Neil Brown and Sandra Brown offer an introduction to the regulation of apps and wearables as medical devices
Phones are increasingly equipped with a range of devices capable of being used as sensors, including gyroscopes, accelerometers, microphones and cameras, and have sufficient processing power to crunch the data which those sensors produce. Similarly, advancement in the battery efficiency of Bluetooth and other short-range radio technology means that ever-smaller devices can be created, capturing and logging data and triggering actions.
As well as use in fitness and exercise contexts, these apps and wearables can be used to provide 'mHealth' services, potentially crossing the line from recreational to medical and healthcare applications.
This article introduces the regulatory framework for medical devices and provides an overview of its key provisions and considerations in respect of apps and wearables.
What is a 'medical device'?
In the UK, the term 'medical device' is defined by reg 2 of the Medical Devices Regulations 2002 (SI 2002/618). In summary, something is a medical device if it is intended by its manufacturer to be used for humans for:
(i) diagnosis, prevention, monitoring, treatment or alleviation of disease,
(ii) diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
(iii) investigation, replacement or modification of the anatomy or of a physiological process, or
(iv) control of conception.
The definition encompasses devices intended to administer a medicinal product, but excludes those which achieve their main function by 'pharmacological, immunological or metabolic means'. (Anything which operates in this manner is likely to be classified as a medicine, and subject to a separate regime.)
The 'intended purpose' of a device is the use for which it is intended according to data supplied by the manufacturer on the labelling, instructions for use, and promotional materials (reg 2). How the manufacturer or app developer advertises and describes the product is therefore very important.
This article looks at the general rules applicable to medical devices; specific rules apply to active implantable medical devices and in vitro diagnostic medical devices.
Can a wearable be a 'medical device'?
A device for data gathering — for example, something which measures heart rate or motion — is unlikely to constitute a medical device in itself. However, where the device performs a medical assessment function, or is used as an accessory to a medical device (such as a wearable intended by the manufacturer to be used with a medical device app), it is likely to fall within the medical device regulatory framework.
For example, a wearable which detects and records body temperature is unlikely to be a medical device on its own. Conversely, a 'smart thermometer' which detects and records body temperature and attempts to indicate whether the user has a medical condition is likely to be treated as a medical device.
Can an app be a 'medical device'?
Software falls within the medical device regime, and both the European Commission and the UK's regulator, the Medicines and Healthcare Products Regulatory Agency — the MHRA — have issued guidance on stand-alone software and medical device regulation.
As a key part of the definition of 'medical device' is the intent of the manufacturer, the MHRA has provided in its guidance a list of keywords which it considers are likely to contribute to a determination that an app is a medical device. This list includes the terms 'diagnoses' and 'monitors', as well as the more anodyne 'alarms' and 'converts'.
For example, an app is likely to be a medical device if it uses a phone's camera to take a photograph of an area of skin, assesses that photograph against a database of known skin conditions and attempts to diagnose from what condition the user is suffering.
The provision of non-personalised medical advice (such as a first aid app), or an app which integrates with a surgery's booking system to speed up booking a doctor's appointment, would seem to fall outside the definition of 'medical device', although the MHRA advises only that such software is 'unlikely' to be considered a medical device rather than ruling it out altogether.
What about fitness apps and wearables?
Unless an app or wearable is intended by its manufacturer to be used for any of the four regulated purposes set out above, it is not a medical device. As such, an app or wearable, or a combination of the two, may be used in a fitness context — for example, tracking a user's physical activity — without it necessarily falling within the medical device regulatory regime.
The focus on intended use means that one dataset or source of information could be used in two separate ways, one regulated and one not. For example, logging a user's pulse could be a data source for a medical device, monitoring the wearer's circulatory system and flagging when the user is suffering some form of cardiac irregularity, which would likely be regulated, or else as part of a broader, non-medical, fitness tracking app, showing a user the extent to which they are exerting themselves during exercise, which is unlikely to be regulated.
Where a fitness app purports to provide a medical function, such as diagnosis of an injury, it could stray into the regulated sector. As the manufacturer's intended use is a core test as to whether something is a medical device, a company looking to distribute a non-medical fitness app or wearable would be well advised to avoid making claims which indicate that the device has medical function. Aside from general advertising and liability issues, unfounded claims of this nature could attract unwanted and unnecessary regulatory attention, slowing down time to market; moreover, such claims might give rise to criminal sanctions for non-compliance with the medical device regime.
Experience suggests that the MHRA is happy to provide written, albeit informal, guidance as to whether a specific wearable or app is likely to be treated as a medical device.
Implications of being a medical device
Where an app or wearable is a medical device, or an accessory to such a device, it will need to comply with the regulatory framework if it is to be sold or distributed lawfully in Europe (SI 2002/618, regs 5(1), 6 and 61(1)). In the UK, by virtue of the Consumer Protection Act 1987, s 12(2), failing to comply with the obligations of the framework is a criminal offence, carrying the risk of both imprisonment and a fine.
The obligations to which a manufacturer must adhere depend on a device's classification (SI 2002/618, reg 7). There are Classes I, IIa, IIb and III and, generally speaking, the more intrusive or risky a medical device, the more highly it will be classified, with greater obligations being imposed on devices of higher classifications.
A standalone app is unlikely to be more than a Class I device, on the basis that it is inherently non-invasive. Wearables may also be Class I devices but, depending on what they do, could fall within the higher classifications.
For example, the 'smart thermometer' described above, which takes a user's temperature and attempts to assess whether the patient has some form of medical condition, is likely to be classified as an invasive but transient Class I device (see directive 93/42/EC, Annex IX, paras. 1.2 and 1.1 and r 5), whilst a wearable which uses electrical energy to create images for direct diagnosis would be in Class IIa (see Annex IX, r 10).
The core requirements of the framework for a Class I device include:
• designing the device to meet certain 'essential requirements' for design and manufacturing;
• compliant labelling and packaging; and
• declaring conformity with the requirements, registering with the MHRA or other EU authority, and applying a CE marking to the device.
Meeting 'essential requirements'
All medical devices must meet 'essential requirements' as set out in Annex I to the medical devices directive (SI 2002/618, reg 8(1)) before they can be placed on the market or made available to an end-user. This applies whether the device is to be given away (ie without charge) or sold (reg 2).
These requirements include designing and manufacturing devices in such a way as to minimise the possibility that the device might compromise the condition or safety of patients and users (directive 93/42/EC, Annex I, para 1), as well as obligations around mandatory information supply (para 13), including instructions where needed.
Labelling and packaging requirements
Information on packaging and labels must be in English (SI 2002/618, reg 9(3)(a)). Instructions must either be in English or in a Community language. Where the instructions are in a non-English Community language, the device's packaging, label or promotional literature must state in English the language in which the instructions are written (reg 9(3)(b)).
As the 'essential requirements' for medical devices prescribe the provision of certain information, care will need to be taken in the context of apps that descriptions and screenshots within app store environments are sufficient to bring about compliance, perhaps necessitating greater legal review than might be the case with non-medical device apps.
Medical devices require a CE marking before they can be put onto the market or sold (reg 10). To be eligible to apply a CE marking to a Class I device, the manufacturer must fulfil the relevant 'declaration of conformity' requirements and ensure that the device meets the 'essential requirements' which apply to it.
For most Class I devices, a manufacturer can (and must) make its own declaration of conformity with the essential requirements (reg 13(1)), but any parts of a device with a measuring function (such as the smart thermometer) require approval and certification from a notified body (directive 93/42/EC, Annex VII, para 5).
There are two elements to the conformity requirement for Class I devices:
• preparing and retaining appropriate technical documentation (Annex VII, para 2), and
• operating a systematic procedure for monitoring the devices after supply or download and applying any necessary corrective actions, as well as notifying certain adverse incidents to the regulator (Annex VII, para 4).
These are ongoing obligations and, in the case of incident notification, require immediate action, and so will need appropriate resource allocation.
Once the relevant requirements have been satisfied, the manufacturer will need to register with the MHRA or other competent EU authority, if it has not already done so (SI 2002/618, reg 19). Once registered, the manufacturer can apply the CE marking to its device, and put the device onto the market.
The CE marking must appear in a visible, legible and indelible form on the device, instructions, and sales packaging (directive 93/42/EC, Article 17).
Updates to an app, or firmware updates for wearables, may well require new declarations of conformity.
In addition to obligations arising under the medical device framework, lawyers advising clients looking at developing medical device apps or wearables will also need to bear in mind more general principles of law.
For example, health-related data is most likely to be 'sensitive personal data' within the data protection framework, requiring appropriate treatment by the data controller, and the CAP code contains specific rules on the advertising of medical devices (r 12). Developers will also need to be mindful of the potential liability arising from end users relying on their app, or on the performance of a wearable, and make appropriate provision for liability arising if the device fails or causes harm.
Clients considering opening an app store will need to bear in mind that the MHRA considers that the medical device requirements apply to app store operators as well as to manufacturers. The client would need to consider how it would comply with these obligations, or whether it would prohibit medical devices from being distributed through its store.
The regulation of medical devices is a relatively complex area, with strong incentives for getting things right.
The rules around medical devices are perhaps traditionally the territory of medical companies, with legal and compliance teams used to reviewing their company's activities and products. Since the barrier to entry for developing apps is very low, and, thanks to the growing use of 3D printing, increasingly low in the case of physical device production, the regulations may be more relevant to smaller companies and private individuals than they have been to date — one coder's hobbyist app or 3D-printed wearable may be a medical device in the eyes of the MHRA.
It will be interesting to see how the MHRA approaches these, considering the potential for criminal sanctions for non-compliance: if nothing else, it would be most helpful if the MHRA would produce an accessible compliance checklist, helping people navigate the relatively cumbersome framework of regulations, directives and Commission guidance documents.
For lawyers, the application of the medical devices regulatory framework may provide a new source of work, with apps and wearables which could fall within the definition of 'medical devices' requiring careful legal scrutiny throughout the device's lifecycle, even more so than for most apps, including the design and development phase, marketing and promotion, and potentially ongoing regulatory obligations.
Neil Brown is an experienced telecoms and technology lawyer at a global communications company and is writing his PhD on the regulation of over the top communications services.
Sandra Brown is a solicitor at an international healthcare company.
 'Guidelines on the qualification and classification of stand alone software used in healthcare within the regulatory framework of medical devices' (MEDDEV 2.1/6, January 2012)
 The MHRA's 'Medical device stand-alone software including apps', August 2014
 MEDDEV 2.1/5, June 1998: guidelines relating to medical devices with a measuring function
 See the MHRA's 'Medical device stand-alone software including apps', August 2014