Medical Devices in the App Store? U.S. Regulation of Mobile Medical Applications

By Gregory T. Measer

August 20, 2021 | Articles

Since the start of the COVID-19 pandemic, more people than ever have downloaded and used mobile applications, or apps, to communicate with their doctors, manage prescriptions, and streamline much of the healthcare activity traditionally done in hospitals and clinics. “Vaccine passports” included as part of a mobile phone’s digital wallet may soon be the norm to verify one’s vaccination status for international travel or attendance at large events.  What once seemed novel is now commonplace as “digital health” technology has exploded across the U.S. and Canada. 
With the proliferation of mobile medical apps on the market, one would be hard-pressed to find someone who has not used an app to count their steps, track their sleep, manage their diet, or improve their general health and wellness. Technology growth has enabled apps to be capable of more and more each year. Canada’s digital health market has seen unprecedented growth as Canadian-based digital health startups raised substantially more funding in 2020 than in 2019. 
It is critical for developers and manufacturers to assess, however, whether their apps are not merely unregulated software functions but rather regulated medical devices.
As often happens, while technology growth proliferates laws and regulations struggle to catch up. Rather than creating entirely new regulatory schemes, the U.S. Food and Drug Administration (“FDA”) and Health Canada have attempted to fit software functions, including mobile medical apps, into their existing regulatory structures. This has caused confusion given both agencies’ broad definitions of “medical devices.” 
While classification of a device varies between the U.S. and Canada, both define a “medical device” broadly as an instrument intended for the diagnosis, treatment, or prevention of disease that does not achieve its primary purpose through chemical action. Many, if not all, mobile medical apps could fall into this definition, no matter how innocuous. After passage of the 21st Century Cures Act, the U.S. exempted several software functions from the “medical device" definition, including those intended to maintain or encourage a healthy lifestyle that are unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition. However, it would be impossible to enumerate all potential software functions in statute. 
To address industry and consumer confusion, both the FDA and Health Canada issued guidance documents in 2019 outlining their respective approaches to regulatory interpretation of “device software functions,” including software as a medical device, software in a medical device, and mobile medical apps. In an effort to improve harmonization, both countries have joined as members to the International Medical Device Regulators Forum (“IMDRF”) and have adopted the IMDRF definition of “Software as a Medical Device” as "software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device." 
The FDA has taken a streamlined regulatory approach, categorizing software functions into three distinct groups: (1) not a medical device; (2) a medical device, but not subject to FDA enforcement; and (3) a medical device subject to FDA enforcement. The FDA only intends to apply regulatory oversight to software functions that are medical devices and whose functionality could pose a risk to a patient’s safety if the device were to not function as intended. It is possible then that an app could be a medical device, but the FDA has chosen to exercise enforcement discretion in not regulating it as such. 
For software functions that are considered medical devices, the FDA’s specific regulatory focus is on software functions that: 
  1. are an extension of one or more medical devices by connecting to such devices for the purpose of controlling the device or analyzing the device data (e.g., mobile apps that control delivery of insulin); 
  2. transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors, or by including functionalities similar to those regulated medical devices (e.g., a glucose meter attachment on a mobile phone); and
  3. become a regulated medical device by performing or providing patient-specific analysis, diagnosis, or treatment recommendations (e.g., device that calculates or creates a dosage plan for radiation therapy).  
On the other hand, the FDA does not intend to enforce device requirements on software functions that help patients manage diseases or conditions without providing specific treatment suggestions, or those that automate routine tasks for health care providers. For example, mobile apps that perform simple calculations, such as BMI trackers, nutrition coaching, or medication prompts, would not be subject to regulation. The FDA has published a long list of examples as appendices to their guidance, which help to outline their enforcement focus.[1]
If the FDA chooses to regulate a company’s software function as a medical device, the company will need to obtain the appropriate agency approval, licensure, or clearance prior to marketing the device. The company may also need to satisfy specific registration and listing requirements, and any other regulatory requirements applicable to a device’s manufacturer or distributor. Failure to follow these steps could pose a significant risk to consumers and result in enforcement activity by the FDA such as issuance of a warning letter, seizure, injunction, or even criminal prosecution. For particularly egregious violations of the Federal Food, Drug, and Cosmetic Act misdemeanor fines may reach up to $500,000.
The FDA’s interest in the regulation of software functions has increased significantly in recent years. Over 250 digital health products have been authorized, cleared, or approved by the FDA since 2017. The FDA created a precertification program for software technologies through its Digital Health Center of Excellence to inform development of a more streamlined regulatory model in the future. In April 2021, the FDA authorized the marketing of an artificial intelligence (“AI”) device that uses machine learning in  
screening for colon cancer. Similarly, legislation passed in 2019 gave Health Canada a “regulatory sandbox” through which the agency can experiment with the intricacies of AI regulation.  
For companies with devices that fall into a regulatory gray area of enforcement, it is important they seek assistance to assess the device’s regulatory status and the potential risks associated with marketing it to consumers.  No matter what the future holds, mobile medical apps are here to stay, and as companies and products evolve, the regulatory landscape will too. 
Key Takeaways 
  1. Unprecedented Growth. Digital health technology, and mobile medical apps in particular, are experiencing unprecedented growth and are here to stay. 
  2. Regulatory Landscape. The U.S. and Canada have issued guidance documents and provided enforcement examples to try to clarify a broad and confusing regulatory space. 
  3. Marketing Matters. An app that “treats” or “diagnoses” or “cures” a specific disease or condition will be regulated differently than one that “improves” or “tracks” general health and wellness. 
  4. Risk Awareness. If app misuse or malfunction can cause significant risk to the health and well-being of a user, then it is likely to be treated as a regulated device. 
  5. Mind the Border. While the FDA and Health Canada have published many examples of the types of software functions that may be subject to regulation, both agencies have left ambiguity in their respective regulatory approaches. When moving between the Canadian to U.S. market, it is important to assess whether and how your product will be regulated in each country. 

Gregory T. Measer focuses his practice on assisting clients with matters involving FDA regulatory compliance, medical product research and development, public health law, and healthcare transactions. 

Prior to joining Lippes Mathias, Mr. Measer was a Regulatory Counsel with the FDA where he worked on legal and policy issues related to research, development, and availability of investigational medical products, and advised on legislation involving medical countermeasures and emergency preparedness and response. 
For more information on this topic, please contact Gregory T. Measer ( or Thomas J. Keable ( at 716.853.5100. 

[1] See FDA Policy for Device Software Functions and Mobile Medical Applications (September 27, 2019), available at
This website uses cookies to enhance user experience and to analyze traffic. To learn more about cookies and how we use them, please review our Privacy Policy. To continue use of this website, you must provide your consent to its use of cookies by clicking the "Accept" button.