
Regulatory Oversight of Companion Apps: Where Do They Stand? 

Imagine sipping your morning coffee while an app effortlessly syncs with your glucose monitor. These are companion apps, digital tools that extend the functionality of medical devices. But with innovation comes responsibility. So, who ensures these apps are safe, effective, and secure? 

Companion apps, particularly in healthcare, are rising fast. But what about the regulatory frameworks that govern them? In this blog, we’ll break down how these apps are regulated globally and what it means for patients, providers, and developers alike.

U.S. FDA: A Risk-Based, Multi-Agency Model

In the United States, the regulation of companion apps is shaped by a risk-based, function-specific framework led primarily by the Food and Drug Administration (FDA) but supported by agencies like the FTC, HIPAA-regulated entities, and the Consumer Financial Protection Bureau (CFPB). This multi-agency ecosystem ensures that apps across health, wellness, and finance domains are appropriately monitored for safety, privacy, and consumer protection. 


FDA Oversight of Medical Device Apps

The FDA regulates digital health applications that meet the definition of a medical device under the Federal Food, Drug, and Cosmetic Act (FD&C Act). This includes software that diagnoses medical conditions, provides treatment recommendations, controls or interfaces with hardware medical devices, or converts a smartphone into a medical diagnostic tool.  

The FDA classifies such devices by risk: 

  • Class I: Low risk (e.g., wellness trackers) 
  • Class II: Moderate risk (e.g., insulin dose calculators) 
  • Class III: High risk (e.g., apps controlling pacemakers) 

Higher-risk devices require stringent premarket reviews such as 510(k) clearance, De Novo classification, or Premarket Approval (PMA). In recent years, the FDA has also embraced the Software as a Medical Device (SaMD) principle, in line with IMDRF guidance, and launched the Digital Health Center of Excellence to streamline and modernize oversight. 


HIPAA and Health Data Privacy

The Health Insurance Portability and Accountability Act (HIPAA) applies when companion apps are developed or offered by covered entities (e.g., hospitals) or their business associates. HIPAA mandates strict standards for the handling, transmission, and storage of protected health information (PHI). However, many consumer health and wellness apps, especially those not affiliated with clinical providers, fall outside HIPAA’s scope, creating potential gaps in data protection. 


FTC Enforcement and the Health Breach Notification Rule

To address privacy gaps in non-HIPAA-covered apps, the Federal Trade Commission (FTC) enforces the Health Breach Notification Rule (HBNR). This mandates user and FTC notification in case of a data breach. 


CFPB Oversight of Financial Companion Apps

The Consumer Financial Protection Bureau (CFPB) oversees companion apps handling financial data, such as digital wallets or budgeting tools. A 2024 rule expanded its jurisdiction to major nonbank fintech firms, imposing standards for fraud prevention, transparency, and user data protection. 


Emerging FDA Frameworks like Prescription Drug Use-Related Software (PDURS)

The PDURS framework applies to software that is marketed in relation to a prescription drug but does not independently qualify as a medical device. PDURS is treated as prescription drug labeling, not as a medical device, unless its functionality independently meets the medical device definition. This nuanced approach reflects the FDA’s aim to balance innovation with public health safeguards. Under PDUFA VII, the FDA introduced PDURS guidance precisely to clarify how such software integrates with existing drug-labeling authority, without duplicating medical-device review.

EU/Europe: MDR

In the European Union, all software with a medical purpose is treated as a medical device under the EU Medical Device Regulation (MDR 2017/745). Apps must bear a CE mark before they can be legally marketed. Classification ranges from Class I to Class III depending on intended use, risk, and clinical significance. For higher-risk apps, a notified body must issue the CE certificate.

On the data privacy front, the General Data Protection Regulation (GDPR) governs health data. Developers must obtain explicit user consent, employ data minimization, and embed privacy-by-design principles.

United Kingdom

Since Brexit, the UK has its own regulatory framework under the UK Medical Devices Regulations 2002 (as amended), though it remains largely aligned with the EU MDR for now.

Transitioning from CE to UKCA: 

  • The CE mark is accepted in Great Britain until June 30, 2028 
  • Manufacturers must then shift to the UK Conformity Assessed (UKCA) mark 

The UK GDPR, mirroring EU GDPR, governs personal health data with similar standards of user consent and security. 

International Medical Device Regulators Forum (IMDRF)

The International Medical Device Regulators Forum (IMDRF) brings together regulators from the U.S., EU, Japan, Canada, Australia, and others to harmonize approaches to Software as a Medical Device. The IMDRF’s risk categorization framework, now widely adopted, divides SaMD into four categories. These categories are based on: 

  1. The significance of the information provided by the app 
  2. The severity of the health condition it addresses 

This global alignment fosters consistency and innovation while enhancing safety.

Conclusion

Companion apps are transforming how patients and providers interact with healthcare, but with innovation comes regulatory responsibility. Regulatory oversight ensures these apps are safe, secure, and fair, with frameworks like the EU’s MDR and the U.S. FDA and CFPB rules leading the way. However, challenges like rapid innovation, global distribution, and data privacy concerns, especially with AI-powered apps, mean regulators must keep evolving.

How can DDReg Help?

DDReg offers end-to-end regulatory support for products that qualify as medical devices, guiding companies through every stage of the product lifecycle. From initial regulatory strategy development to market authorization, technical documentation, and post-market surveillance, our solutions are tailored to meet local and global standards. 

Whether you’re launching a new drug or medical device, managing post-market obligations, or navigating complex regulatory changes, DDReg provides the local insight and global perspective you need to succeed.