The Burgeoning Of The mHealth App Market And The Emergence Of U.S. And EU Regulation In Response
Authors:
- Jodi G. Daniel: Partner at Crowell & Moring and CHS Managing Director, Washington, D.C.
- Anne Elise Herold Li: Partner at Crowell & Moring, New York
- Jurgen Figys: Senior Counsel at Crowell & Moring, Brussels
- Wietse Vanpoucke: Associate at Crowell & Moring, Brussels
Introduction
The proliferation of the market for mobile health applications (mHealth apps) in the United States (U.S.) and the European Union (EU) has left regulators trying to keep pace with this fast-emerging market, which has led to a complex and dynamic legal landscape that can be difficult for businesses to navigate. The legal complexities are further exacerbated by the overlapping (and sometimes contradictory) regulating government agencies across the globe, which creates a particularly tricky situation for mHealth solutions because they enter local markets through non-traditional channels, such as the internet and social media, in some cases before regulators are even aware that they exist.
mHealth apps – what’s in a name?
mHealth is a concept that is generally used to refer to the use of wireless devices and mobile applications in the context of fitness, wellness, or patient health.
For instance, popular mHealth apps often use gamification to encourage adherence to exercise and diet goals. Such apps are designed for anyone attempting to cut or increase calories and allow monitoring of caloric intake. Another example is the group of apps focused on recovery and rehabilitation that provide personalized and evidence-based treatment for hip and knee arthroplasty and bariatric patients. These mHealth companies can leverage multidisciplinary teams to follow their patients remotely and continuously monitor and evaluate their progress as well as their health status. Apps such as these have helped countless patients work towards healthier lives and positive treatment outcomes. But who is monitoring the monitors?
A complex and dynamic legal landscape
Regulatory qualification
Broadly speaking, there are two main categories of mHealth apps: fitness and wellness apps – those that have the general aim of improving people’s lifestyle – and medical apps that are intended for medical purposes. Determining which type of app you have is the first step.
Traditionally, fitness and wellness apps were not regulated in the U.S. or in the EU as medical devices. However, recent changes in both jurisdictions have resulted in an increasing number of mHealth apps qualifying as “medical devices” and, therefore, they have become subject to changing and complicated requirements. In the U.S., if an mHealth app qualifies as a medical device under the Food, Drug, and Cosmetic Act, it may require pre-market notification or approval and compliance with other FDA regulatory requirements (including listing, labeling, and quality system management requirements) or it may be subject to regulatory “enforcement discretion”. In the EU, the Medical Device Regulation applies, which means that all medical apps must comply with the rules on CE (“conformité européenne”) marking prior to being placed onto the EU market. These requirements are intended to ensure a high level of safety and health while still supporting innovation.
Processing of health data
mHealth apps often collect and process large amounts of data to provide qualitative services, and that data is sometimes transferred from the U.S. to the EU and vice versa. If this data is personal data (e.g., a person’s name) or health data (e.g., a person’s glucose levels), then businesses must be aware that this may subject that data to specific obligations, which vary depending on the applicable legal regime.
In the U.S., federal privacy regulation is industry-specific. The Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA privacy and security rules might apply to mHealth apps depending on the entity that holds the data. If HIPAA does not apply, the Federal Trade Commission may have authority over the mHealth app. There is also a growing number of U.S. states that have privacy laws that may impose rules on data in mHealth apps not covered by HIPAA. The EU General Data Protection Regulation (GDPR), which is more stringent than U.S. federal privacy regulation, aims to protect data belonging to EU citizens and, as a consequence, applies to businesses that handle such data irrespective of whether they are EU-based. This means that not only EU-based businesses must comply with these stringent requirements but also U.S. businesses that process data of EU citizens. Therefore, businesses should familiarize themselves with the GDPR’s “extra-territorial” application and ensure compliance to avoid possible fines.
Cybersecurity
Considering the quantity and sensitive nature of the data being processed, the mHealth industry is particularly vulnerable to cyber incidents (e.g., unauthorized access or accidental loss) and cyber-attacks (e.g., hacking or ransomware). Businesses are required to implement adequate technical and organizational measures (e.g., encryption) to safeguard any data or confidential documents stored.
To boost the overall level of cybersecurity in the U.S. and the EU, lawmakers and regulators have adopted several laws and provided guidance intended to improve the resilience and incident response capabilities of businesses while helping them to build stronger IT infrastructures. These laws include, amongst (many) others, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the recently adopted Consolidated Appropriations Act (which improves cybersecurity of medical devices) in the U.S., and the NIS2 Directive, the Medical Device Regulation (Annex 1) and the GDPR in the EU.
Intellectual property
mHealth apps are multilayered products with different features, each of which might be protected by multiple layers of intellectual property rights, including copyrights. In both the U.S. and the EU, copyright law protects the software source code and object code as works of authorship, and databases as compilations, provided that the originality criterion is met. However, the interpretation of this criterion depends on the jurisdiction. Whereas the U.S. requires a “modicum of creativity”, in the EU, originality exists provided that, e.g., the object code represents the author’s “own intellectual creation” and reflects the author’s “personality” and “free and creative choices.” Therefore, the threshold for copyright protection is lower in the U.S. than in the EU.
In both the U.S. and the EU, copyright protection is extensive and lasts for the life of the author plus an additional 70 years. Notably, unlike the EU, the U.S. has a formal process to register copyrights, and this is a prerequisite for commencing copyright infringement proceedings.
In addition, while both the U.S. and EU have patent protection, this differs dramatically between the two jurisdictions. In the U.S., the patent laws were last amended in 2012, which means the majority of governing law for patent protection of mHealth products is actually based on the interpretation of those laws by the U.S. court system. For example, the Supreme Court’s decision on what is even patentable in the U.S. changed dramatically in its Alice holding. As such, these interpretations are subject to dramatic shifts that implicate an mHealth company’s business. In the EU, pursuant to the European Patent Convention, a computer program is patentable if the patent contains at least one claim that is technical in nature (i.e., a technical solution to a technical problem). So, mHealth companies should consult professionals in both jurisdictions prior to launching an mHealth app to ensure maximum IP protection for their product.
Product liability
Liability usually arises when mHealth apps are not performing as promised. This may occur when inaccurate claims have been made about their capabilities (e.g., suggesting that an app can detect symptoms of certain types of skin cancer). In a worst-case scenario, liability might arise as a result of bodily injury or physical harm to a patient (e.g., when the mHealth app is used as part of an intervention).
In addition to the general regimes covering contractual and extra-contractual liability, the possibility of product liability must be considered. In both the U.S. and the EU, everyone in the supply chain is at risk of being held liable: manufacturers, distributors, suppliers, retailers, and anyone who puts mHealth apps onto the U.S. or EU market. Although a party claiming damages must demonstrate a defect in the product, that damage has been caused, and that there is a causal link between the defect and the damage, they do not need to establish fault (e.g., of the manufacturer).
Conclusion – What do these regulations mean for your business?
Entering the mHealth app market in the U.S. and the EU means entering a highly complex and regulated industry. Companies will need to adapt market strategies to reflect the specific regulatory framework that governs their mHealth apps, including fitness and wellness apps and medical apps that are medical devices. This can be challenging for businesses such as tech companies and start-up ventures that may not be familiar with the complicated and industry-specific legislation that affects the pharmaceutical industry and must be considered in the strategic development phase of any new or modified mHealth product or service.
Regardless of whether a business intends to enter the mHealth app market in the U.S. or the EU, companies will need to invest in compliance (e.g., as concerns data protection and privacy, cybersecurity and product safety) in order to avoid potential liability, and always bear in mind the extra-territorial scope of the relevant regulations.
The Editorial Team at Healthcare Business Today is made up of skilled healthcare writers and experts, led by our managing editor, Daniel Casciato, who has over 25 years of experience in healthcare writing. Since 1998, we have produced compelling and informative content for numerous publications, establishing ourselves as a trusted resource for health and wellness information. We offer readers access to fresh health, medicine, science, and technology developments and the latest in patient news, emphasizing how these developments affect our lives.