There’s an App for...

Post on 26-Mar-2020

1

There’s an App for That! April 13, 2015

Colleen J. Hittle, RAC | Managing Director | Navigant Consulting, Inc.

Sharon R. Klein | Partner | Pepper Hamilton LLP

DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

2

Conflict of Interest

Sharon R. Klein has no real or apparent conflicts of interest to report. Colleen J. Hittle, RAC, has no real or apparent conflicts of interest to report.

3

Learning Objectives

• Explain what kinds of health care applications are currently regulated and what kinds may be in the future

• Define the current Federal regulatory landscape, including FDA, FTC, and OCR

• Define policies, procedures, training, and compliance strategies to mitigate regulatory risks

• Discuss protocol for taking a mobile medical application through the regulatory process — quality manufacturing practices including risk assessment as well as privacy and security by design

• Explain practical tips for handling PHI in mobile medical applications throughout the cycle of collection, transmission, storage, and destruction of PHI

4

An Introduction to the Benefits Realized for the Value of Health IT

This presentation addresses the following HIMSS value STEPS™:

T = Treatment/Clinical: Improvement in treatment/clinical outcomes should be achieved by wellness and health applications being in the hands of the consumer/patient.

E = Electronic Information/Data: Electronic Information/Data is the foundation of mobile medical applications. A pre-requisite of data sharing is privacy and security best practices.

P = Prevention: Many health applications are centered around prevention and patient education. The more a patient takes control of his/her health problems, the better health outcomes can be achieved.

S = Savings: Savings will be realized when patients with chronic conditions such as diabetes are engaged in managing their own health through applications.

http://www.himss.org/ValueSuite

5

Today’s Topics

• Mobile Health

• Regulatory Framework

• Compliance Processes

• Questions

6

Mobile Health

7

Mobile Health: A Brave New World Of Regulation

Proliferation of smart medical devices comes with vulnerabilities and a confusing web of regulations

• Cybersecurity incidents increasingly likely in wireless and network-connected devices transferring data electronically

• With increased risk comes increased regulation

8

Expansion Of Regulatory Purview

• Regulatory overlap

• Mobile health and medical devices are subject to multiple privacy/security regulations

– Food and Drug Administration (“FDA”)

– Federal Communications Commission (“FCC”)

– Federal Trade Commission (“FTC”)

– Department of Health & Human Services Office for Civil Rights (“HHS/OCR”)

– State Law

9

It’s a Regulatory Spider’s Web…

FTC

HHS/OCR

ONC

FDA

States

FCC

10

… that can complicate an App very quickly!

FTC

HHS/OCR

ONC

FDA

States

Securities/Shareholder Lawsuits

Regulators

Individual Plaintiff

Class Action

Media

Loss of Trust

Customer Loss

Fines

Civil Penalties

Sales/Profit Loss

HR Issues

Audits

Investigations

Remediation

FCC

11

Regulatory Framework

12

Regulatory Framework

• HIPAA/HITECH/Omnibus Final Rule

– Covered Entities

– Business Associates & Subcontractors

– Focused on Protected Health Information

• Protected Health Information or PHI is “individually identifiable health information” (IIHI), including demographic information collected from an individual, that:

– is created or received by a CE

– relates to the health of an individual

HHS – Office for Civil Rights

13

Regulatory Framework

Breach Reporting

Privacy Rule

– Patient Access

– Permitted disclosures for FDA regulated activities

– Sale and marketing of information

– Research

Security Rule

– Risk assessment

– Technical, Physical, Administrative Safeguards

– Policies & Procedures

HHS – Office for Civil Rights

14

Regulatory Framework

Non-HIPAA Regulated Medical Data

• Information sharing not from CE

• Wellness Tracking

• Data to person directly from medical device

• Mobile medical applications

15

Regulatory Framework

• Congress has been unable to pass a Federal Privacy Bill

• Protecting Consumer Privacy in Era of Rapid Change (Report, Mar 2012)

• Mobile Privacy Disclosures, Building Trust Through Transparency (Report, Feb 2013)

• Internet of Things – Privacy & Security in a Connected World (Report, January 2015)

Federal Trade Commission

16

Regulatory Framework

• Protecting Consumer Privacy in Era of Rapid Change (Report, Mar 2012)

– Privacy by Design:

• Promote privacy throughout the organization and at every stage of development of products and services

• Delete consumer data no longer needed and allow consumers to do the same

• Provide reasonable security for data

• Limit collection of data (consistent with context of particular transaction)

• Implement reasonable data retention and disposal policies

• Maintain reasonable accuracy of data

Federal Trade Commission

17

Regulatory Framework

• Protecting Consumer Privacy in Era of Rapid Change

– Simplify Consumer Choice:

• Provide Consumer choice for any communications not related to original transaction

• “Do Not Track” mechanisms allow consumer to control collection and use of their online data

• Certain choices require consumer to “opt in”

– Improve Transparency to Consumers:

• Clearer and shorter privacy notices

• Provide access to consumer data

• Educate consumers about company’s data privacy practices

Federal Trade Commission

18

Regulatory Framework

IOT – Benefits of Mobile Devices

Connected health devices can “improve quality of life and safety by providing a richer source of data to the patient’s doctor for diagnosis and treatment[.] . . . improve disease prevention, making the healthcare system more efficient and driving costs down[,] . . . [and] provide an incredible wealth of data, revolutionizing medical research and allowing the medical community to better treat, and ultimately eradicate, diseases.”

Comment of Consumer Elec. Ass’n, #484 cmt. #00027 at 16.

19

Regulatory Framework

• Regulates the airwaves

• Wireless technology issues

• Wireless co-existence with electromagnetic compatibility

• Root cause analysis of problems with connectivity

• 802.11 wireless data security not robust

Federal Communications Commission

20

Regulatory Framework

• Mobile Medical Applications (Final Guidance, Sep 25, 2013)

– Software as a Medical Device

– FDA intends to regulate mobile medical software that poses a threat to public safety

– The key regulatory factor is the intended use of the mobile health application

– Software application is what it claims

Food & Drug Administration

21

Regulatory Framework

• Mobile Medical Applications

– Regulated Applications:

• Extending the medical device to control the device or to display device data

• Using attachments, screens, sensors to transform a mobile platform into a medical device

• Performing patient specific analysis

• Assisting with diagnosis or treatment recommendations

Food & Drug Administration

Visual Acuity Test

22

Regulatory Framework

• Mobile Medical Applications

– Non-Regulated Applications

• Supplementing clinical care by helping patients manage their health

• Providing patients with tools to organize/track health information

• Providing easy access to patient’s health conditions

• Helping patients document or communicate medical information to providers

• Performing simple calculations used in clinical practice

• Enabling individuals to interact with Personal Health Records (“PHRs”) and Electronic Health Records (“EHRs”)

Food & Drug Administration

EHR / PHR

23

Regulatory Framework

• Remote Urine Analyzer—FDA regulated

– Uses mobile phone to

• analyze reagent dipstick

• communicate with analyzer device

– Intended Use

• extension of medical device analyzer

• efficient remote way to analyze dipstick

Food & Drug Administration

24

Regulatory Framework

• Wellness Tracking—Not FDA regulated

– Uses mobile phone to

• track steps

• monitor sleep

• bio feedback

– Intended Use

• fitness information

• lifestyle changes not part of treatment

Food & Drug Administration

25

Regulatory Framework

• Mobile Diabetes Manager—FDA regulated

– Uses mobile phone to

• input data about glucose level

• communicate with provider

– Intended Use

• medication adherence

• treatment plan

• data analytics

Food & Drug Administration

26

Regulatory Framework

• Mobile Medical Applications

– Regulatory Requirements

• Establishment Registration and Medical Device Listing

• Investigational Device Exemption requirements

• Labeling requirements

• Premarket submission for approval or clearance

• Quality System Regulation

• Medical Device Reporting (Adverse event reporting)

• Correcting Problems

Food & Drug Administration

27

Compliance with FDA Regulatory and Quality Systems

28

Bringing a regulated app to FDA

• If you’re reasonably confident in your pathway:

– Request an alignment meeting with FDA to outline approval strategy

• FDA Guidance Documents govern, but typically held within 60 days of request

– Telecon, face to face, written response

• Provides non-binding feedback on approval pathway, predicate selection if applicable, feedback on clinical studies and overall validation of performance data strategy

29

Bringing a regulated app to FDA

• If you’re NOT confident in your pathway:

– File a 513(g)

• 60 day review, minimal filing fee

• Provides non-binding feedback on whether or not the product is regulated, and how

• Most successfully executed when the submitter presents a strategy and asks for comments

30

SOFTWARE AS A MEDICAL DEVICE

(1) 2008 comprehensive survey on benchmarking commissioned by The Global Benchmarking Network. Over 450 organizations responded from over 40 countries.

(2) European Centre for Best Practice Management 2010 Research Paper (RP-ECBPM/0005)

Software Type | Classification

Lab Information Software | Class I

Medical Device Data Systems | Class I

Blood Banking Software | Class II

Imaging Software (Radiology) | Most are Class II

Drug Dosing Calculator | Class II

Software for Diagnosis/Treatment | Class II

Medical Computers and Software for Ophthalmic Use | Class III

Medical Computers and Software | Unclassified

Software that Controls a Device | Firmware

31

UNDERSTANDING RISK

BMI calculator

Trending algorithm for determining next clinical action

Radiation dose calculator

Medical image analyzer for disease/anomaly detection

Medication reminder

Drug-drug interaction/ allergy verification

Cancer treatment recommendation

Complex analyzer for untrained user

Risk spectrum: Low Risk → High Risk

Influenced by:

• General acceptance

• Pervasiveness

• Complexity

• Extent of Reliance

32

510(k) clearance process

• Predicate selection

• Intended Use

• Validation data

• Labeling

• Performance Data

• Software details

33

Mobile MIM – medical image software (K103785)

Mobile MIM is a professional use diagnostic imaging app for the iPad®, iPhone®, and iPod touch®

Mobile MIM provides wireless and portable access to medical images

Review X-rays and ultrasounds as well as SPECT, PET, CT and MRI

This device is not intended to replace full workstations and should be used only when there is no access to a workstation

This device is not to be used for mammography

http://www.mimsoftware.com/products/mobile/

34

AliveCor ECG

A clinical-quality, low-cost mobile, single-lead ECG device

Can send GPS data with ECG and accelerometer and gyroscope readings from phone

Available for sale. Recently cleared for sale as a medical device in the USA (K122356)

http://alivecor.com/

35

ResolutionMD Mobile – radiological image processing

Delivers anytime, anywhere full-functionality advanced visualization of medical images without storing patient data on the mobile device

ResolutionMD Mobile is approved by Health Canada and CE Mark for diagnostic use

Calgary Scientific also has FDA clearance for ResolutionMD Mobile within the United States (K111346)

Product requires access to a configured ResolutionMD Server

Web version cleared in April 2012 (K120076)

http://itunes.apple.com/ca/app/resolutionmd-mobile/id354551580?mt=8

36

iVitals

Manual entry of healthcare information

Demonstration highlights cardiovascular and diabetes information and trend reports/graphs

http://myvitalsigns.com/

37

MBC Burn Care

Stand-alone and interactive tool developed by Euro-Mediterranean Council for Burns and Fire Disasters for the Emergency/Critical Care Burn Management

It is intended to be a support for non-specialized medical staff of emergency wards, peripheral hospitals and general medicine

App allows rapid calculation of %TBSA and the personal fluid requirements considering all patient’s data (adult & child)

http://itunes.apple.com/app/mbc-burn-care/id539490121?mt=8

38

iStethoscope Pro

Turns your iPhone into a stethoscope, allowing you to listen to your heartbeat and see your heart waveform, or listen to other quiet sounds around you

The professional version includes the ability to see and email a spectrogram of the audio, shows tips and information, and has no advertisements

Please note that this app is intended to be used for entertainment purposes and as a demonstration of the technology. It is not intended to be used for the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease and should not be used as a medical device

http://itunes.apple.com/us/app/istethoscope-pro/id322110006?mt=8

39

Medi-Calc

Allows the user to calculate the proper medication infusion rate

Since it is based on infusion rates, (i.e. mcg/kg/min), not specific medications, it is versatile enough to be used with ANY medication

To be used in all clinical environments: EMS, Emergency Department, ICU, medical offices and even veterinary medicine

Also included are weight and temperature conversions, common pediatric calculations, medication bolus calculations, and the Parkland Burn Formula for fluid resuscitation

http://itunes.apple.com/kz/app/medi-calc/id529797939?mt=8

40

Easy ECG

Application that helps the user interpret cardiac rhythms in Lead 2 by having the user answer a series of simple questions based on the presence, absence, or measurement of various characteristics on a patient’s ECG printout

While it is intended for case review or studying, EasyECG is written to be easy enough to allow someone with no ECG training whatsoever to interpret an ECG rhythm

http://itunes.apple.com/kz/app/easy-ecg/id400719632?mt=8

41

Infuse

A medication infusion and bolus calculator built for healthcare providers of all backgrounds. Infuse provides you all the tools you need to quickly calculate drug dosing whether by infusion or bolus.

Medications are able to be added, edited and removed and even remain editable once selected so that the specific concentration or dose/rate can be adjusted.

Bolus section adds items such as route, frequency and duration of administration.

15 common drugs are included to get you started with more coming in future updates.

http://itunes.apple.com/kz/app/infuse/id312617951?mt=8

42

Quality System challenges

43

Design Documentation Considerations

• Development activities must be documented

• This needs to start early in the process

– Validation

• Software version control

– Documented process

• Training, Supplier Controls

44

Practical Takeaways

45

Practical Takeaways

• Appoint committee to monitor relevant regulatory guidance

• Educate developers of mobile medical applications when regulatory line(s) are crossed

• Keep software separate from regulated medical devices

• Follow and document privacy/security and quality principles

• Take precautions to eliminate malware contamination

46

Practical Takeaways

• Monitor network connectivity for misuse

• Perform and update risk analysis for security/privacy

• Develop incident response programs especially for life sustaining devices

• Obtain consent for collection of personally identifiable information

• Look for common compliance principles across regulatory agencies

• Document compliance with privacy/security criteria

47

A Review of Benefits Realized for the Value of Health IT

This presentation addressed the following HIMSS value STEPS™:

T = Treatment/Clinical: Improvement in treatment/clinical outcomes should be achieved by wellness and health applications being in the hands of the consumer/patient.

E = Electronic Information/Data: Electronic Information/Data is the foundation of mobile medical applications. A pre-requisite of data sharing is privacy and security best practices.

P = Prevention: Many health applications are centered around prevention and patient education. The more a patient takes control of his/her health problems, the better health outcomes can be achieved.

S = Savings: Savings will be realized when patients with chronic conditions such as diabetes are engaged in managing their own health through applications.

http://www.himss.org/ValueSuite

48

Questions?

Sharon R. Klein Pepper Hamilton LLP kleins@pepperlaw.com 949.567.3506

Colleen J. Hittle, RAC Managing Director Navigant Consulting, Inc. colleen.hittle@navigant.com 317.228.8730