Research Involving: Mobile Medical Apps

Overview

Proposed research involving mobile medical applications (apps) may require additional regulatory determinations if the intended use of the app meets the FDA’s definition of a medical device. The guidance below provides the following:

  • FDA regulatory background for these requirements.
  • Steps to take before submitting your proposal for IRB review.
  • Best practices for submitting your application for review.

Per the FDA’s guidance, and specifically per the FDA’s Policy for Device Software Functions and Mobile Medical Applications (9/27/2019):

A “mobile medical app” is a mobile app that incorporates device software functionality that meets the definition of device in section 201(h) of the FD&C Act; and either is intended:

  • to be used as an accessory to a regulated medical device; or
  • to transform a mobile platform into a regulated medical device.

The intended use of a mobile app determines whether it meets the definition of a “device.” As stated in 21 CFR 801.4, intended use may be shown by labeling claims, advertising materials, or oral or written statements by manufacturers or their representatives. When the intended use of a mobile app is for the diagnosis of disease or other conditions, or for the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the body of man, the mobile app is a device under section 201(h) of the FD&C Act if it is not a software function excluded from the device definition by section 520(o) of the FD&C Act.

FDA defines a medical device as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:

  • Recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
  • Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
  • Intended to affect the structure or any function of the human body or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the human body or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.”

Medical devices may include software applications that run on a desktop computer, laptop computer, remotely on a website or “cloud,” or on a handheld computer, and would be subject to these regulations.

If the mobile app is intended to be used in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, it likely meets the definition of a mobile medical app.

If you are unsure whether the app meets the definition of a Mobile Medical App, contact UCSF’s Regulatory Support Office at [email protected] or submit a Consultation Request Form for a consultation with Regulatory Support.

See “Appendix C. Examples of Software Functions that are the focus of FDA’s regulatory oversight (Device Software Functions and Mobile Medical Apps),” starting on page 24 of Policy for Device Software Functions and Mobile Medical Applications.

 

Please review the UCSF Device Checklist to determine what regulatory determinations your mobile health app needs.

 

IRB Submission and Reporting Requirements

Before you submit to the IRB:

For apps that transmit or receive UCSF patient data, please submit the software to the ITS Data Security Group for approval, through the ITS data security submission process, prior to submitting your IRB application.

Please take the following into consideration when submitting research involving mobile health apps for IRB review:

IRB Study Application
The IRB Study Application Form utilizes dynamic branching to include additional applicable sections and/or questions based on answers provided earlier in the form. Because of this, section numbers after Section 5.0, “Funding” will vary from study to study. The instructions below reference the section name only since that will not vary.
 
Research Plan and Procedures Section:
Common Research Activities question (Q8):
  • Depending on the details of your project, check the box for “Use of mobile health apps or other apps,” “Collection of data from wearable tech such as Fitbit, Apple Watch, Garmin, motion actigraphs, etc.” or both.

Procedures/Methods question (Q9):

  • Provide the name of the app and indicate whether it is commercially available or being developed for the current study.
  • Identify the type of device(s) where the app will be supported (iOS, Android, Windows mobile).
  • Indicate how the participant is accessing the app or software. For example, are participants using their own device (e.g., phone, tablet, computer) or does the study team provide it? If the study provides the device, explain what happens to the device when the study is complete.
  • Provide detailed information about what the app does, how the participant interacts with the app, and the app’s role in the study.
  • Include the name and institutional affiliation of the app developer. (Note: If it is a non-UCSF developer, contact the Office of Research as a Data Use Agreement or contract may be required)
  • If applicable: If any of the results from the app are returned to participants, discuss:
      - What results will be returned?
      - What is the justification for sharing these results with participants?
      - When will results be returned?
      - What is being communicated to participants about the meaning and reliability of the information provided to them?

  • If applicable: Discuss whether use of the app is mandatory or optional for all participants in the study, or if it is only applicable to various subject populations or secondary study aims apart from using/testing the application. If optional, state whether there are alternatives to using the app.

 

Drugs and Devices Section:
  • If your completed Device Checklist indicates that the app meets the FDA definition of a medical device, please list the device in this section.
 
Confidentiality, Privacy, and Data Security Section:
Address risks associated with use of the app, including:
  • Potential Breaches in Confidentiality – Consider the implications for potential breaches of confidentiality, given the identifiability and sensitivity of the data.
  • Address the risk of a 3rd party accessing and/or intercepting research and non-research data. A 3rd party includes makers of the research app, other installed apps, other users of the device, and any other outside actors.
  • Discuss how participating in the research may impact the participant’s Data Usage Plan. Will participants incur expenses if using their personal device?
  • Discuss if there are any risks associated with the app not working as intended. Examples: If the app is designed to transmit important vitals or labs but does not function as intended, or if the app fails to accept participant input or transmit as intended. Describe what participants are expected to do and any risks associated with this type of system malfunction.

In the Minimizing Risks section:

  • Address the data security controls that prevent interception of information.
  • Discuss who has access to the data and in what format (identifiable, coded, anonymized).
  • Address where the data are stored. Are data stored on the device or transmitted immediately upon receipt (or both)?
  • If data are stored locally on the device, are they password protected or encrypted? Note that it may be necessary to define encryption for participants in the Informed Consent Document.
  • If data are transmitted to a server, is that exchange encrypted? Where is the server located and how is it secured? Are data transmitted to a server behind the UCSF firewall (MyAccess) or another site?
  • If a participant downloads the app, does the app have a Coded ID or password that a participant must enter before accessing the app and any information they may have entered?
  • If a phone or other device is loaned by the study team to the participant, is the phone password protected and usage restricted?
  • Confirm that UCSF IT has reviewed the Terms of Agreement and/or Privacy Policy and/or End-user License Agreement and will continue to review updates of the agreement.
  • Does the app collect incidental data about participants, including contacts, texts, geo-location information, photos, or other data from the device, or share such data with 3rd parties, which is a common practice for commercially available apps? Be sure to address and account for these components.
  • Address the plan to prevent interception of data by a 3rd party, even if no personally identifiable information is being collected by the investigator.
  • Address how the participant will be informed that the data are subject to the app’s terms of use agreement, which may change over time.
  • Discuss how participants are supported in using the app during study initiation and during the course of the study. Is there a support hotline or contact information? This should be included in the Informed Consent as well.

 

In the Extra Confidentiality Measures section:
  • If not already discussed in the Minimizing Risks section, please discuss other precautions and security controls used to maintain the confidentiality of identifiable information during collection, transmission, and storage (such as encryption methods).
  • If data are transmitted immediately, where are they being transmitted and what confidentiality protections are in place? If a participant withdraws their participation, what mechanisms are in place to protect or withdraw already collected data?

 

Informed Consent Form:
The consent form should provide enough details about the mobile app and potential risks to allow for an informed decision. This is especially important if the participant is asked to download an app to their personal device. The Informed Consent Form should reflect many of the elements of the application (Methods, Risks, Minimizing Risks, Costs, and how participant privacy and confidentiality will be maintained).

Suggested information to add to the “What will happen” section:

  • Discuss if participants will be loaned a device to download the app, or if they will need to download the app on their personal devices.
  • If participants will be loaned a device, discuss logistics for returning the device (if applicable) and what to do if the device is not working.
  • As indicated above, address whether participants should anticipate incurring data usage fees.
  • If results are being returned to participants, provide details on what information is being shared, when it will be shared, and with whom it will be shared.

If participants are asked to sign a terms of use, privacy policy, or end user license agreement, add a statement such as the following: “While using the app, information about you, including personal health information, location, and internet usage, will be collected and transmitted to the researchers and may also be shared with people outside of the research study. A complete description of this data collection and sharing is found in the Terms of Use. The Terms of Use provide instructions on how to request deletion of your personal data if you decide to do that in the future. While the Terms of Use may include statements limiting your rights if you are injured in this study, you do not release the investigator, sponsor, institution, or its agents from responsibility for negligence and these statements do not apply to the use of the app in this research study.” Note: Who the information will be shared with, and for what purposes, should be specified.

Suggested language to add to the “What side effects or risks can I expect from being in the study?” section: “Although every reasonable effort has been made, confidentiality during internet communication procedures cannot be guaranteed and it is possible that additional information beyond that collected for research purposes may be captured and used by others not associated with this study.”

Suggested language to add to the Risks section if there are potential data use expenses: “Participating in the research may impact your mobile device’s Data Usage Plan. You may incur expenses for which you are responsible.”

Other Study Documents:
If participants are asked to agree to any end user license agreements, privacy policies or terms of use in order to download or access the app, please attach copies of those documents to your IRB application.

If you are requesting an IDE exemption or NSR determination, please attach a completed copy of the device checklist.

 

NIH Funded Studies

Recipients of NIH funds are reminded of their vital responsibility to protect sensitive and confidential data as part of proper stewardship of federally funded research, and take all reasonable and appropriate actions to prevent the inadvertent disclosure, release or loss of sensitive personal information. NIH advises that personally identifiable, sensitive, and confidential information about NIH-supported research or research participants not be housed on portable electronic devices. If portable electronic devices must be used, they should be encrypted to safeguard data and information. These devices include laptops, CDs, disc drives, flash drives, etc. Researchers and institutions also should limit access to personally identifiable information through proper access controls such as password protection and other means. Research data should be transmitted only when the security of the recipient’s systems is known and is satisfactory to the transmitter. Refer to the links below for more information.

 

Resources

Regulatory Guidance and Policies

Resources on Design Considerations and Privacy Protections