Proposed research involving mobile medical applications (apps) may require additional regulatory determinations if the intended use of the app meets the FDA’s definition of a medical device. The guidance below provides the following:
- FDA Regulatory background for these requirements.
- Steps to take before submitting your proposal for IRB review.
- Best practices for submitting your application for review.
Per the FDA’s guidance, and specifically per the FDA’s Policy for Device Software Functions and Mobile Medical Applications (9/27/2019):
A “mobile medical app” is a mobile app that incorporates device software functionality that meets the definition of device in section 201(h) of the FD&C Act; and either is intended:
- to be used as an accessory to a regulated medical device; or
- to transform a mobile platform into a regulated medical device.
The intended use of a mobile app determines whether it meets the definition of a “device.” As stated in 21 CFR 801.4, intended use may be shown by labeling claims, advertising materials, or oral or written statements by manufacturers or their representatives. When the intended use of a mobile app is for the diagnosis of disease or other conditions, or for the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the body of man, the mobile app is a device under section 201(h) of the FD&C Act if it is not a software function excluded from the device definition by section 520(o) of the FD&C Act.
FDA defines a medical device as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is
- Recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
- Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
- Intended to affect the structure or any function of the human body or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the human body or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.”
Medical devices may include software applications that run on a desktop computer, laptop computer, remotely on a website or “cloud,” or on a handheld computer, and would be subject to these regulations.
If the mobile app is intended to be used in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, it likely meets the definition of a mobile medical app.
If you are unsure whether the app meets the definition of a Mobile Medical App, contact UCSF’s Regulatory Support Office at [email protected] or submit a Consultation Request Form for a consultation with Regulatory Support.
See “Appendix C. Examples of Software Functions that are the focus of FDA’s regulatory oversight (Device Software Functions and Mobile Medical Apps),” starting on page 24 of Policy for Device Software Functions and Mobile Medical Applications.
Please review the UCSF Device Checklist to determine what regulatory determinations your mobile health app needs.
Before you submit to the IRB:
For apps that transmit or receive UCSF patient data, submit the software to the ITS Data Security Group for approval, via the ITS data security submission process, before submitting your IRB application.
Please take the following into consideration when submitting research involving mobile health apps for IRB review:
- Depending on the details of your project, check the box for “Use of mobile health apps or other apps,” “Collection of data from wearable tech such as Fitbit, Apple Watch, Garmin, motion actigraphs, etc.,” or both.
Procedures/Methods question (Q9):
- Provide the name of the app and indicate whether it is commercially available or being developed for the current study.
- Identify the type of device(s) where the app will be supported (iOS, Android, Windows mobile).
- Indicate how the participant is accessing the app or software. For example, are participants using their own device (e.g., phone, tablet, computer) or does the study team provide it? If the study provides the device, explain what happens to the device when the study is complete.
- Provide detailed information about what the app does, how the participant interacts with the app, and the app’s role in the study.
- Include the name and institutional affiliation of the app developer. (Note: If it is a non-UCSF developer, contact the Office of Research, as a Data Use Agreement or contract may be required.)
- If applicable: If any of the results from the app are returned to participants, discuss:
  - What results will be returned?
  - What is the justification for sharing these results with participants?
  - When will results be returned?
  - What is being communicated to participants about the meaning and reliability of the information provided to them?
- If applicable: Discuss whether use of the app is mandatory or optional for all participants in the study, or if it is only applicable to various subject populations or secondary study aims apart from using/testing the application. If optional, state whether there are alternatives to using the app.
If your completed Device Checklist indicates that the app meets the FDA definition of a medical device, please list the device in this section.
- Potential Breaches in Confidentiality – Consider the implications for potential breaches of confidentiality, given the identifiability and sensitivity of the data.
- Address the risk of a 3rd party accessing and/or intercepting research and non-research data. A 3rd party includes makers of the research app, other installed apps, other users of the device, and any other outside actors.
- Discuss how participating in the research may impact the participants’ Data Usage Plan. Will participants incur expenses if using their personal device?
- Discuss if there are any risks associated with the app not working as intended. Examples: If the app is designed to transmit important vitals or labs but does not function as intended, or if the app fails to accept participant input or transmit as intended. Describe what participants are expected to do and any risks associated with this type of system malfunction.
In the Minimizing Risks section:
Address the data security controls that prevent interception of information.
- Discuss who has access to the data and in what format (identifiable, coded, anonymized).
- Address where the data are stored. Are data stored on the device or transmitted immediately upon receipt (or both)?
- If data are stored locally on the device, are they password protected or encrypted? Note that it may be necessary to define encryption for participants in the Informed Consent Document.
- If data are transmitted to a server, is that exchange encrypted? Where is the server located and how is it secured? Are data transmitted to a server behind the UCSF firewall (MyAccess) or to another site?
- If a participant downloads the app, does the app have a Coded ID or password that a participant must enter before accessing the app and any information they may have entered?
- If a phone or other device is loaned by the study team to the participant, is the phone password protected and usage restricted?
- Does the app collect incidental data about participants (contacts, texts, geo-location information, photos, or other data from the device) or share such data with 3rd parties, as is common practice for commercially available apps? Be sure to address and account for these components.
- Address the plan to prevent interception of data by a 3rd party, even if no personally identifiable information is being collected by the investigator.
- Discuss how participants are supported in using the app during study initiation and during the course of the study. Is there a support hotline or contact information? This should be included in the Informed Consent as well.
If not already discussed in the minimizing risks section, please discuss other precautions and security controls used to maintain the confidentiality of identifiable information during collection, transmission and storage (encryption methods).
- If data are transmitted immediately, where are they being transmitted and what confidentiality protections are in place? If a participant withdraws their participation, what mechanisms are in place to protect or withdraw already collected data?
Suggested information to add to the “What will happen” section:
- Discuss if participants will be loaned a device to download the app, or if they will need to download the app on their personal devices.
- If participants will be loaned a device, discuss logistics for returning the device (if applicable) and what to do if the device is not working.
- As indicated above, address whether participants should anticipate incurring data usage fees.
- If results are being returned to participants, provide details on what information is being shared, when it will be shared, and with whom it will be shared.
Suggested language to add to the “What side effects or risks can I expect from being in the study?” section: “Although every reasonable effort has been made, confidentiality during internet communication procedures cannot be guaranteed and it is possible that additional information beyond that collected for research purposes may be captured and used by others not associated with this study.”
Suggested language to add to the Risks section if there are potential data use expenses: “Participating in the research may impact your mobile device’s Data Usage Plan. You may incur expenses for which you are responsible.”
If you are requesting an IDE exemption or NSR determination, please attach a completed copy of the device checklist.
Recipients of NIH funds are reminded of their vital responsibility to protect sensitive and confidential data as part of proper stewardship of federally funded research, and to take all reasonable and appropriate actions to prevent the inadvertent disclosure, release, or loss of sensitive personal information. NIH advises that personally identifiable, sensitive, and confidential information about NIH-supported research or research participants not be housed on portable electronic devices. If portable electronic devices must be used, they should be encrypted to safeguard data and information. These devices include laptops, CDs, disc drives, flash drives, etc. Researchers and institutions also should limit access to personally identifiable information through proper access controls such as password protection and other means. Research data should be transmitted only when the security of the recipient’s systems is known and is satisfactory to the transmitter. Refer to the links below for more information.
Regulatory Guidance and Policies
- Federal Trade Commission: Developing a Mobile Health App? Retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool#what
- U.S. Food and Drug Administration (FDA): What is Digital Health? https://www.fda.gov/medical-devices/digital-health-center-excellence/what-digital-health
- U.S. Food and Drug Administration (FDA): https://www.fda.gov/medical-devices/digital-health-center-excellence/dig...
- U.S. Food and Drug Administration (FDA): Guidances with Digital Health Content. Retrieved from https://www.fda.gov/medical-devices/digital-health/guidances-digital-health-content
- U.S. Food and Drug Administration (FDA): Device Software Functions Including Mobile Medical Applications. https://www.fda.gov/medical-devices/digital-health/device-software-functions-including-mobile-medical-applications
- National Institutes of Health (NIH) Grants Policy Statement 2.3.12: Protecting Sensitive Data and Information Used in Research. http://grants.nih.gov/grants/policy/nihgps_2013/nihgps_ch2.htm#protecting_sensitive_data
- National Institutes of Health (NIH) Grants Policy Statement 4.1.9: Federal Information Security Management Act. http://grants.nih.gov/grants/policy/nihgps_2013/nihgps_ch4.htm#fed_info_security_management_act
- U.S. Department of Health & Human Services: “Human Subjects Research and the Internet.” http://google2.fda.gov/search?q=mobile+medical+applications+guidance&client=FDAgov&site=FDAgov&lr=&proxystylesheet=FDAgov&requiredfields=-archive%3AYes&output=xml_no_dtd&getfields=*
Resources on Design Considerations and Privacy Protections
- Sage Bionetworks: Privacy Toolkit for Mobile Health Research Studies. https://sagebionetworks.org/tools_resources/privacy-toolkit-for-mobile-health-research-studies/
- ReCODE Health / UC San Diego: The CORE Platform. https://thecore-platform.ucsd.edu/