During the July 25th opening session of the 4th mHealth World Congress held in Boston, a heated discussion highlighted the level of interest in the upcoming FDA mobile app guidance, and the agency’s regulation of other new healthcare technologies.

According to Bakul Patel, MS, MBA, a policy advisor with the FDA’s Center for Devices and Radiological Devices, the regulatory agency must strike an appropriate balance between encouraging innovation and promoting public health and ensuring that patients are given the same level of confidence in mHealth tools as they are in other FDA-regulated medical devices. This is a difficult challenge, said Patel.

Brad Merrill Thompson, JD, the general counsel to the mHealth Regulatory Commission, said that an in-house study of 100 mHealth apps found that 8% definitely needed regulation, 56% likely wouldn’t need it, and 36% fell into an ambiguous gray zone that may require regulation. Whether an app will attract the FDA’s attention and require regulation will also depend to a large degree on the promotional language it uses, said Thompson. Some health apps are moving away from language like “improve” and “monitor” to claims of diagnosis, a move that would certainly be more likely to attract the attention of the FDA, according to Thompson.

The final draft of the FDA mobile app guidance is expected this fall, and most likely it will extend to health apps with diagnostic claims and other clinical decision support (CDS) functions. The FDA’s Patel also stated that the agency is working on a CDS guidance that will have big implications for the EHR ecosystem.

Security and privacy in mHealth apps were also big topics of discussion during the opening session. David Harlow, JD, MPH of the Harlow Group, a Massachusetts law firm specializing in healthcare, said that a significant problem in determining appropriate security requirements is the alphabet soup of federal agencies involved in privacy and security that want to exert control over mHealth.

Escavo has reported on some of the agencies in this alphabet soup in a previous posting on this blog. Ultimately, we believe that applying the sound software security principles and solid human resource and physical security policies already used in other non-health sectors should be sufficient to satisfy the regulatory requirements imposed by healthcare agencies.