general health apps.184 Despite this, the FDA has the regulatory structure,
function, and focus to effectively regulate the digital health marketplace with
some involvement from OCR, FTC, and ONC partners.185
The FDA first must officially include the digital health products and
services in its definition of medical device. This change will require
compliance with standard quality measures included in a quality system
under the FDCA.186 Today, the FDA does not recognize many potential Class
I devices, like mobile health applications, as medical devices.187 With an
ever-increasing focus on Io T technologies, non-invasive sensor-based care,
and health data loss, the FDA cannot avoid acting in the best interests of
consumers.188 Similar to the extension of the FDCA’s interpretation of
“contrivance” to include computer software in 1989, the FDA should
embrace its responsibility for regulating other computer-based
applications.189 Many benefits to the consumer will naturally extend from
FDCA regulatory controls, including required inclusion of a quality
management system, policy development and standard operating procedures,
accountability, and employee training.190 These general controls map well to
a standardized cybersecurity program.
To fully realize the benefits of an FDA-managed model for the digital
health marketplace, the FDA will need to adjust its use of the 510(k) and
PMA processes as they apply to digital health products. At least initially, the
FDA should consider requiring all Class I and II digital health devices to
submit a 510(k).191 The 510(k) provides a level of additional confidence in
products via required disclosures, and the FDA holds discretion over required
information disclosed via this process.192 The FDA could easily incorporate
184. See FDASIA WHITE PAPER, supra note 125; see also GENERAL WELLNESS, supra
185. See Part II, FDCA, and accompanying notes (explaining that although Class I
medical devices receive no oversight and health mobile apps do not require compliance with
the FDCA, the framework for pre-market disclosures, quality management programs, and
post-market obligations matches most product development lifecycles).
186. See Part II, FDCA, Applicability, and accompanying notes.
187. See GENERAL WELLNESS, supra note 144.
188. See Glaser, supra note 9.
189. John F. Murray, Jr., CDRH Regulated Software, REG. AFF. PROF’L SOC’Y 6 (Oct.
190. See Part II, FDCA, Medical Device Market Obligations and accompanying notes.
191. This author notes that a 501(k) is not without cost: in 2014, the average fees were
$2,585 for small businesses and $5,170 for large businesses. See Alexander Gaffney,
Regulatory Explainer: Why and how is FDA Regulating Mobile Apps? REG. AFF. PROF’L
SOC’Y (Apr. 15, 2014), http://www.raps.org/focus-online/news/news-article-view/article/
4889/. It is recommended that with introduction of Class I devices, average fees could be
reduced with comparatively less scrutiny (than Class II devices) and investment of FDA time.
192. 21 C.F.R. § 807.92 (2016).