By: Jonathan C. Young, PhD, MS, CIP, CCRP Senior Research Regulatory Operations Analyst Rush University Medical Center
Abstract: The use of mobile medical devices in clinical research is increasing significantly. This article provides an overview of regulations and guidance related to mobile medical devices including mobile apps. Possible risks and controversy that may arise from the use of mobile medical devices and how to improve submissions to institutional review boards for research involving mobile medical devices are also discussed. Examples of institutional review board review of real studies involving mobile medical devices at Rush University Medical Center are provided.
Disclosure: The author has no professional, personal, or financial conflicts of interest with any of the material that is covered in this article.
The Future of Mobile Medical Devices
Worldwide, mobile health was expected to grow from $5.1 billion in 2013 to $41.8 billion in 2023. This is a huge increase. In 2013, there were more than 97,000 mobile apps related to health and fitness and 52% of all smartphone users gathered health-related information on their phones. Both of these statistics have increased significantly in recent years. The most common types of apps in 2013 were:
- Weight loss apps: 50 million downloads
- Exercise apps: 26.5 million downloads
- Women’s health: 10.5 million downloads
- Sleep and meditation: 8 million downloads
- Pregnancy: 7.5 million downloads
- Tools and instruments for tracking health and getting health information from providers: 6 million downloads.
The growing market for these apps and devices will inevitably translate to more novel research. This article seeks to help ready clinical research and IRB professionals for the deluge of new studies by discussing current regulations and guidelines as well as offering a simple rubric for review of these new app and device studies.
Definition of Mobile Medical Devices
Table 1 highlights definitions related to mobile medical devices. In this article, the terms “mobile medical device” and “mobile medical application” (app) are used interchangeably.
The Federal Food, Drug, and Cosmetic Act 201(h) defines a regulated medical device as: “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals…”
This definition can be distilled down into a mechanical or electrical object that can diagnose, prevent, make less severe, or cure a disease or condition. Examples of simple medical devices that are regulated by the U.S. Food and Drug Administration (FDA) include stethoscopes, tongue depressors, and anti-snoring devices available off the shelf. Drugs such as aspirin, cough syrup, and nasal sprays are also regulated by the FDA. The generally agreed-upon basic difference between a drug and a device is that drugs are chemical in nature and devices are not.
The FDA’s guidance Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff (2015) offers the following definitions related to mobile medical devices. Mobile platforms are “commercial off-the-shelf computing platforms, with or without wireless connectivity, that are handheld in nature.” Mobile platforms include smartphones, smartwatches, Fitbits, iPads, and other small platform devices.
A mobile app is “a software application that can be executed (run) on a mobile platform, …or a web-based software application that is tailored to a mobile platform but is executed on a server.” Even if the app does not compute or maintain the information and is sending it to a cloud server, it can be construed to be a mobile app. Examples of mobile apps are Safari, Angry Birds, and Google Drive.
A mobile medical app is an app that can be run on a mobile platform and is either intended to:
- Be used as an accessory to a regulated medical device, or
- Transform a mobile platform into a regulated medical device.
Thus, there are two tests as to whether a mobile app is a mobile medical app.
Enforcement of Mobile Medical Devices
Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff (2015) lists two types of medical apps: enforced and unenforced (Table 2). Mobile medical apps that pose a risk to patient safety are enforced and must go through the normal regulatory process for devices. The first criterion for enforcement is that a mobile medical app is an extension of a medical device and controls that device, monitors the patient, or analyzes medical data. For example, an app that is downloaded to a smartphone to control a pacemaker in some manner would probably be enforced.
Mobile medical apps are also enforced if they transform by use of attachments, displays, and sensors or provide patient-specific analysis, diagnosis, or treatment recommendations. For example, providing recommendations using data gathered through a device or mobile platform means that the app analyzes personal data and provides a way to control a condition; thus the device would likely be enforced.
Unenforced mobile medical apps pose a low risk to patients. Simple tools to organize and track health information are unenforced. MyFitnessPal, where people can enter the food they eat and see the calories consumed, is an example. Mobile medical apps that allow access to health records are increasing as more medical centers provide electronic health records via apps or servers with apps for browsing. Secondary displays to regulated medical devices, such as an app that displays the heart rate of a patient with a pacemaker but does not control the pacemaker, are another type of unenforced mobile medical app.
Other types of unenforced mobile medical apps:
- Facilitate clinical care by coaching, prompting, or managing
- Provide access to condition or treatment information
- Help patients document potential medical conditions, such as a medical diary app
- Perform simple calculations used in clinical practice, such as a body mass index calculator.
Benefits and Risks of Mobile Medical Devices
Mobile medical apps provide easy access to data. For example, they can be used to pull information from electronic health records for a particular subject. Mobile medical apps also provide access to information on more potential subjects and allow researchers to consent subjects electronically. Institutional Review Boards (IRBs) can be skittish about researchers not meeting the people they consent to participate in studies. This reluctance on the part of IRBs is usually due to a perceived reduction in the quality of the consent process. Mobile medical apps also enable researchers to conduct studies with a larger sample size, which enables them to reach significance more quickly and reduce the cost of a study.
There are many risks and threats to the use of mobile medical apps in clinical research (Table 3). Researchers may want to address these risks and threats in the informed consent form or the protocol before submission to the IRB. Data security and hacking is the first and most obvious risk. Operating system vulnerabilities can be used to hack into the operating system and get information from apps even if the app does not interface with the operating system of the device that is being used. Control of devices is another risk. Using the example of an app to control a pacemaker, someone can hack into the app and turn the pacemaker off. Many people could die if this were to happen, which potentially can be used as a form of terrorism.
Rush University Medical Center has a large orthopedics department, which was using a medical device for joints that interfaced with an app in order to collect health information. IRB discussion at Rush for this particular study focused around hacking into the mobile medical app to steal protected health information. Studies submitted to the IRB should also address this risk of health information theft.
Misuse by subjects and personal devices versus provided devices are other risks and threats of mobile medical apps. In the examples that will be covered in this article, the study team provided the device containing the app to study participants. Thus, people who did not have an iPhone now had an iPhone and could also use it for other activities. The study team could potentially have some form of liability if study participants use the provided device for criminal activities.
If the study team is not providing the device and instead asks study participants to download the app to their own device, there is a potential risk that the app could destroy or damage the device if it is not compatible in some way. As an example, Rush University Medical Center recently required employees to download a new app in order to get their email via a mobile device. This app was reportedly destroying or damaging some peoples’ devices. The cost of devices is another risk, so study teams should preemptively build the potential cost of this risk into the study budget.
Coercion and peer pressure are also risks of mobile medical apps. Enrolling in a study that provides participants with an iPad or iPhone with the app loaded confers a sort of prestige onto the participant. This can create peer pressure to participate. The IRB may interpret this as coercion.
Electronic consent in studies using mobile medical apps is also a risk. Study teams can ask study participants to come into the clinical research site to consent in person before downloading the app or they can ask them to download the app and consent on the app.
If study participants consent on the app, IRBs recommend follow up. For example, the author is participating in an asthma study. He downloaded the app, which provided the informed consent form. After reading the informed consent form, the author had to take a 10-question quiz to ensure that he understood what he had read. At the end of the quiz, the app provided a name and telephone number for any questions. This is a good process; however, it may require alteration of informed consent from the IRB and must be documented appropriately in the IRB application.
Example: Mobile Device A
A graduate student developed an app to relieve nightmares and post-traumatic stress disorder (PTSD). The app was aimed toward veterans with PTSD who have a history of PTSD-induced nightmares. It was designed to be downloaded to an Android device and used with a smartwatch. The app would know whether the person was having a nightmare and send a vibration through the smartwatch to wake the person up or at least jar him/her out of the nightmare.
The graduate student wanted to conduct a study of the app at Rush University Medical Center. He had not thought out the study, however, when he submitted it to the IRB. The IRB had many questions and concerns, including how the study investigators would know if the device woke him/her up during a nightmare and not a normal dream. The protocol did not state this. The IRB was also concerned about privacy because the app interfaced with the electronic health record and downloaded some of that information. The device had some type of artificial intelligence that learned whether a person was having a nightmare. The IRB did not fully understand, through the documentation provided, how the artificial intelligence worked or know whether it was accurate.
The IRB sent the study back to the investigator and asked for more information. The author talked to the investigator, who had helped initiate the study. He said that the graduate student decided to do other smaller clinical trials before this clinical trial. The graduate student was trying to ensure that the machine learning worked before conducting a larger clinical trial.
There is a rubric when reviewing research involving mobile devices:
- Intent of the study
- Whether the device is a regulated medical device
- Whether the device is enforceable
- Security of the data.
The intent of this study was to treat a condition, PTSD. In that case, the mobile device falls under the definition of a regulated medical device. The next question is whether the mobile device is an enforceable device. This is not as clear. Since there is a risk with this device of waking the person during a regular dream or normal sleep and the person not getting enough sleep and perhaps causing depression, it might be enforceable. This was the author’s thinking when he contacted the FDA, which said this was probably not an enforceable device.
Data security is an issue. During the initial IRB review, there was no information about the security of the data or the encryption used. The IRB was also concerned about the efficacy of haptic feedback. Another concern is whether the IRB has the necessary expertise to understand data security on mobile apps, such as a staff member from the technology department. Rush University Medical Center has a staff member from its technology department on the IRB.
Example: Mobile Device B
Purple Robot is an app developed by Northwestern University that is downloaded to a mobile platform and then tracks the person’s location and activities. The app tracks where the person is geographically, what he/she is typing into the phone or device, and how often the person moves, amongst other things. Purple Robot has been proven to effectively determine whether a person is at risk of depression and informs researchers whether the person is at risk for depression.
In this study, researchers wanted people in Chicago who are homeless and who were abused as children to download the app to smartphones, which the study team provided. After the study was completed, participants could keep the smartphones. The first problem was that the study team was providing the smartphones to the study participants. This could create ethical problems and problems controlling the devices, which could easily be stolen. The devices had health information about the study participants, which would be available to anyone who stole the device.
This was a longitudinal study that would send push notifications to the people in the study so they could then do remote sessions with their psychologist. The intent of this study was to treat, mitigate, or perhaps cure this type of psychological distress. Thus, the mobile device falls under the definition of a regulated medical device.
The next question was whether the device was enforceable. If the device stopped working or the person did not get the push notifications, it would not put the person at more risk than the risk of daily life. The author believes that the device was unenforceable.
The IRB needs to worry about the security of the data and the provision of the smartphones and data plans. Whether the study participants would be comfortable being tracked by the app was a concern, and the IRB needed to determine whether the study required a certificate of confidentiality. If a subject is at risk for criminal harm by participating in a study, the study should have a certificate of confidentiality, which protects subjects from having their research information subpoenaed. In this case, the researchers had a certificate of confidentiality from the National Institutes of Health and submitted it with the IRB submission.
Example: Mobile Device C
The third study was also a psychological study, in HIV and substance use. Researchers wanted to adapt the standard of care, the Screening & Brief Intervention (SBI), into an electronic format, using an app that sent the information to a server. Researchers wanted to see if the electronic version of the SBI plus the standard of care was superior to the standard of care only. They would provide study participants with smartphones and data plans.
The intent of the study was to mitigate a psychological condition in the study participants when compared with the standard of care. Thus, the mobile device falls under the definition of a regulated medical device. The next question was whether the device was enforceable. If the device broke or the person did not use it, he/she would still get the standard of care, so it would not harm the study participants. The author believes that the device was unenforceable.
The IRB needs to worry about the security of the data, for example, if the phone was stolen, and the provision of smartphones and data plans. This study used electronic informed consent, which was a concern. The IRB discussed this and did allow the researchers to use electronic informed consent.
Review of Mobile Medical Devices
These three examples illustrate the rubric for reviewing mobile medical devices.
- Determine the intent of the study
- Determine whether the device is a regulated medical device
- Determine whether the device is enforceable
- Assess provisions for the security of the data.
If there is any question about whether a mobile medical device is regulated, it is best to contact the FDA. The 21st Century Cures Act Medical Software Provisions modified the definition of a regulated medical device. Some of the things that are listed as unenforceable are no longer defined as regulated medical devices. The FDA’s guidance Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff (2015) has not been updated yet for consistency with the 21st Century Cures Act.
Considerations before submitting a study involving a mobile medical device for review include whether the IRB has the necessary expertise to review the study. The IRB may not have an expert on data confidentiality or data hacking. It is advisable to contact the IRB office to see if staff members want to find a consultant to help with the review.
IRB review of mobile medical device studies sometimes involves a big brother or creepiness factor. There are discussions about why people want apps to track them. This attitude is changing in the general public. Most people have apps such as Google maps, which track their location. People are getting used to this and are less concerned about geographic location tracking; however, IRBs will most likely be concerned about this.
It is also necessary to determine whether the device is compliant with the Health Insurance Portability and Accountability Act (HIPAA). The graduate student who developed the app to relieve nightmares and PTSD may not have known much about HIPAA, and it is likely that the app was not HIPAA compliant.
The risks related to participating in a study involving a mobile medical device must be disclosed in the informed consent form. The risks must be explained in simple terms so that study participants can understand them. If the IRB is having trouble understanding the protocol, participants will have trouble understanding the study too. It may be necessary to provide extra information or to have someone who understands the app on hand to explain how it works.
Table 4 highlights possible issues in IRB review of mobile medical devices. Assessment of the mobile medical device status is an issue. The FDA can help with this.
Confidentiality of information is a concern. If Rush University Medical Center receives a submission for a study involving a mobile medical device that does not mention encryption, the IRB will send it back to the investigator for more information about data security and encryption.
When preparing to submit a study involving a mobile medical app to the IRB, researchers should pay careful attention to the protocol in general. The IRB is there to help researchers, who should contact their IRB with any questions about review of a mobile medical app study.
The IRB may not know everything about mobile medical apps, and members may need to learn about the apps and regulations pertaining to them. Researchers should inform the IRB in advance that a submission for a mobile medical app study is coming so that the IRB can consider whether the study includes a mobile medical device.
Definitions Related to Mobile Medical Devices
- Regulated medical device:
- Mechanical or electrical object that can diagnose, prevent, make less severe, or cure a disease or condition
- Mobile platform:
- A handheld computing device
- Mobile app:
- Software run on a mobile platform
- Mobile medical app;
- Mobile app that accessorizes or transforms
FDA Enforcement of Mobile Medical Apps
- Enforced mobile medical apps:
- Risk to patient
- Extension of medical device that controls the device, monitors the patient, or analyzes medical data
- Transforms by use of attachments, displays, and sensors
- Provides patient-specific analysis, diagnosis, or treatment recommendations
- Risk to patient safety:
- Unenforced mobile medical apps:
- Low risk to patient safety:
- Facilitates clinical care by coaching or prompting, managing
- Simple tools to organize and track health information
- Provides access to condition or treatment information
- Helps patients document potential medical conditions
- Performs simple calculations used in clinical practice
- Allows access to health records
- Secondary displays to regulated medical devices
Risks and Threats of Mobile Medical Apps
- Data security and hacking:
- Operating system vulnerabilities
- Control of devices
- Theft of protected health information
- Misuse by subjects
- Cost of providing devices and data plans
- Coercion and peer pressure
- Personal device vs. provided device
- Consent/electronic consent
Possible Issues in IRB Review of Mobile Medical Devices
- Assessment of device status
- Confidentiality of information
- Electronic informed consent and risk disclosure
- Provision of devices
- Preparing the IRB for review
- Composition of the IRB
For continued information visit our website to learn more.