chevron-down Created with Sketch Beta.
December 12, 2018 Article

How Did My Watch Become a Medical Device?

By Katrina Long

The announcement on September 12, 2018, that the Apple Watch, Series 4, will have proactive health monitoring, including electrocardiogram (ECG) features, may leave lawyers (and patients) thinking about what the future of health care will look like. The new Apple Watch features a digital crown with built-in electrodes, which, when paired with an ECG app, can read the user’s heart’s electrical signals after only a 30-second touch. Apple touts that the data can warn users when the readings show irregular heart rhythms (arrhythmias) and unusually high or low heart rates. The data could alert users to serious heart problems and, in Apple’s words, serve as a platform for “better-informed conversation[s] about [a user’s] health.”

The “shelves” of app stores are filled with health apps, and regulators are trying to keep pace—applying a risk-based analysis with respect to what and how to regulate everything from step counters to ECGs. Meanwhile, pharmaceutical and medical device manufacturers are looking to use these data sources falling outside traditional clinical trials (in other words, real-world data) to demonstrate the safety, efficacy, and value of their products. This article is a primer on key changes in the United States regulatory environment that helps answer the now blurrier questions: What is a medical device and how can the data it generates be put to use?

Is the Product a Medical Device?

The definition of a medical device—“for use in the diagnosis or other conditions, or in the cure, mitigation, treatment, or preventions of disease,” see Federal Food, Drug, and Cosmetic Act § 201(h)—did not originally contemplate an app store brimming with health apps. Once a product is defined as a “medical device,” a complex set of registration, quality, and reporting regulations attach, depending on the device classification, ranging from Class 1 (requiring the least control) to Class III (requiring the most control, including pre-market approval). The Apple Watch, for example, was cleared as a Class II device. Taken quite literally, many health apps fit within the broad definition of a “device” but do not require extensive regulatory obligations to protect the public health. Of course, competition and consumer protection laws could still apply and protect consumers from false and misleading claims.

In December 2016, Congress passed the 21st Century Cures Act, designed to help accelerate medical product development and bring new innovations and advances to patients faster and more efficiently. One notable change was the exclusion of certain software functions, including “low risk” health technologies, from the definition of “device,” placing those technologies outside the scope of regulation by the Food and Drug Administration (FDA). See 21st Century Cures Act § 3060(a). A year later, in December 2017, the FDA issued draft guidance interpreting the act and clarifying which types of software fall within the new definition of “device” and which fall outside the definition, analyzing software intended for administrative support of a health care facility; maintaining or encouraging a healthy lifestyle; serving as electronic patient records; or transferring, storing, converting formats, or displaying data and results. For example, apps displaying clinical laboratory test data, providing meal planners and recipes, and tracking a normal baby’s sleeping and feeding habits would not fall within the FDA’s regulation. This gives app developers the freedom to design products fitting within these categories without FDA restriction, provided they make sure that their promotional efforts don’t assert functions that would place the products back within the scope of regulation. Some software, however, is still subject to regulation as a “medical device” and is commonly referred to as “software as a medical device” (SaMD). Some examples of SaMD are software that allows a commercially available smartphone to view images for diagnostic purposes obtained from an MRI scan, software that processes images from hardware medical devices for aiding in the detection of breast cancer, or software that provides parameters that become the input for a different hardware medical device or other SaMD.

If a Product Is a Medical Device,
What Criteria Must Be Met for Approval?

For those software functions that do fall within the definition of “device,” the FDA issued guidance in December 2017 specifically pertaining to SaMD. The guidance sets forth risk-based criteria for recommending how a SaMD manufacturer must gather, analyze, and evaluate data, and develop evidence to demonstrate the safety, effectiveness, and performance of the SaMD. For example, the FDA may require evidence of analytical viability, scientific validity, and clinical performance, and may also require independent review of that evidence. The risk level of the product—determined by the significance of the information it generates and the seriousness of the disease it supports—dictates how much independent review and evidence are required for the FDA to evaluate a device.

Cybersecurity also has become an issue that must be addressed as part of the regulatory process and about which the FDA has issued guidance documents relating both to the preapproval stage and the post-approval stage, as risks continue to emerge and evolve. See also FDA, Ctr. for Devices & Radiological Health, Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software. Thus, software manufacturers may also be subject to liability with respect to cybersecurity if they have not implemented adequate protections. To date, cyber attack cases have centered on loss of data or exposure of personal information, but the public has also speculated about the potential for personal injuries that could result if a hacker were able to access and manipulate a medical device. The fear was even dramatized in the TV series Homeland, in which terrorists plotted to kill America’s vice president by hacking into his pacemaker. While not legally binding, the FDA’s guidance documents on cybersecurity (mentioned above) are instructive as to the standard of care and best practices.

How Can Companies Use
Data Generated by These Devices?

Devices with software components are now capturing an unprecedented quality and quantity of data. But this data is not coming from controlled clinical trials that account for variables, such as bias. The 21st Century Cures Act broadly provides for the greater use of this data, as existing laws make it challenging to provide real-world data to payors, who make reimbursement decisions, or to doctors, treating patients. For example, the act sets forth the wide array of health economic data that can be shared with payors to make reimbursement decisions, requiring a less stringent standard of “competent and reliable scientific evidence.” See 21st Century Cures Act § 3037. It also clarifies the definition of health care economic information (HCEI), which includes “any analysis (including clinical data, inputs, clinical or other assumptions, methods, results, and other components underlying or comprising the analysis) that identifies, measures, or describes the economic consequences.”

A relatively recent FDA guidance, Drug and Device Manufacturer Communications with Payors, Formulary Committees, and Similar Entities—Questions and Answers (June 2018), further addresses questions that relate to communications with payors. Notably, the final version of the guidance clarifies that the safe harbor for manufacturers to provide HCEI extends to investigational products and new uses of legally marketed products for both drugs and medical devices. The guidance also expands on the definition of “competent and reliable scientific evidence” (mentioned above), noting it must be developed using generally accepted scientific standards, appropriate for the information being conveyed, that yield accurate and reliable results. Plus, this evidence should be accompanied by information such as study design and methodology, generalizability, limitations, sensitivity analyses, and information relevant to providing a balanced and complete presentation.

As for providing information to doctors, the regulatory regime was previously restrictive and created uncertainty on how to communicate real-world data. Despite well-founded First Amendment challenges to truthful, non-misleading speech, see, e.g., Amarin Pharma, Inc. v. FDA, 119 F. Supp. 3d 196 (S.D.N.Y. 2015), the FDA’s position is that the Food, Drug, and Cosmetic Act prohibits dissemination of information that is not contained in the product’s approved labeling. However, the FDA did provide some additional guidance, without conceding (or even referencing) these First Amendment issues. A separate guidance, entitled Medical Product Communications That Are Consistent With the FDA Required Labeling—Questions and Answers, focuses on recommendations for conveying information to physicians that is not contained in the approved product labeling in a truthful and non-misleading way, consistent with the FDA-required labeling. Perhaps most importantly, the guidance provides suggestions for ensuring that the communications are not considered false or misleading. The suggestions include prominently disclosing study design and methodology for any studies relied on, accurately characterizing and contextualizing the relevant information about the product, and including data or information from the FDA-required labeling when presenting other data or information related to what is represented in the labeling (to provide the audience appropriate context). Further, any data, studies, or analyses relied on should be “scientifically appropriate and statistically sound” to support the representations made in the promotional communication. Accordingly, real-world data may qualify as “scientifically appropriate and statistically sound” for purposes of these communications consistent with FDA-required labeling.


The digital health revolution will continue as new technologies are developed, and new legal issues associated with the regulation of those technologies and the data that they generate will follow. The regulatory landscape leaves open some questions, but new developments like the 21st Century Cures Act and corresponding guidance from the FDA provide an initial road map to approach these complex issues in the digital health age.

Katrina Long is an associate director at Regeneron Pharmaceuticals, Inc. in Philadelphia, Pennsylvania.

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).