narrow statutory entity definitions and lack of comprehensive required
technical security controls illustrate a need for more comprehensive
regulation of the digital health marketplace.
B. Federal Food, Drug, and Cosmetic Act
In contrast to the clear application of HIPAA to limited organizational
entities, the FDA establishes comprehensive medical device process
requirements to ensure safety in the health marketplace for devices subject to
the FDCA.95 The FDCA establishes a compliance framework for products
considered medical devices under the statute.
Under the FDCA, a device is defined as:
An instrument, apparatus, implement, machine, contrivance, implant . . .
including any component, part, or accessory, which is . . . intended for use
in the diagnosis of disease or other conditions, or in the cure, mitigation,
treatment, or prevention of disease . . . or intended to affect the structure
or function of the body.96
Coupled with case law interpretation, the FDCA defines medical devices
broadly, including a large variety of devices within the digital health sector.97
Whether a device is considered a medical device depends on multiple
factors.98 Not surprisingly, then, medical device manufacturers or sellers must
a/for-professionals/compliance-enforcement/ (last visited Oct. 13, 2016).
95. See What does FDA Regulate?, U.S. FOOD & DRUG ADMIN.,
http://www.fda.gov/AboutFDA/Transparency/Basics/ucm194879.htm (last updated Mar. 4, 2016) (explaining that
the scope of the FDA’s regulatory authority includes jurisdiction over medical devices such
as tongue depressors, heart pacemakers, dental devices, surgical implants, and prosthetics).
96. 21 U.S.C. § 321(h) (2009); U.S. v. Undetermined No. of Unlabeled Cases, 21 F.3d
1026, 1028 (10th Cir. 1994); JAMES T. O’REILLY & KATHARINE A. VAN TASSEL, FOOD AND
DRUG ADMINISTRATION § 18.2 (4th ed. 2016) (explaining that the definition of device now
includes computer software and diagnosis aids, but the device must serve a diagnostic or
therapeutic purpose, “regardless of whether medical treatment will follow”).
97. O’REILLY & VAN TASSEL, supra note 96; see also Adam Candeub, Digital Medicine,
the FDA, and the First Amendment, 49 GA. L. REV. 933, 937–38 (2015) (noting the
complexities and impact of broad FDA regulation of medical devices, including the chilling
of innovation. While this Author does not aim to redraw FDA determinations of in-scope
medical devices according to the FDCA here, the lack of suitable alternatives for regulation
of digital health applications, such as partial regulation under HIPAA or general, non-specific
regulation under the FTC does not effectively manage very real patient safety and data privacy
concerns); see generally Gary E. Gamerman, Intended Use and Medical Devices:
Distinguishing Nonmedical “Devices” from Medical “Devices” under 21 U.S.C. § 32(H), 61
GEO. WASH. L. REV. 806 (1993) (explaining medical device definitions until 1993).
98. U.S. v. An Article of Device, 731 F.2d 1253, 1261 (7th Cir. 1984) (explaining that
although the intention of manufacturer in labeling is not dispositive, it may give some