The U.S. National Institutes of Health (NIH) Consensus Group has defined mHealth as “the use of mobile and wireless devices to improve health outcomes, health care services and health research." The mHealth landscape is expanding with over 97,000 apps (mobile applications) as of 2013. Yet the vast majority of these apps have not been through the FDA medical device review process. Full stop? Not necessarily. A quick search on Clinicaltrials.gov reveals 131 interventional trials are in someway relying on mHealth technology (over 1,000 trials when searching on “mobile health"). Add in the splash of the Apple ResearchKit announcements and mHealth beckons further consideration by the research community.
While the potential for mHealth is tantalizing — and holds the promise of providing new insights and research endpoints — its use in the highly regulated, scientific environment of clinical trials merits rigorous diligence and protections well beyond that of general consumer use. This article will survey several regulatory topics that clinical trial researchers need to consider when using mHealth technologies.
Defining the Use Cases
The New England Journal of Medicine outlined several use cases for mHealth technologies. These ranged from increasing the volume and frequency of monitoring to expanding the reach of medical care via monitoring and remote connectivity to hard-to-reach patients.
This could include remote medicine (i.e., telemedicine) or remote monitoring in the most difficult of circumstances as evidenced by the observation of Ebola patients with medical wearables though Scripps’ STAMP2 program.
Whatever the use-case, let’s start with the foundational requirements of Good Clinical Practices (GCP).
GCP is a global standard for the conduct of clinical trials and is officially adopted as guidance by the FDA, the European Medicines Agency (EMA) and others. Although the current version of GCP was published in the mid 1990s, the principles apply today to electronic systems used in clinical trials. Section 5.5.3 outlines key requirements, including systems should be fit for use and secure. Confidentiality of subject data is also paramount to any process and technology as outlined in GCP Principle 2.11 — more on this to follow.
What Are the Regulators Saying about mHealth Technology?
The FDA has issued several recent guidance documents that touch upon mHealth. The agency has devoted considerable efforts clarifying which mobile medical applications (MMA) it intends to regulate under the Federal Food, Drug, and Cosmetic Act (FD&C Act). Related to this is the recent FDA draft guidance on General Wellness: Policy for Low Risk Devices. The diligent sponsor should ensure it uses tools that are fit for use and have met the regulatory requirements as applicable. As mentioned previously, the vast majority of mHealth apps and devices have not gone through medical device review. Yet no one should defer to Apple and Google as surrogate regulators.
Security and Confidentiality:
Ensuring the security, confidentiality, and availability of data captured is key to compliance with GCP. Sponsors must take into account preservation of patient confidentiality and privacy.
More data, more frequently means more data may be at risk. What you collect, you must protect. The FDA’s 2013 Medical Device Cyber Security Guidance offers insights on maintaining security and links various standards to the equation. Other regulatory authorities offer guidance (and rules) on privacy such as the US Federal Trade Commission. When it comes to privacy and security, other regulators come into play including data protection authorities (DPAs) around the world. This should not be new to a sponsor engaged in a global trial, but the degree of data collection and the intimacy of mHealth data should warrant appropriate safeguards and transparency to the patients (via the informed consent process as explained in GCP 4.8.10).
Electronic Records:
Numerous authorities including the FDA, EMA, and others have issued regulations and guidance on computerized clinical data systems covering creation, maintenance, archival and transmittal of electronic clinical records. While these regulations (e.g., 21 CFR part 11) and guidance were focused on data systems designed for clinical data, it remains an open question on how they apply to the mHealth realm.
For instance, the FDA clarified in its Guidance for Industry: Electronic Source Data in Clinical Investigations (2013) that the agency did not intend to enforce the requirements of part 11 on electronic health records systems (EHRs) because the clinical suitability determinations of the EHRs were not under the control of the investigator/sponsor.
Would this extend to an mHealth tool designed for purposes other than clinical investigation? Nevertheless, the guidance states, “Sponsors should include (e.g., in the protocol, data management plan or investigational plan) information about the intended use of computerized systems used during a clinical investigation, a description of the security measures employed to protect the data and a description or diagram of the electronic data flow."
Electronic Source Data (eSource):
mHealth data may be considered eSource data and should comply with the expectations set forth in the various guidance to meet quality, integrity, and traceability expectations.
mHealth End Points and Patient Reported Outcome (PRO) Instruments:
The process for the development of instruments in the PRO context is discussed in the FDA’s 2009 guidance for industry. The topic of PRO instrument creation is beyond the scope of this article, however, the guidance does speak to electronic implementation of instruments and topics of concern (section F) such as integrity, security, availability, data loss prevention, etc.
There are more nuances to regulatory oversight on mHealth than could be discussed here. Recall that mHealth may span multiple regulatory areas from clinical, to health care, to consumer protection.
New tools warrant diligence and engagement. Just as sponsors are evaluating an emerging landscape, so are regulators, ethics committees and other stakeholders. Principles to clinical research still apply as the methods evolve.
As data come in, it will need to be met with the attention and protection that the data (and the patient) deserves.(PV)
Editor’s Note: Please note this article does not render legal advice or establish an attorney client relationship.
Medidata Solutions is the leading global provider of cloud-based solutions for clinical research in life sciences, transforming clinical development through its advanced applications and intelligent data analytics.
For more information, visit mdsol.com.