On September 25, 2013, the Food and Drug Administration (the “FDA”) released final guidance on the regulatory requirements regarding the introduction of mobile medical applications into the marketplace (the “Final Guidance”). The purpose of the Final Guidance and its Appendices is to assist manufacturers with determining if a product is a mobile medical app and if so the FDA’s expectations for that product. This Alert summarizes some the key components of the Final Guidance.
I. Summary of the Guidance
This Final Guidance informs manufacturers, distributors and other entities on how the FDA intends to apply its regulatory authorities to select software applications intended for use on mobile platforms (mobile applications).1 Some mobile applications may meet the definition of a medical device under section 201 of the Federal Food, Drug, and Cosmetic Act (FD&C Act)), but because some may pose a lower risk to the public, FDA intends to exercise enforcement discretion. A majority of mobile applications either do not meet the definition of the FD&C Act or are in a category where the FDA intends to exercise enforcement discretion.
The FDA intends to apply its regulatory oversight on those mobile applications that are medical devices and whose functionality could post a risk to a patient’s safety if the mobile application does not function appropriately. The Final Guidance is intended to provide clarity and predictability for manufacturers of these mobile applications.
The Final Guidance provides lengthy definitions of the following terms:
- Mobile Platform
- Mobile Application
- Mobile Medical Application
- Regulated Medical Device
- Mobile Medical App Manufacturer
The above-referenced definitions can be found in the full guidance.
The Final Guidance explains the FDA’s intent—to focus its oversight on a segment of mobile apps.
III. Regulatory Approach for Mobile Medical Apps
The FDA intends to apply its regulatory oversight to only those mobile apps that are (1) medical devices; and (2) whose functionality could pose a risk to a patient’s safety if the mobile app were to not function as intended. The FDA believes that if it fails to function as intended, this subset of mobile medical apps poses potential risks to the public health as currently regulated devices. The FDA strongly recommends that manufacturers who fall within the scope of this guidance follow the Quality System2 regulation (which includes good manufacturing practices) in the design and development of their mobile medical apps and initiate prompt corrections to their mobile medical apps, when appropriate, to prevent patient and user harm. Manufacturers of mobile medical apps must meet the requirements associated with the applicable device classification.
A. Mobile medical apps: Subset of mobile apps that are the focus of the FDA’s regulatory oversight
The FDA currently intends to apply its regulatory oversight to only the subset of mobile apps.3 Of major importance, mobile apps can transform a mobile platform into a regulated medical device by using attachments, display screens, sensors, or other such methods. In spite of the transformation, FDA considers such mobile apps to be mobile medical apps.
The following are mobile apps that the FDA considers to be mobile medical apps that are subject to regulatory oversight:
- Mobile apps that are an extension of one or more medical devices by connecting4 to such device(s) for purposes of controlling5 the device(s) or displaying, storing, analyzing, or transmitting patient-specific medical device data.
- Mobile apps that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. Mobile apps that use attachments, display screens, sensors or other such similar components to transform a mobile platform into a regulated medical device are required to comply with the device classification associated with the transformed platform.
- Mobile apps that become a regulated medical device (software) by performing patient-specific analysis and providing patient-specific diagnosis, or treatment recommendations. These types of mobile medical apps are similar to or perform the same function as those types of software devices that have been previously cleared or approved.
B. Mobile Apps for which the FDA intends to exercise enforcement discretion (meaning that FDA does not intend to enforce requirements under the FD&C Act)
The Final Guidance illustrates the FDA’s exercise of enforcement discretion for mobile apps that: (i) Help patients (i.e., users) self-manage their disease or conditions without providing specific treatment or treatment suggestions; (ii) Provide patients with simple tools to organize and track their health information; (iii) Provide easy access to information related to patients’ health conditions or treatments; (iv) Help patients document, show, or communicate potential medical conditions to health care providers; (v) Automate simple tasks for health care providers; or (vi) Enable patients or providers to interact with Personal Health Record (“PHR”) or Electronic Health Record (“EHR”) systems.
It is important to note that some mobile apps listed above and below may be considered mobile medical apps, and others might not.
The following examples represent mobile apps for which the FDA intends to exercise enforcement discretion:
- Mobile apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in their daily environment.
- Mobile apps that provide patients with simple tools to organize and track their health information.
- Mobile apps that provide easy access to information related to patients’ health conditions or treatments (beyond providing an electronic “copy” of a medical reference).
- Mobile apps that are specifically marketed to help patients document, show, or communicate to providers potential medical conditions.
- Mobile apps that perform simple calculations routinely used in clinical practice.
- Mobile apps that enable individuals to interact with PHR systems or EHR systems.
IV. Regulatory Requirements
Manufacturers of mobile medical apps are subject to the requirements described in the applicable device classification regulation.6
Our team will continue to provide you with updated information on various aspects of this Final Guidance.
1 While many have suggested that this guidance provides similar views on software, the Agency has taken a more formalized position on certain software requirements and the classification of such products. For example, the FDA has previously clarified that when stand-alone software is used to analyze medical device data, it has traditionally been regulated as an accessory to a medical device or as medical device software. Medical Devices; Medical Device Data Systems Final Rule (76 FR 8637) (Feb. 15, 2011).
2 See 21 CFR part 820.
3 See Appendix C.
4 To meet this criterion, the mobile medical apps need not be physically connected to the regulated medical device (i.e. the connection can be wired or wireless).
5 Controlling the intended use, function, modes, or energy source of the connected medical device.
6 Class I devices: General Controls, including:
- Establishment registration, and Medical Device listing (21 CFR Part 807);
- Quality System (QS) regulation (21 CFR Part 820);
- Labeling requirements (21 CFR Part 801);
- Medical Device Reporting (21 CFR Part 803);
- Premarket notification (21 CFR Part 807);
- Reporting Corrections and Removals (21 CFR Part 806); and
- Investigational Device Exemption (IDE) requirements for clinical studies of investigational devices (21 CFR Part 812).
Class II devices: General Controls (as described for Class I), Special Controls, and (for most Class II devices) Premarket Notification.
Class III devices: General Controls (as described for Class I), and Premarket Approval (21 CFR Part 814).
Rite Aid to Pay $12.3 Million for Failing to Properly Manage Waste Products from its California Stores
Rite Aid Corporation has agreed to pay more than $12.3 million to settle a civil lawsuit alleging that Rite Aid improperly managed, transported, and disposed of hazardous waste at hundreds of its California stores and distribution centers. The hazardous wastes at issue include: pharmaceuticals and over-the-counter medications, bleaches, photo processing chemicals, pool chlorine and acids, pesticides, fertilizers, batteries, electronic devices, mercury containing lamps, paints, lamp oils and other ignitable liquids, aerosol products, oven cleaners and various other cleaning agents, automotive products, and other flammable, reactive, toxic and corrosive materials.
The case against Rite Aid began in 2009 when local environmental health agencies began to investigate Rite Aid facilities’ management of hazardous wastes. Prosecutors, investigators, and environmental regulators statewide conducted a series of waste inspections at Rite Aid stores and local landfills. The inspections revealed that over a six-and-a-half year period, Rite Aid had improperly managed certain hazardous wastes at its facilities, transported hazardous waste without meeting regulatory requirements, and in some cases illegally disposed of hazardous waste in landfills not authorized to accept such waste. On September 17, 2013, fifty-three California district attorneys and two city attorneys filed a joint environmental protection lawsuit against Rite Aid. Pursuant to California Health and Safety Code sections 25516 and 25516.1, the prosecutors brought a civil action in the name of the People of the State of California and sought to enjoin violations of California’s hazardous waste, medical waste, hazardous waste transportation and hazardous materials release response laws and implementing regulations.
The prosecutors asserted that Rite Aid stores engaged in numerous violations of California’s hazardous waste laws and regulations, including:
- Disposal of hazardous waste at unauthorized points, such a trash compactors, dumpsters, drains, sinks, toilets, Rite Aid facilities, and landfills or transfer stations not authorized to receive hazardous waste, in violation of Health and Safety Code sections 25189 and 25189.2;
- Failure to determine whether each waste generated at each facility in question as a result of a spill, container break, or other means of rending the product not useable for its intended purpose was a hazardous waste, as required under the California Code of Regulations (“CCR”), Title 22, sections 66262.11 and 66260.200;
- Transporting or transferring custody of hazardous wastes without a properly licensed and registered transporter, as required by Health and Safety Code section 25163;
- Failure to dispose of accumulated hazardous wastes from facilities at least once during every 90 day period, as required by CCR Title 22, section 66262.34;
- Failure to timely file with the Department of Toxic Substances Control (“DTSC”) a hazardous waste manifest for all hazardous waste transported for offsite handling, treatment, storage, disposal or combination thereof, as required by Health and Safety Code section 25160(b)(3) and CCR Title 22, section 66262.23;
- Failure to contact the transporter or owner/operator of the designated receiving facility to determine the status of hazardous waste in the event of non-receipt of a copy of a manifest with the signature of the owner/operator within 35 days of the date the waste was accepted by the transporter, as required by CCR Title 22, section 66262.42;
- Treatment, storage, disposal, and transport of hazardous waste without receiving and using a proper EPA or DTSC identification number for the originating facility, as required by CCR Title 22, section 66262.12(a);
- Failure to maintain a program for the lawful storage, handling and accumulation of hazardous waste, as required by Health and Safety Code section 25123.3 and CCR Title 22, sections 66262.34, 66265.173 and 662165.177;
- Failure to properly designate hazardous waste storage areas, segregate hazardous wastes, and failure to conduct inspections, as required by CCR Title 22, sections 66262.34 and 66265.174;
- Failure to comply with employee training obligations for the management of hazardous waste, as required by CCR Title 22, section 66262.34;
- Failure to have in place at all times a hazardous waste contingency plan and emergency procedures for each facility, as required by CCR Title 22, section 66262.34;
- Failure to continuously implement, maintain, and submit a complete hazardous materials business plan, as required by Health and Safety Code sections 25503(a), 25504, 25505 and CCR Title 19, sections 2729 et seq.;
- Failure to immediately report any release or threatened release of a reportable quantity of any hazardous material from any facility into the environment, as required by Health and Safety Code sections 25501 and 25507;
- Failure to properly manage, mark, and store universal waste in compliance with management standards in CCR Title 22, sections 66273.1 et seq.;
- Failure to comply with the California Medical Waste Management Act (Health and Safety Code sections 117600 et seq.); and
- Causing to deposit, without permission of the owner, hazardous substances upon the land of another, in violation of California Penal Code section 374.8(b).
The prosecutors sought civil penalties for each violation and reimbursement of the costs of investigation, enforcement, prosecution, and attorneys’ fees.
The Consent Judgment
On September 24, 2013, Judge Linda L. Lofthus issued an order approving the consent judgment negotiated by the parties. Under the agreement, Rite Aid agreed to fully comply with the Code sections and regulations at issue in the Complaint. Moving forward, stores will be required to retain their hazardous waste in segregated, labeled containers so as to minimize the risk of exposure to employees and to ensure that incompatible wastes do not combine to cause dangerous chemical reactions. The company will continue to designate four full-time employees responsible for environmental, health, regulatory and safety compliance assurance in California. California Rite Aid stores will work with state-registered haulers to document, collect and properly dispose of hazardous waste produced through damage, spills and returns. Moreover, Rite Aid has implemented a computerized scanning system and other environmental training to manage its waste.
Rite Aid agreed to pay $9,500,000.00 in civil penalties pursuant to Health and Safety Code sections 25189 and 25514 and Business and Professions Code section 17206, to the prosecuting and regulatory agencies. Rite Aid also agreed to pay $1,974,000 for certain supplemental environmental projects. Finally, Rite Aid will pay $950,000 for reimbursement of attorneys’ fees, costs of investigation, and other costs of enforcement.
According to the Los Angeles County District Attorney’s Office, Rite Aid was cooperative with prosecutors and investigators throughout the case.
The Rite Aid case reflects continued active enforcement by California’s prosecutors and regulators of the state’s environmental protection laws against retailers related to alleged mismanagement of hazardous wastes. Since 2011, California regulators have secured more than seven multi-million dollar settlements in hazardous waste enforcement actions against large retailers.