December 2018

JHM IRB’s Organizational Policy FDA 312/812 establishes the authority of the JHM IRB to review clinical investigations involving test articles subject to Food and Drug Administration (“FDA”) oversight. Some kinds of medical software, including mobile medical applications (“Apps”) may fall under the FDA definitions of medical devices. This guidance assists investigators and IRB members in identifying when various kinds of software come within the FDA definition of a device, and to provide basic data safety guidance, and informed consent guidance, for all software used in human subject research.

Questions that Investigators Should Consider in Protocols to Use Apps or Medical Software:

As a threshold matter, if the App or software function will be the item under evaluation in the study, the investigator should consider whether it may fall within the FDA definitions for a medical device.

I. The Definition of a Medical Device Subject to FDA Oversight

In general, where software functions are intended to provide decision support for the diagnosis, treatment, prevention, cure or mitigation of a disease, they may be medical devices, and any clinical investigation designed to evaluate the safety or efficacy of the software should be conducted in accordance with FDA regulations.

The 21st Century Cures Act substantially revised the definition of “medical device” to exclude from FDA regulation the following kinds of software functions (which may be in app or other software form). If the software or App fits into one of the below categories, it is not subject to the FDA regulations on devices:

a. A software function that is intended ”for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition.” For software that might be directed to lifestyle changes linked to management of a specific, chronic disease or condition, the FDA may exercise oversight discretion. Consult the FDA Digital Health website for examples.

b. A software function that is intended “for administrative support of a health care facility.” Under the Act, in addition to things like processing and maintenance of financial records, claims or billing information, appointment schedules, software that analyzes historical claims data or is used for population health management is also excluded from FDA regulation;

c. A software function that is intended to serve as the electronic patient record; provided that: a) the records are created, stored, transferred or reviewed by health care providers; b) the records are part of an IT system that is properly certified by the ONC Health IT Certification Program (the FDA has indicated it will exercise enforcement discretion on the certification); and c) the software function is not intended for interpretation or analysis of patient records (like medical imaging records). Most apps that are designed to allow patients to access and review their medical records would fall under this exception;

d. A software function that is intended for transferring, storing, converting formats or displaying data and results so long as the software does not interpret or analyze the results;

The FDA has also issued guidance about a specific type of software—“clinical decision support software,” that may be regulated as a medical device. Clinical decision support software may take many forms, and the key inquiry with respect to FDA oversight is whether the software only presents information to a health care professional to inform the independent medical decision making of that health care professional. The FDA has indicated that it will regulate clinical decision support software in cases where the software is not intended to enable the health care professional to independently review the basis for the recommendations provided by the software and exercise his/her own clinical judgment with respect to an individual patient.

The FDA is continuing to revise and issue guidance in this area, and investigators should consult the FDA Digital Health site for the most current guidance: https://www.fda.gov/medicaldevices/digitalhealth/.

II. General Issues Related to Informed Consent for Studies Using Apps

While the specifics of each study are unique, where investigators are using Apps hosted by commercial vendors or other parties outside of JHU, the consent should address any risks that participants should be informed about related to App terms of use. Samples of language that may be appropriate for inclusion are provided below:

This study will use a mobile application to gather information for the researchers as part of this study. This mobile app is provided by [INSERT VENDOR NAME] and there are terms of use that the vendor requires of all users. You should review the vendor’s terms of use and privacy agreement. The vendor may retain some of the data collected through the mobile app, even after the study ends. If you do not want this data collection to continue by the vendor after the study ends, you should deinstall the app. The research team can help explain how to do this.

This study will use a mobile application to gather information for the researchers to use as part of this study. This mobile app is provided by [INSERT VENDOR NAME]. This application can collect information from your mobile phone that would identify your geographic location when data is collected. To help protect your privacy, the research team can help to deactivate the location services if you wish.

This study will use a mobile application to gather information for the researchers to use as part of this study. This mobile app will use the data function on your phone, and, depending on much data you use for other things, you may have data charges.

III. General Issues Related to Data Security for Studies Using Apps and Medical Software

Research data collected via mobile apps is subject to the same data security principles that apply to all human research subject data. Researchers should consider whether data that is collected as part of the app function (e.g. location data) is strictly necessary to the study, and consider stripping that data from the research data set. The Technology Innovation Center at JHM provides guidance on the design of apps intended for use in the health care setting, and investigators should engage with that group for technical guidance.