CE marking for health and medical apps?
Regulatory requirements for manufacturers and 'placers on the market' of health apps
The 'new' Medical Device Regulation (Regulation (EU) 2017/745), which came into force in May last year, throws up the question of what regulatory treatment so-called health or medical apps are to receive as compared with so-called lifestyle apps. Software with a medical intended purpose is subject to the regulations that apply to medical devices. It thus requires a CE marking as a matter of basic principle before it can be placed on the market in the EU. The actual requirements are derived from the respective classification in accordance with the MDR, and that in turn depends on the risks the user may potentially incur when actually using the software.
'Mobile applications' are software applications that run on mobile platforms (hand-held computers). Characterisation as a 'medical device' or 'non-medical device' is determined according to the intended purpose as defined by the manufacturer. Apps with a clearly therapeutic or diagnostic – medical – intended purpose, for example that of reading values off other medical devices, warning of interactions between medicines or identifying their dosage, can clearly be classified as 'medical devices'. By contrast, apps without that kind of intended purpose, for example apps which merely reproduce the contents of specialist literature word for word, are 'non-medical devices'. And then there are apps which are difficult to classify: it has to be decided from case to case whether or not apps which provide assistance in everyday life and definitely do have a medical connection (for example by reminding the patient to take his or her medication or providing assistance in the documentation of blood parameters or BMI calculations) are 'medical devices'.
What is always more essential to classification is the intended purpose of the app as declared by the manufacturer (Art. 2 (12) of Regulation (EU) 2017/745: Intended purpose means the use for which a device is intended according to the data supplied by the manufacturer on the label, in the instructions for use or in promotional or sales materials or statements and as specified by the manufacturer in the clinical evaluation). However, the fact is that qualification as a medical device, which must as a matter of necessity be followed by a conformity assessment in accordance with the MDR and a CE marking, cannot simply be evaded by the manufacturer if he declares the intended purpose to be non-medical – perhaps even for the sole purpose of avoiding the cost and effort involved – whilst in practical terms, because of the way it functions and / or its risk profile, the app does in fact have a medical purpose after all and thus constitutes a medical device.
If an app is to be classified as a medical device, its classification depends among other things on the damage that its failure or malfunction can cause. What is actually assessed is the potential risk to the health of the user that can be caused by use or malfunction. The classification rules in accordance with Annex VIII of the Regulation routinely prescribe the classification of health apps to Class IIa. The involvement of a notified body in the conformity assessment is thus absolutely mandatory (Annex IX, Chapter I, 2.1. of the MDR). Finally, however, the classification is also to be made individually from case to case. Medical apps which have already been placed on the market as Class I products must be reassessed based on the rules of the MDR: it is then very likely that they will have to be put in a higher class. Manufacturers should allow for this possibility and get in touch with a notified body as soon as possible so as to be able to conduct a conformity assessment procedure as required by the MDR and ensure that their app complies with it.
The initial placing on the market of medical devices, and thus also that of apps classified as such, is subject to much more stringent control under the MDR than under the rules applied to date. This applies in particular to the classification of software. The requirements for the conformity assessment procedure have thus also been tightened for the manufacturers of software with a view to patients' safety, and this will in future require them to maintain a higher standard of diligence and carry out even more precise testing of the actual product in question.