Some technology companies are sitting on the sidelines, or just dipping their toes in the mHealth waters, out of fear of the unknown. Will FDA regulate this space? If we get into healthcare, will we get sued if someone breaks a finger nail using our app? Will the FTC come after us if we don’t have a bunch of clinical trials to support every claim we make? Will a patient come after us if personal health information somehow gets into the wrong hands? What about the company’s reputation if something goes wrong? And don’t get me started if your product triggers Medicare reimbursement. In many ways, the healthcare field seems scary at first, just based on the headlines we all read concerning regulatory and legal landmines.
Equally troubling, some technology companies are diving in without understanding the risks or having a plan to mitigate them. Indeed, some just seem to be in a state of denial, as if not thinking about these issues makes them go away, something akin to don’t ask, don’t tell. Others figure that as long as they don’t intend any harm, nothing bad can happen to them.
Both approaches are equally misguided. Instead of those approaches, I suggest you deal with the risk--understand and address it. This isn’t rocket science. I promise you can handle this, and make money doing so if your idea is good.
I am not going to do a treatise and describe all of the obscure legal and regulatory risks. If you like reading statutes and regulations, you’re in the wrong place. I’m not even going to paraphrase the law most of the time. My goal is simply to give you practical guidelines for how to navigate these uncertain waters.
I’m also not going to cover the myriad of legal and regulatory risks including product liability, HIPAA compliance, fraud and abuse, and the FTC. Instead I’m going to focus on FDA, partly because it’s representative of the other risks, and partly because it’s the area I know best. If your product doesn’t work well and someone gets hurt, you will have to both deal with FDA and face product liability.
A technology company new to the potentially regulated mHealth space needs to start by understanding: (1) the regulatory risk -- its sources, nature, magnitude and likelihood -- and then (2) more importantly, the primary risk mitigation strategies -- how to avoid getting in trouble with FDA. I’m calling the second topic risk mitigation probably just because I’m a lawyer; most people would refer to it as best business practices. It also has elements of strategic planning, in that you can think of it as considering all of the possible threats, and also looking at the possible opportunities.
At its heart, FDA regulatory risk is fairly intuitive because you only need to remember one thing: it’s all about putting the patient first. Every FDA requirement can be explained by reference to what’s necessary to protect the patient. And that includes protecting the patient from misleading information, not just physical harm.
To make this more manageable, I thought in part one I would address the regulatory risk, and save the mitigation strategies for part two to be published soon.
Root Cause of Regulatory Risk
I’ve been doing this stuff nearly 30 years, and it’s been my observation that companies get in trouble for one of three reasons:
1. FDA has not spelled out the regulatory requirements clearly enough so you know what to do. Now this has quite obvious applicability to mHealth, considering we don’t have a final guidance yet from FDA. But even after we receive that guidance, there will still be many issues of interpretation left open. Consider the list of open issues I previously posted. In the case of extreme ambiguity, this could even be a defense, because criminal statutes are supposed to be clear enough that a person knows what they need to do to comply. As a practical matter, out of fairness, FDA is usually reluctant to proceed with enforcement if the rules are not clear. Indeed, FDA has been very slow to enforce the rules in the mobile app space since they haven’t yet published their guidance, frankly even when the violations appear reasonably clear.
2. You don’t know what you don’t know. It’s possible that the FDA requirements are clearly specified somewhere, for example, on the agency’s website, but you don’t know what those requirements are out of simple ignorance. As probably everyone in America knows, though, ignorance of the law is no excuse. So this represents one of the most dangerous pitfalls.
3. You screw up the execution. Here, I’m assuming the law is clear and that you know what it is, but in a big organization sometimes the left hand doesn’t know what the right is doing, or you simply do a poor job of complying. These can be hard cases to defend if the violation itself is clear. It all comes down to the facts and what you did or didn’t do.