Mobile Medical Apps & Other Digital Health Technologies


Proposed research involving mobile medical applications (apps) may require additional regulatory determinations if the intended use of the app meets the FDA’s definition of a medical device. The guidance below provides the following:

  • FDA Regulatory background for these requirements.
  • Steps to take before submitting your proposal for IRB review.
  • Best practices for submitting your application for review.

Per the FDA’s guidance, and specifically per the FDA’s Policy for Device Software Functions and Mobile Medical Applications (9/27/2019):

A “mobile medical app” is a mobile app that incorporates device software functionality that meets the definition of device in section 201(h) of the FD&C Act; and either is intended:

  • to be used as an accessory to a regulated medical device; or
  • to transform a mobile platform into a regulated medical device.

The intended use of a mobile app determines whether it meets the definition of a “device.” As stated in 21 CFR 801.4, intended use may be shown by labeling claims, advertising materials, or oral or written statements by manufacturers or their representatives. When the intended use of a mobile app is for the diagnosis of disease or other conditions, or for the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the body of man, the mobile app is a device under section 201(h) of the FD&C Act if it is not a software function excluded from the device definition by section 520(o) of the FD&C Act.

FDA defines a medical device as "an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is

  • Recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
  • Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
  • Intended to affect the structure or any function of the human body or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the human body or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.”

Medical devices may include software applications that run on a desktop computer, laptop computer, remotely on a website or “cloud,” or on a handheld computer, and would be subject to these regulations.

If the mobile app is intended to be used in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, it likely meets the definition of a mobile medical app.

If you are unsure whether the app meets the definition of a Mobile Medical App, contact UCSF’s Regulatory Support Office at [email protected] or submit a Consultation Request Form for a consultation with Regulatory Support.

See “Appendix C. Examples of Software Functions that are the focus of FDA’s regulatory oversight (Device Software Functions and Mobile Medical Apps),” starting on page 24 of Policy for Device Software Functions and Mobile Medical Applications.

Please review the UCSF Device Checklist to determine what regulatory determinations your mobile health app needs.

Digital Health Technologies

The FDA defines digital health technologies (DHTs) as systems that use computing platforms, connectivity, software, and/or sensors for healthcare and related uses. These technologies span a wide range of uses, from applications in general wellness to applications as a medical device. They include technologies intended for use as a medical product, with, or as an adjunct to other medical products (devices, drugs, and biologics). They may also be used to develop or study medical products. Some DHTs may meet the definition of a medical device, while others do not.

To understand whether FDA regulatory requirements apply to a digital health product, Investigators must understand whether the digital health or software product is a device. 

Determining regulatory applicability:

If you are unsure whether the app or digital health technology must comply with FDA regulatory requirements, contact UCSF’s Regulatory Support Office at [email protected] or submit a Consultation Request Form for a consultation with Regulatory Support.

See “Appendix C. Examples of Software Functions that are the focus of FDA’s regulatory oversight (Device Software Functions and Mobile Medical Apps),” starting on page 24 of Policy for Device Software Functions and Mobile Medical Applications.

Please review the UCSF Device Checklist to determine what regulatory determinations your mobile health app needs.

IRB Submission and Reporting Requirements

Before you submit to the IRB:

For apps and DHTs that transmit or receive UCSF patient data, submit the software to the ITS Data Security Group for approval before submitting your IRB application. Review the instructions to begin the ITS data security submission process.

Please take the following into consideration when submitting research involving mobile health apps and DHTs for IRB review:

Risk Assessment and Data Sharing Review

A data security Risk Assessment and Data Sharing Review must be completed by UCSF IT and the Office of Sponsored Research, Industry Contracts Division if your study involves the collection, transmission, or storage of information that will be shared with or be accessible to any non-UCSF entity or individual (including use of third-party or vendor-hosted applications).

To initiate a security risk assessment, please contact the intake team at [email protected]. More information about the assessment process is available at

For Information Sharing Review:

IRB Study Application

The IRB Study Application Form uses dynamic branching to include additional applicable sections and/or questions based on answers provided earlier in the form. Because of this, section numbers after Section 5.0, “Funding,” will vary from study to study. The instructions below reference the section name only, since that will not vary.

Research Plan and Procedures Section

Common Research Activities question:
  • Depending on the details of your project, check the box for “Use of mobile health apps or other apps and DHTs,” “Collection of data from wearable tech (such as Fitbit, Apple Watch, Garmin, motion actigraphs, etc.),” or both.

Procedures/Methods question:

  • Provide the name of the app/DHT and indicate whether it is commercially available or being developed for the current study.
  • Identify the type of device(s) on which the technology will be supported (iOS, Android, Windows mobile).
  • Indicate how the participant is accessing the app or software. For example, are participants using their own device (e.g., phone, tablet, computer) or does the study team provide it? If the study provides the device, explain what happens to the device when the study is complete.
  • Provide detailed information about what the app does, how the participant interacts with the app, and the app’s role in the study.
  • Include the name and institutional affiliation of the software developer. (Note: If it is a non-UCSF developer, contact the Office of Research as a Data Use Agreement or contract may be required)
  • If applicable: If any of the results from the app are returned to participants, discuss:
    - What results will be returned?
    - What is the justification for sharing these results with participants?
    - When will results be returned?
    - What is being communicated to participants about the meaning and reliability of the information provided to them?

  • If applicable: Discuss whether use of the app is mandatory or optional for all participants in the study, or if it is only applicable to various subject populations or secondary study aims apart from using/testing the application. If optional, state whether there are alternatives to using the app.

Drugs and Devices Section

If your completed Device Checklist indicates that the app meets the FDA definition of a medical device, list the device in this section.

Confidentiality, Privacy, and Data Security Section

Address risks associated with use of the app, including:
  • Potential Breaches in Confidentiality – Consider the implications of a potential breach of confidentiality, given the identifiability and sensitivity of the data.
  • Address the risk of a third party accessing and/or intercepting research and non-research data. Third parties include the makers of the research app, other installed apps and DHTs, other users of the device, and any other outside actors.
  • Discuss how participating in the research may affect the participant’s data usage plan. Will participants incur expenses if using their personal device?
  • Discuss any risks associated with the app not working as intended. Examples: the app is designed to transmit important vitals or labs but does not function as intended, or the app fails to accept participant input or to transmit as intended. Describe what participants are expected to do and any risks associated with this type of system malfunction.

In the Minimizing Risks section:


In the Extra Confidentiality Measures section: 

If not already discussed in the Minimizing Risks section, discuss other precautions and security controls used to maintain the confidentiality of identifiable information during collection, transmission, and storage (for example, the encryption methods used).

If data are transmitted immediately, where are they being transmitted and what confidentiality protections are in place? If a participant withdraws their participation, what mechanisms are in place to protect or withdraw already collected data?


Informed Consent Form:

The consent form should provide enough details about the mobile app/digital health technology and potential risks to allow for an informed decision. This is especially important if the participant is asked to download an app to their personal device. The Informed Consent Form should reflect many of the elements of the application (Methods, Risks, Minimizing Risks, Costs, and how participant privacy and confidentiality will be maintained).

Suggested information to add to the “What will happen” section:

  • Discuss whether participants will be loaned a device to download the app, or whether they will need to download the app on their personal devices.
  • If participants will be loaned a device, discuss logistics for returning the device (if applicable) and what to do if the device is not working.
  • As indicated above, address whether participants should anticipate incurring data usage fees.
  • If results are being returned to participants, provide details on what information is being shared, when it will be shared, and with whom it will be shared.

If participants are asked to sign a terms of use, privacy policy, or end user license agreement, add a statement such as the following: “While using the app, information about you, including personal health information, location, and internet usage, will be collected and transmitted to the researchers and may also be shared with people outside of the research study. A complete description of this data collection and sharing is found in the Terms of Use. The Terms of Use provide instructions on how to request deletion of your personal data if you decide to do that in the future. While the Terms of Use may include statements limiting your rights if you are injured in this study, you do not release the investigator, sponsor, institution, or its agents from responsibility for negligence and these statements do not apply to the use of the app in this research study.” Note: Who the information will be shared with, and for what purposes, should be specified.

Suggested language to add to the “What side effects or risks can I expect from being in the study?” section: “Although every reasonable effort has been made, confidentiality during internet communication procedures cannot be guaranteed and it is possible that additional information beyond that collected for research purposes may be captured and used by others not associated with this study.”

Include instructions that should be followed when participants choose to withdraw their participation and data from the device/app. This should be added for when the study ends as well.

Suggested language to add to the Risks section if there are potential data use expenses: “Participating in the research may impact your mobile device’s Data Usage Plan. You may incur expenses for which you are responsible.”

Other potential risks to consider:

Indicate whether there is any anticipated risk of discomfort or injury (e.g., a wristband causing skin irritation).

Other Study Documents:

If participants are asked to agree to any end user license agreements, privacy policies or terms of use in order to download or access the app, please attach copies of those documents to your IRB application.

If you are requesting an IDE exemption or NSR determination, please attach a completed copy of the device checklist.

NIH Funded Studies

Recipients of NIH funds are reminded of their vital responsibility to protect sensitive and confidential data as part of proper stewardship of federally funded research, and take all reasonable and appropriate actions to prevent the inadvertent disclosure, release or loss of sensitive personal information. NIH advises that personally identifiable, sensitive, and confidential information about NIH-supported research or research participants not be housed on portable electronic devices. If portable electronic devices must be used, they should be encrypted to safeguard data and information. These devices include laptops, CDs, disc drives, flash drives, etc. Researchers and institutions also should limit access to personally identifiable information through proper access controls such as password protection and other means. Research data should be transmitted only when the security of the recipient’s systems is known and is satisfactory to the transmitter. Refer to the links below for more information.


UCSF Versa – a UCSF IT-supported Artificial Intelligence (AI) ecosystem that connects AI tools with UCSF data and systems.

For initial applications:

  • If the investigator expects to analyze data on the Versa platform, indicate this in the application. The IRB collects this information only to gauge how widespread use of the platform is.
  • Not applicable to new aims.

Already Approved Protocols Now Using Versa Platform:

  • There is no need to submit a modification if the study is approved to collect and analyze Electronic Health Record (EHR) or Personally Identifiable Information (PII) data and subsequently the investigator decides to leverage Versa for additional analyses.


Regulatory Guidance and Policies

Resources on Design Considerations and Privacy Protections

Last updated: February 14, 2024