satisfy FDA requirements under the FDCA, in contrast with CEs under
Although previously unclear,100 the FDA recognizes a category of digital
health medical devices involving modern technology: mHealth, IT, wearable
devices, telehealth, telemedicine, and personalized medicine.101 Digital
health medical devices span panels, which are groupings the FDA established
to set specific requirements and provide informed oversight by medical
The FDA classifies devices as Class I, II, or III, and this classification
determines medical device controls, including exemptions.103 From Class I
to III, medical devices are organized from requiring least regulatory oversight
to most, with Class I devices requiring only compliance with general controls
in the FDCA.104 Classes II and III require a showing of “performance
standards” beyond general controls, and the FDA classifies new medical
devices as Class III by default.105 How the device is used and its connection
indication of the device’s use and that the intention of the seller or manufacturer is just one of
many factors determining status as a medical device).
99. See infra Part III (adding further discussion on proposed responsibilities for digital
health cybersecurity); Compare O’REILLY & VAN TASSEL, supra note 96 (explaining the
definition of medical device), with supra Part II, Health Insurance Portability and
Accountability Act, Classification and Applicability (describing parties that largely comply
with HIPAA regulation). Covered Entities, frequently health care providers or recipients of
devices, must comply with HIPAA regulations. In contrast, the FDCA regulates manufacturers
and sellers of medical devices. In some circumstances, a Covered Entity may also be a medical
device manufacturer. This may mandate co-compliance with divergent requirements. When
organizations are not subject to both regulations, they may be held to comparatively different
security schemes, despite reasonably similar risk to individuals.
100. See Alex Krouse, IPads, IPhones, Androids, and Smartphones: FDA Regulation of
Mobile Phone Applications as Medical Devices, 9 IND. HEALTH L. REV. 731, 751–52 (2012)
(“[M]ethods of defining when software must be regulated as a medical device creates
difficulties with new mHealth companies developing mobile applications. The three FDA
software guidance documents still leave considerable questions as to whether an application
requires regulation and if so, what regulation is necessary.”).
101. Device Classification Panels, U.S. FOOD & DRUG ADMIN. (Jun. 24, 2014),
Device/ucm051530.htm [hereinafter Device Classification Panels]; see also Digital Health,
supra note 18.
102. 21 C.F.R. §§ 868.1–892.6500 (2016); see Device Classification Panels, supra note
101 (identifying the medical device classification panels).
103. Classify Your Medical Device, U.S. FOOD & DRUG ADMIN., http://www.
(last updated July 29, 2014) [hereinafter Classify Your Medical Device].
104. Paul M. Coltoff et al., Regulation of Medical Devices, 28 C.J.S. Drugs and Narcotics
§ 26 (2016).
105. Id.; Clinical Reference Lab., Inc. v. Sullivan, 791 F. Supp. 1499 (D. Kan. 1992),