, March 18, 2014),
36. Thompson, FDA Regulation of Mobile Health, 79.
37. Alex Krouse, “iPads, iPhones, and Smartphones: FDA Regulation of Mobile Phone Applications as Medical Devices,” Indiana Health Law Review, 761.
38. Ibid., 760.
39. Thompson, FDA Regulation of Mobile Health, 80.
40. Ibid., 81.
41. Mike Reynard, Representatives Blackburn, Green, Gingrey, Degette, Walden and Butterfield Introduce SOFTWARE Act (October 22, 2013),
42. Deb Fischer, Fischer, King Introduce Legislation to Protect Jobs, Prevent Overregulation in Growing Health IT Industry (February 10, 2014),
43. GovTrack, Text of the Preventing Regulatory Overreach to Enhance Care Technology Act of 2014 (February 10, 2014),
44. US Food and Drug Administration, “Mobile Medical Applications,”
45. US House of Representatives, Committee on Small Business’s Subcommittee on Health and Technology, Mobile Medical App Entrepreneurs: Changing the Face of Health Care: Prepared Statement of Mr. Alan Portela, 2013,
46. Health Information Technology, “Mobile Device Privacy and Security,”
47. Apple, “iOS 8—Health,”
48. Samsung, “S Health Service SDK,”
49. “FDA Recognizes Voluntary Medical Device Interoperability Standards,” Federal Register 78, no. 151 (August 6, 2013).
50. US Food and Drug Administration, Modernization Act of 1997: Modifications to the List of Recognized Standards (August 6, 2013).
51. Google Play, “MedWatcher Drug/Device/Vaccine,”
52. US Food and Drug Administration, “Accredited Persons Inspection Program,”
53. Emergo Group, How Long Does It Take for a 510(k) Submission to Be Cleared by the US FDA?
54. US Food and Drug Administration, Implementation of Third Party Programs under the FDA Modernization Act of 1997; Final Guidance for Staff, Industry and Third Parties (February 2, 2001),
55. US Food and Drug Administration, “Accredited Persons Inspection Program.”
56. Delphi Consulting Group, Consulting Terms and Fees (2009),
57. mHealth Regulatory Coalition, Examples of Software that Would Be Deregulated under the PROTECT Act (February 12, 2014),
58. Richard Epstein, “Can Technological Innovation Survive Government Regulation?” Harvard Journal of Law and Public Policy 36, no. 1 (Winter 2013).
59. US Food and Drug Administration, “Innovation Pathway,”
60. Stone Heart Newsletter, FDA Says Its Innovation Pathway Program Will Get Medical Devices to Market Faster (February 8, 2011).
61. Ibid.
