Foreign Practice for the Regulation of Wearable Devices
In the USA, medical device regulators consider wearable devices to be low-risk devices and therefore do not label them.
For example, the U.S. Food and Drug Administration (FDA) considers such products to be “general wellness” products. The FDA believes that wearable devices pose low risks to user safety and therefore refrains from regulating them. Manufacturers either self-regulate the production and sale of their products, or follow FDA guidelines and requirements for medical devices.
This applies to wearable devices which do not require medical intervention. Although these wearable devices are not regulated by any U.S. law, any processing of protected health information (PHI)¹ is regulated by the Office for Civil Rights (OCR). That is, organizations providing cloud services to wearable device manufacturers must adhere to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
However, devices which require medical intervention are registered by the FDA. For example, external pacemakers are classified as Class II (moderate or moderately high risk). According to the information on the agency's website, the device manufacturer needs to submit a premarket notification in the form of a 510(k). According to the Code of Federal Regulations (CFR), Title 21, Part 860, Class II medical devices are subject to general and special controls. Special controls refer to the confirmation of the safety and effectiveness of a medical device by the FDA. According to the agency's clarifications, such confirmation may include premarket surveillance, random manufacturing inspections, and postmarket surveillance.
Implantable pacemakers, in turn, are Class III devices (high risk). According to CFR, Title 21, Class III medical devices are subject to general controls and premarket approval. Premarket approval is issued by the FDA. Its issuance is governed by the CFR, Title 21, Part 814, and the FD&C Act, Sections 513 and 515. Thus, the regulation of wearable devices differs depending on their use and the risk to the wearer.
In the EU, although there are some nuances and differences from the USA, the situation with the regulation of wearable devices is similar:
- Devices requiring medical intervention are regulated according to the rules described in the Medical Device Regulation (MDR), also known as Regulation (EU) 2017/745;
- The rest (accessories, smart clothes, skin patches, etc.) fall only under the control of mHealth data protection². Since the medical device classification places them in Class I, the regulatory procedure for them is the simplest; in fact, such a product can be placed on the market without regulatory approval.
The General Data Protection Regulation³ (GDPR) obliges companies to notify users of wearable devices of what information the applications have access to. Article 25 GDPR obliges companies to create systems with privacy by design and privacy by default. Privacy by design is the obligation to proactively consider personal data protection in all the company’s actions, undertakings and decisions. Privacy by default implies that the user does not need to take any action to protect his/her privacy: the privacy settings and, accordingly, the data protection settings are set by default.
The GDPR requires that only the personal data necessary for each specific processing purpose be processed. This requirement concerns the amount of data collected, storage time, processing level and data availability.
The regulatory policy in Asia is slightly different from Western policy. In China, for example, some companies in collaboration with the China Public Health Association create remote health monitoring systems for people living away from hospitals. One such project is the Wireless Heart Health program. Each participant has a smartphone and wearable sensors which automatically record ECG values. The information processed by the smartphone is sent via the network to local clinics. Then specialists hold remote consultations or invite program participants to undergo a more thorough examination if necessary. This way of interacting with a patient is called mHealth. Also, offline clinics are currently being created in China, that is, companies that provide hospitals with Internet services to transmit and process data using mobile applications, remote monitoring devices (such as wearables) and technologies to book a doctor’s appointment online.
However, wearables are still not widely certified as many companies are entering the market and investment is rising strongly. There are only a few steps towards the standardization of wearable devices.
There are organizations that have already begun to do this, such as the Federation of China (Shenzhen) Wearable Industry, which has developed methods for testing certain types of wearable devices⁴. Some Chinese hospitals are also working towards certification of devices which can control the quality of data collection, transmission and storage.
In order to scale up certification, the National Institute of Metrology of China encourages organizations to join the standardization project for wearable devices with potential applications in healthcare. The institute has identified the following standards, guidelines and specifications to be developed:
1) minimum requirements for wearable medical devices;
3) rules to perform calibration;
4) guidelines on assessing the data effectiveness and reliability;
5) guidelines on data collection and transmission;
6) guidelines on data exchange and application;
7) guidelines on data storage and distribution of information;
8) etc.
The institute also emphasizes that manufacturers, healthcare facilities and society as a whole will benefit from the standardization of the wearable device market. It is expected that a number of standards and principles, including terminology, device assessment methods, data reliability assessment methods, specification of data collection, transmission and exchange, will be developed and published.
Regarding personal data, the National People’s Congress adopted the Personal Information Protection Law (PIPL) which imposes legal restrictions on the collection, use and management of personal data, and which entered into force on November 1, 2021. PIPL aims to protect individuals and the public from the harm which can be caused by abuse and violation when processing information related to the identity of a particular person.
China’s PIPL applies to:
- Processing of personal information within the borders of China;
- Processing of personal data outside of China, if it is related to the sale of goods or services to people in China.
Under China’s PIPL, the definition of “sensitive personal information” is broadly in line with the GDPR. However, the PIPL definition goes a little further, classifying sensitive personal information as any information that could cause material damage to an individual if such information were leaked or misused.
Some of the examples of personal data given in the PIPL include:
- Financial account information;
- Biometric characteristics;
- Medical health;
- Religious beliefs.
Since 2019, the so-called “Regulatory sandbox” (i.e. experiment) has been operating in South Korea.
Regulatory sandboxes are special operational conditions under which banks and companies can test new innovative technologies and services in a limited environment without risking violations of the law. At the same time, the regulator, together with the participants in the experiment, examines how the new technology works and whether or not it is necessary to change the regulation. A decision is made only on the basis of the results of the “pilot”.
Thus, in Korea, some wearable devices included in the regulatory sandbox list are now actively used in the healthcare sector. For example, a smart watch is capable of sending a wearer’s electrocardiogram to a doctor when recording any abnormalities. The smart device will also refer the wearer to the hospital for a consultation, if necessary.
That is, South Korea is taking more serious steps in terms of certification and use of wearable devices (which do not require medical intervention) in healthcare.
For example, some universities and hospitals in Korea are conducting randomized trials to evaluate the effectiveness of wearable devices in healthcare.
At the same time, the Korean Ministry of Food and Drug Safety (MFDS) is conducting certification of some wearables as medical devices. For example, the blood pressure app and the smart watch based on this app have been registered as medical equipment.
MFDS has also developed guidelines on reporting clinical trial results of wearable technologies to standardize the conduct of studies on this topic.
That is, in Korea, wearable devices are recognized as medical devices and are being certified.
Regulation of wearable devices also affects personal data. In Korea, this is related to the Personal Information Protection Act (PIPA). According to this law, any personal information (a voice, a photo, a virtual image, a national identification number, etc.; in general, everything that can identify you as an individual) is considered personal data. Wearable device manufacturers must protect the users’ personal data according to the same principles that exist in the above countries; otherwise a fine will be imposed. In general, the European GDPR, the Chinese PIPL and the Korean PIPA are similar to each other and serve the same purposes: similar clauses and rules can be found in each document. Thus, South Korea is actively rebuilding its personal data protection system to comply with EU requirements.
But we will not delve into all the details and differences between personal data protection laws. The main thing is that they all regulate the manufacture and use of wearable devices; namely, how data are collected, processed and exchanged using wearable devices.
¹ PHI: under U.S. law, this is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
² mHealth (mobile health) is the sub-segment of e-Health which covers medical care (monitoring, disease prevention, diagnostics, etc.) using mobile devices and wireless data transfer technologies.
³ The GDPR (General Data Protection Regulation) is a set of regulations for companies that collect and process data from EU users on the Internet. The new regulation is aimed at increasing the level of protection and giving citizens control over their data. If companies fail to comply with the regulation, substantial fines will be imposed on them (up to 4% of the company’s worldwide annual revenue or 20 million Euros). The Act’s requirements apply to both organizations registered in the EU and companies located in other countries, so long as they provide services to EU citizens or otherwise collect data from such users.
⁴ For example, T/FSW 001—2019 Test method for smart wearable products (or devices) based on ECG/PPG technology.
Text: Anthony Belokopytov