Medical devices in the EU are currently regulated under the Medical Devices Directive (93/42/EEC). The Medicines and Healthcare products Regulatory Authority (MHRA) produced guidance in March this year on medical device software, including apps. Health apps are considered a medical device if they have a “medical purpose”. Where an app provides decision-support or decision-making software that applies some form of automated reasoning, such as calculations or symptom tracking, that software is very likely to meet the definition of a medical device and therefore be regulated by the MHRA.
Under the EU regulatory framework, there appears to be some uncertainty as to what qualifies as a medical app (i.e. one for diagnosing, treating and performing a medical task) and what is for general “wellness” (such as the Fitbit wrist band to track fitness, or vital signs monitoring).
In October 2012, the European Commission published a proposal for a new Medical Device Regulation. Discussions surrounding the goals of the new regulation and proposed text have been ongoing for three years. In September 2015, the Council was able to reach an agreement on the general approach covering the substance of the regulations and trilogue talks between Parliament and the Commission are now under way.
According to the Council, software as well as physical instruments, apparatus, appliances and implants, would qualify as a ‘medical device’ and be subject to safety and performance requirements when they are intended to be used for one of a range of specified medical purposes. Those purposes include “diagnosis, prevention, monitoring, treatment or alleviation of disease”, injury or disability, and the “investigation, replacement or modification of the anatomy or of a physiological or pathological process or state”. However, the Council has proposed that “wellness” and “fitness” apps will not be subject to the new medical devices Regulation.
The Business, Innovation and Skills Minister for Life Sciences, George Freeman MP, is due to provide Parliament with an update following the trilogue talks, which we can expect to finish in early 2016. It is likely that any reform will run in parallel with similar changes to data protection regulation, which are due in 2018.
It is estimated that by next year, 500 million people will be using healthcare apps and healthcare professionals expect to monitor the provision of treatment increasingly via apps.
A recent study (September 2015) by Imperial College London found that a number of health apps that are endorsed by the NHS could be at risk of cyber attacks. The NHS has a Health Apps Library which, through its current national accreditation scheme, tests apps to ensure they meet clinical standards and comply with the Data Protection Act. Researchers were able to intercept data sent over the internet via the apps, giving access to patient health data and credit information. A number of apps did not use encryption during transmission of personal data.
With planned reforms to EU data protection laws and medical devices regulation not expected until 2018, healthcare providers will need to think carefully about which devices/apps they endorse and how they are managed.
- Health data from wearable devices could be restricted under EU regulation
- Green paper on mobile health (mHealth)
- NHS approved health apps put patient privacy and health at risk, says study
- “Trust but verify” – Five approaches to ensure safe medical apps
- Final negotiations set to begin on new EU medical device regulations
- Regulation of medical devices
Written by Greg McEwen, healthcare partner