News
February 18, 2015

Navigating Litigation and Tort Liability Risks for Mobile Health and Health IT Applications

Arnold & Porter Advisory

In the last ten years, mobile applications ("apps") have become an integral part of daily life for people throughout the world.  Manufacturers have capitalized on advancements in the processing speed, storage and versatility of mobile platforms to develop apps catering to virtually every interest and need.  The speed of innovation, combined with an increasingly tech-savvy and health-conscious population, has spurred an explosion of medical and health apps.  These apps range from consumer-directed calorie counters and exercise trackers to sophisticated diagnostic and "Clinical Decision Support" apps designed to help physicians care for patients.  Many of these apps also collect, store, analyze and transfer individual health information and data previously available only through face-to-face consultations with a healthcare professional. 

While the potential benefits of medical and health apps are well-documented, the potential legal risks associated with these emerging technologies also warrant consideration.  In addition to the many regulatory considerations associated with the development and distribution of mobile apps, manufacturers, developers and retailers should consider potential litigation and tort liability risks associated with marketing and distribution of medical and health apps that may not perform as intended or advertised.

Product and Tort Liability Risks for Mobile Apps: Are Apps Actually Products?

Characterizing apps as "products" in the traditional sense could, at first glance, seem open to debate.  Products are often thought of as tangible objects or things, whereas many people characterize software and software development as a "service."  While the prevalence of mobile apps is a relatively recent phenomenon, the law governing transactions for software has developed over the past thirty years.  In the mid-1980s, the Ninth Circuit considered whether a contract for the supply of a software system was the sale of a "good," and thus covered by the Uniform Commercial Code ("UCC" or "the Code"), or whether it was the rendition of a "service" falling outside of the scope of the UCC.1  The Ninth Circuit noted that deciding whether a software transaction involves goods or services is not a one-size-fits-all determination, but rather requires a case-by-case analysis of the "essence of the agreement," because "software packages vary depending on the needs of the individual consumer."2  Where the predominant factor of the software transaction is the exchange or provision of goods, and services such as employee training, repair and system upgrades are merely "incidental to sale," the software is properly characterized as a good, the sale of which is governed by the UCC.3

Courts applying this "predominate factor" test in the years since have generally found that "mass-produced, standardized, or generally available software, even with modification and ancillary services included in the agreement, is a good that is covered by the UCC."4  Apps fit these criteria because they are standardized applications available to any mobile device user through online marketplaces.  Accordingly, it is likely that courts will view transactions involving the sale or transfer of medical or health apps as a transfer of goods under the predominate factor test, and by extension, "products."5

The likely characterization of apps, including medical and health apps, as goods has broad implications for potential litigation given the widespread adoption and application of the UCC, a comprehensive set of rules governing the sale of goods and other commercial transactions.  The UCC is intended to address differences in respective state laws regarding the legal and contractual requirements of doing business, and it has been enacted in whole or in part (with some local variation) in all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands.  Accordingly, courts look to the UCC, its official comments and its interpretation to inform their decisions. 

Are Product Liability Suits Involving Health-Related Apps Preempted?

Though several Federal and State regulators have authority over medical and health apps, the United States Food and Drug Administration ("FDA") has asserted primary jurisdiction over apps and software pursuant to its authority to regulate medical devices.  The FDA has stated, however, that it intends to exercise its oversight authority over a small subset of health-related apps.6  The Agency's most recent nonbinding guidance regarding health-related apps explains that FDA "intends to apply its regulatory oversight to only those medical apps that are medical devices and whose functionality could pose a risk to a patient's safety if the mobile app were not to function as intended."7  The Agency also clarified that the intended use of an app, as demonstrated by labeling and promotional claims, determines whether it meets the Federal Food, Drug and Cosmetic Act's ("FDCA's") definition of a "device."  "When the intended use of the mobile app is for the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure of any function of the body of man, the mobile app is a device."8

The FDA's stated intent to regulate a subset of the apps deemed medical devices ("mobile medical apps" or "MMAs") is especially relevant because the FDCA "expressly preempts a state-law claim where specific federal requirements apply to the particular medical device that is the subject of the claim, and the state-law claim imposes a standard of care or behavior that is 'different from, or in addition to' the specific federal requirements relating to the safety and effectiveness of the device."9  Though courts have held that this provision applies only to devices marketed under the premarket approval ("PMA") provisions of the FDCA,10 it is likely that manufacturers of the relatively small subset of apps marketed under a PMA can benefit from preemption.  For the vast majority of app manufacturers, however, the preemption provision may not bar state-law claims because most FDA-regulated apps either are exempt from PMA or are subject to the premarket notification (510(k)) process reserved for moderate to low-risk devices.

The FDA has stated that MMAs pose potential risks analogous to those posed by traditional medical devices performing the same or similar functions.  Accordingly, the Agency identified three kinds of MMAs it intends to regulate as medical devices: (1) apps that connect to one or more medical device(s) for purposes of controlling the device(s) or for use in active patient monitoring or data analysis (e.g., apps that control the delivery of insulin on an insulin pump); (2) apps that transform the mobile platform into a regulated medical device through the use of attachments, display screens, or sensors, or by including functionalities similar to those of currently regulated devices (e.g., apps that use sensors on a mobile platform to create a stethoscope function); and (3) apps that become a regulated medical device (software) by performing patient-specific analysis and providing patient-specific diagnosis or treatment recommendations (e.g., apps that use patient information to calculate dosage therapies for radiation therapy).11  The FDA's decision to regulate these MMAs would not provide a credible basis to assert the preemption defense in a product liability action, unless they are marketed under a PMA.  Accordingly, the majority of FDA-regulated apps will fall outside the purview of the preemption provision as it is currently interpreted.

The FDA has identified a second category of health-related apps over which it intends only to exercise enforcement discretion.  Regardless of whether certain apps in this category meet the definition of a medical device, the agency does not intend to enforce the FDCA's requirements for these apps "because they pose a low risk to patients."12 

Examples include: (1) apps that facilitate supplemental clinical care by coaching patients to manage their health in their daily environment (e.g., apps that promote proper weight maintenance); (2) apps that provide tools for users to organize and track their health information, without providing recommendations to alter or change a previously prescribed treatment (e.g., apps that track blood pressure measurements); (3) apps that provide easy access to information related to users' health conditions (e.g., apps that are drug-to-drug interaction or drug-allergy look-up tools); (4) apps that are specifically marketed to help patients document, show, or communicate to providers potential medical conditions (e.g., apps intended for medical use that utilize the mobile device's built-in camera for purposes of documenting or transmitting pictures); (5) apps that perform simple calculations routinely used in clinical practice (e.g., body mass index calculators); (6) apps that enable individuals to interact with personal health record ("PHR") systems or electronic health record ("EHR") systems (e.g., apps that allow users to download EHR data); and (7) apps that meet the definition of Medical Device Data Systems (e.g., apps that are intended to transfer, store, convert, format, and display medical device data).13  Because the FDA has determined that these apps "will not be subject to regulatory requirements at this time," they fall outside the purview of the FDCA's preemption provision and could give rise to product liability litigation, notwithstanding the fact that the FDA perceives them as "lower risk to the public."14

Similarly, apps that the FDA expressly considers not to be medical devices do not implicate the preemption provision.  Unless these apps qualify for preemption on some other ground,15 they could give rise to tort or other forms of liability arising from false or misleading product claims or express or implied warranties related to the product's performance.  They include: (1) apps that are intended to provide access to electronic "copies" of medical textbooks or other reference materials with generic text search capabilities (e.g., apps that are medical dictionaries); (2) apps intended for health care providers to use as educational tools for medical training or to reinforce training previously received (e.g., apps that are interactive anatomy diagrams); (3) apps intended for general patient education and to facilitate patient access to commonly used reference information (e.g., apps that find the closest medical facilities to the user's location); (4) apps that automate general office operations in a health care setting and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease (e.g., apps that manage shifts for doctors); and (5) apps that are generic aids or general purpose products (e.g., apps that provide turn-by-turn directions to medical facilities).16

What are Potential Theories of Liability for Regulated and Non-Regulated Apps?

Because MMAs are medical devices, they are potentially subject to the same theories of tort liability that apply to traditional medical devices, including, for example, breach of express or implied warranty, strict products liability, negligence and misrepresentation.17  For example, the FDA has classified as MMAs "apps that use patient information to calculate dosage therapies for radiation therapy."18  If a patient alleges that he was injured as a result of exposure to incorrect levels of therapeutic radiation arising from a defect or failure of the dosing app, it is conceivable that the patient could sue the manufacturer under numerous theories of tort liability. 

The same is true with respect to health-related apps that the FDA has declined to regulate because they are deemed to be low-risk.19  The Agency's description of these apps as low-risk may strengthen certain defenses available to manufacturers in the event of tort litigation.  For example, a low-risk designation could theoretically lessen the extent to which an app-related hazard is deemed foreseeable.  However, it is unlikely that the FDA's assessment of an app as low-risk would eliminate the risk of liability altogether.  At a minimum, health-related apps are products,20 which means that regardless of the FDA's risk assessment, non-regulated apps may be subject to relevant State consumer product laws that provide a private right of action for both economic and non-economic injuries caused by violations of Federal or state consumer protection statues.21 

Although manufacturers of medical and health apps face many of the same liability risks as manufacturers of traditional medical devices and consumer goods,22 there are a number of practical steps manufacturers can take to manage and possibly mitigate liability risks.  These include, but are not limited to:

  • Robust software design and development protocols, to reduce the risk of defects or "bugs" that may lead to user injury;
  • Appropriate processes for documenting and investigating consumer complaints regarding apps;
  • Robust systems for assessing the potential impact of significant software "updates" or "patches" designed to improve or alter the app's performance;
  • Procedures for validating and verifying corrections or design changes;
  • Accurate, verifiable and appropriately substantiated quality and performance claims;
  • Proper labeling and instructions that clearly articulate the intended use of the app;
  • Legal and medical review of promotional materials, labeling and advertising for apps;
  • Clear and conspicuous disclosure of warnings, contraindications and disclaimers, especially where such language may limit the scope of express and implied warranties;23
  • Consumer comprehension studies to confirm that app instructions, warnings and warranties can be readily understood by app-users; and Ongoing training of developers and other personnel, and audits of third-party vendors, suppliers and service-providers.

Lauren Miller, an associate in the firm's FDA/Healthcare Practice Group, assisted in the publication of this advisory.

  1. See RRX Indus., Inc. v. Lab-Con, Inc., 772 F.2d 543 (9th Cir. 1985).

  2. Id. at 546.

  3. Id.

  4. Simulados Software, Ltd. v. Photon Infotech Private, Ltd., No. 5:12-CV-04382-EJD , 2014 WL 1728705, at *5 (N.D. Cal. May 1, 2014); see also Executone of Columbus, Inc. v. Inter-Tel, 665 F. Supp. 2d 899, at 919 n.3 (S.D. Ohio 2009); Advent Sys. Ltd. v. Unisys Corp., 925 F.2d 670, 675-76 (3d Cir. 1991).

  5. See Restatement (Third) of Torts: Products Liability, § 19 cmt. d (1998) ("When a court will have to decide whether to extend strict liability to computer software, it may draw an analogy between the treatment of software under the Uniform Commercial Code and under products liability law.").

  6. See generally U.S. Food and Drug Admin., Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff ("MMA Guidance") (issued Feb. 9, 2015).  The 2015 MMA Guidance is available from FDA's website here.

  7. Id. at 4 (emphasis added).

  8. Id. at 8.

  9. Johnson v. Hologic, Inc., No. 2:14-cv-0794-JAM-KJN-PS, 2015 WL 75240, at *3 (E.D. Cal. Jan. 6, 2015) (quoting 21 U.S.C.A § 360k); see also id. ("Furthermore, a claim may be subject to implied preemption under the MDA when it 'seek(s) to enforce an exclusively federal requirement not grounded in traditional state tort law.'  'Together, express preemption and implied preemption leave only a 'narrow gap' through which plaintiff's claims must fit in order to survive.'") (internal citations omitted).

  10. See Riegel v. Medtronic, Inc., 552 U.S. 312 (2008) (holding that the MDA's preemption clause bars state common-law claims that challenge the effectiveness or safety of a medical device that is marketed pursuant to PMA, in which FDA reviews and approves the labeling and safety information for the product); see also Stengel v. Medtronic Inc., 704 F.3d 1224, 1231 (9th Cir. 2013) (noting that in cases dealing with violations of the MDA outside the premarket approval process, the MDA does not preempt state law causes of action for damages); Erickson v. Boston Scientific Corp., 846 F. Supp. 2d 1085, 1093 (C.D. Cal. 2011) (holding that plaintiff's state law claims were preempted under the MDA because the device, a pacemaker, was subject to the FDA's PMA approval process).  Because the premarket notification (510(k)) process through which most moderate risk medical devices come to market does not expressly require the submission or approval of product labeling, courts have reasoned that the preemption provision only applies to PMA devices.

  11. See MMA Guidance at 13-15.

  12. See id. at 16.

  13. See id. at 16-18.

  14.  Id. at 23.

  15. Courts recognize three types of preemption: (1) express preemption, (2) field preemption, and (3) conflict preemption.  See McClellan v. I-Flow Corp., Nos. 11-35109, 11-35134, 2015 WL 294292, at *3 (9th. Cir. Jan. 23, 2015).  This advisory focuses on the MDA's express preemption provision for medical devices, see Wyeth v. Levine, 555 U.S. 555, 574 (2009), and does not separately address the potential applicability of field or conflict preemption theories.

  16. See id. at 20-22.

  17. See James v. Diva Int'l, Inc., 803 F. Supp. 2d 945 (S.D. Ind. 2011).

  18. See MMA Guidance at 13-15.

  19. See MMA Guidance at 16. 

  20. See supra at 1-3.

  21. See, e.g., 15 U.S.C. § 2072(a).

  22. Because the economic loss rule generally bars recovery in tort for purely economic losses, a prospective plaintiff would have to allege that a non-regulated app or a non-PMA regulated app caused physical injury to his or her person or property in order to sue the app manufacturer under a tort theory.  Given the intangible nature of software, establishing causation may prove more difficult here than in other product contexts.

  23. The authors recognize the inherent tension between the need to disclaim warranties that could form the basis for liability, and the need to effectively promote the performance capabilities of the app.

Email Disclaimer