When does software become a medical device? In some cases, it’s clear-cut. If your software is used to diagnose or treat patients, then it’s a medical device. But what about less clear-cut cases? Like a software that automates hospital operations-related tasks.
This is a question that many founders in the SaaS world are wondering these days, as they eye the market for healthcare software.
In this guide, we’ll explore when software becomes a medical device, and offer some tips to help you stay on the right side of the law.
When Does Software Become a Medical Device?
Section 201(h) of the Federal Food, Drug, and Cosmetic Act, 21 U.S.C. 321(h)(1), defines a medical device as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component or accessory, which is . . . (b) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or (c) intended to affect the structure or any function of the body of man or other animals.” Thus, to be considered a medical device and therefore subject to FDA regulation, your software must meet one of two criteria:
- It must be intended for use in diagnosing or treating a patient; or
- It must be intended to affect the structure or any function of the body
You can probably see how this analysis may be nuanced – many SaaS applications could potentially fall into either category, depending on the features they offer. While the FDA has provided some resources on how to make this and related determinations (for example, resources on device software functions including mobile devices and SaMD devices, and even draft guidance on device software functions and on cybersecurity in medical devices ), there is still a lot of ambiguity.
For example, what if your software is intended for use by healthcare professionals in diagnosing or treating patients? What if your software is used by hospitals to manage patient data? In both of these cases, it’s likely that your software would be considered a medical device.
There are three types of software-related medical devices:
- SaMD: Software-as-a-Medical-Device is software that on its own is a medical device
- SiMD: Software-in-a-Medical-Device is software that is integral to (embedded in) a medical device
- Software used in the manufacture or maintenance of a medical device
According to the FDA, device software functions may include SaMD and SiMD. Regardless of the role or function of your SaaS/software, it is possible that it is a “medical device” for purposes of FDA regulation. “Medical device” determinations by the FDA can be more complicated than they appear at first blush, even for a relatively simple product.
Examples of Software as a Medical Device
The following is a list of examples provided by the FDA to assist in the determination of whether software functions are medical devices:
Examples of Software that are NOT Medical Devices
- Software that is intended for health care providers to use as educational tools for medical training or to reinforce training previously received
- Software that is intended for health care providers to use as educational tools for medical training or to reinforce training previously received
- Software that displays patient-specific medical device data
Examples of Software for which FDA intends to exercise enforcement discretion
(These are examples of software functions that, even though they might otherwise qualify under the definition of “medical device,” the FDA exercises enforcement discretion because they pose a lower risk to the public.)
- Software that provides periodic educational information, reminders, or motivational guidance to smokers trying to quit, patients recovering from addiction, or pregnant women
- Software that uses video and video games to motivate patients to do their physical therapy exercises at home
- Software function that uses a checklist of common signs and symptoms to provide a list of possible medical conditions and advice on when to consult a health care provider
Examples of Software that are the focus of FDA’s regulatory oversight (Device Software and Mobile Medical Apps)
- Software (typically mobile apps) that transform a mobile platform into a regulated medical device, including:
- Software that uses a sensor or lead that is connected to a mobile platform to measure and display the electrical signal produced by the heart (electrocardiograph or ECG)
- Software that uses a sensor attached to the mobile platform or tools within the mobile platform itself to record, view, or analyze eye movements for use in the diagnosis of balance disorders
- Software that presents donor history questions to a potential blood donor and record and/or transmits the responses to those questions for a blood collection facility to use in determining blood donor eligibility prior to the collection of blood or blood components
- Software that connects to an existing device type for purposes of controlling its operation, function, or energy source, including:
- Software that alters the function or settings of an infusion pump
- Software that controls the inflation or deflation of a blood-pressure cuff
- Software that is used to calibrate hearing aids and assess the electroacoustic frequency and sound intensity characteristics emanating from a hearing aid, master hearing aid, group hearing aid, or group auditory trainer
A full list of examples to assist in the determination of whether software functions are medical devices is available here: Policy for Device Software Functions and Mobile Medical Applications
WARNING:
Even if your product is not a medical device, it may still be regulated by an office or department within the FDA. Examples include:
- Center for Biologics Evaluation and Research (CBER) regulates biological products.
- Center for Drug Evaluation and Research (CDER) regulates human drugs. If the primary intended use of the product is achieved through chemical action or by being metabolized by the body, the product may be considered a drug.
- Center for Veterinary Medicine (CVM) regulates products intended for animal use.
- Center for Tobacco (CTP) regulates tobacco product
What does it mean if your software/SaaS qualifies as a medical device under FDA regulations?
In general, the FDA regulates software/SaaS medical devices in the same manner as other medical devices. As such, if your software/SaaS is classified as a medical device by the FDA, you will be subject to all applicable requirements, including pre-market review and approval, post-market surveillance, and labeling requirements. The type of premarketing submission/application required for FDA clearance to market depends on the classification of the medical device (and any applicable exemptions).
The FDA classifies medical devices according to risk, based on the level of control necessary to assure the safety and effectiveness of the device. These classifications include:
1. Class I General Controls (With or Without Exemptions)
2. Class II General Controls and Special Controls (With or Without Exemptions)
3. Class III General Controls and Premarket Approval
There are several compliance risks associated with medical devices that SaaS founders should be aware of. One of the most significant is the risk of data breaches. Because medical devices are subject to such strict regulation, they often contain large amounts of sensitive patient data. If this data were to fall into the wrong hands, it could have devastating consequences. As a result, SaaS companies that develop medical devices must take extra care to ensure that their products are secure.
Another compliance risk associated with medical devices is the potential for recalls. If a problem is discovered with your device (including due to mandatory self-reporting), you may be required to submit explanatory information as to the nature, severity, and extent of the problem and to recall the device from the market and provide replacement or repair services at the company’s expense. This can be very costly, so it is important to make sure that your product is thoroughly tested before releasing it to the market.
Finally, it is worth noting that SaaS companies that specifically develop medical devices may be subject to increased liability risks due to a variety of circumstances. If a device is used in the diagnosis or treatment of a patient and the diagnosis or treatment fails or suffers from complications, the SaaS company that helped develop the device could be held liable for any resulting damages. This is why it is so important to have comprehensive insurance coverage if you are developing medical devices.
My software/SaaS is a medical device/SaMD/SiMD. Once I file all required documents and comply with the FDA regulations, am I ready to go to market?
There are at least three things you should take into consideration before going to market:
- Your business legal structure, including issues like:
- Company / Corporation formation
- Contracts
- Software licensing / Terms of service
- Insurance
- HIPAA, security, and information management
- Software documentation
- Money:
- Anti-kickback / Stark law issues
- Compensation structures
- Intellectual Property
- Patents
- Trademarks
- Copyrights
- Trade Secrets
Although all of these topics are important and require careful consideration, we will focus on patents to show how a lack of planning and careless drafting can cause problems.
How To Protect Your SaMD Startup’s Intellectual Property
First, file a patent
Filing compliance or other documents with any government agency could be considered disclosure to a third party and potentially make the document publicly available. Generally, disclosures to third parties and/or public availability of an invention will trigger a one-year statutory bar in which you must file a patent application for your invention. A failure to file within the appropriate timeframe could preclude you from ever protecting your invention.
Furthermore, even if the compliance or other filed document is not publicly available, the government agency could potentially publish or make publicly available a different document that you filed that contains information you previously provided about your invention.
For example, the FDA has various databases (510k, DeNovo, PMA, etc.) that provide online summaries of decisions, orders, and other documents that contain information about the products and devices currently under evaluation at the FDA. Even if the published information does not include an in-depth disclosure of your device’s inventive features, the FDA frequently receives FOIA (Freedom of Information Act) requests for information about 510k Premarket Notifications and other filings, which may include further disclosures of your invention.
Mind what you write in your patent application
When drafting your patent application, be mindful of whether you disclose a stated purpose, intended use, or solution provided by your software/SaaS. As stated above, medical device classification hinges on whether the software/SaaS in question is intended for use in diagnosing or treating a patient or intended to affect the structure or any function of the body.
Any discussion or comments in a patent application about the software/SaaS’s intended use could be construed as the intent required to classify your software/SaaS as a medical device for purposes of FDA regulations. Once you file your patent application, you should carefully consider whether to file with the FDA if you believe your software might be classified as a medical device.
Prepare for talking with your patent attorney
Software/SaaS inventions often have multiple novel features. Make a list of those features and conduct a brainstorming session about what you believe your invention is about.
Conclusion
An experienced attorney can help you navigate the regulatory landscape and make sure that you comply all applicable laws and regulations. This is a complex and evolving area of law, so it is important to seek legal counsel if you are unsure about whether your software needs to be registered with the FDA. The Rapacke Law Group is a business and intellectual property law firm built for the speed of startups, with business and patent attorneys experienced in the software, SaaS, and medical device technologies. No hourly billing and no charges for calls or emails. We offer startup, business, and intellectual property legal services for a transparent flat fee.
Our experience ranges from helping startups in their infancy to advising established businesses regarding regulatory and intellectual property matters. Our lawyers have experience assisting fast-moving, entrepreneurial companies seeking legal counsel in company formation agreements, liability, equity issuance, venture financing, IP asset protection, and infringement resolution and litigation. Contact us to schedule a free consultation with one of our experienced attorneys.
If you found this article informative, please check our articles on Patenting AI in Software as a Medical Device Innovations and on Common Patent Eligibility Rejections for Medical Device Inventions for more information on patenting medical devices.