How Do iComply? Regulatory Topics Surrounding mHealth in Clinical Trials

June 13, 2016
Philip Coran
Applied Clinical Trials

Outlining several critical areas of regulatory oversight that clinical trial researchers need to consider when using mHealth technologies.

The U.S. National Institutes of Health (NIH) Consensus Group has defined mHealth as “the use of mobile and wireless devices to improve health outcomes, healthcare services, and health research.”1 The mHealth landscape is expanding, with over 100,000 apps (i.e., mobile applications), as of 2014.Yet the vast majority of these apps have not been through the FDA medical device review process.3 Does this negate their use in the clinical trial space? Not necessarily. A quick search of the term “mHealth” on revealed that 131 interventional trials are in some way relying on mHealth technology; a quick search of the term “mobile health” returned over 1,000 trials.4 Add in the splash of recent Apple ResearchKit announcements5 and mHealth beckons further consideration from the research community.

While the potential for mHealth is tantalizing-and holds the promise of providing new insights and research endpoints-its use in the highly regulated, scientific environment of clinical trials merits rigorous attention, diligent examination, and protections well beyond those of general consumer use. This article surveys several pressing regulatory topics that clinical trial researchers need to consider when using mHealth technologies, including good clinical practice (GCP), fitness of use, security/privacy, electronic records (and eSource data), researcher oversight, and inspection preparedness.


Are we there yet?

The New England Journal of Medicine outlines several use cases for mHealth technologies.6 These range from increasing the volume and frequency of monitoring to extending the reach of medical care via remote connectivity7 to hard-to-reach patients. This could include remote medicine, that is, telemedicine, or remote monitoring in the most difficult of circumstances, as was exemplified by the observation of Ebola patients with medical wearables through Scripps’ STAMP2 program.8

Similar themes resonated at the 2015 Drug Information Association (DIA) Annual Meeting in Washington, DC, as mHealth was the primary topic of several sessions, including a late-breaking FDA panel discussion chaired by Dr. Leonard Sacks, Associate Director of Clinical Methodologies in the Center for Drug Evaluation and Research’s Office of Medical Policy, titled Mobile Health, Telemedicine, and Remote Sensors in Clinical Investigations: A New Era in Clinical Trial Design?9

While acknowledging, with some astonishment, that mobile health technologies had yet to significantly impact clinical trials, Dr. Sacks explained that mHealth can enable unobtrusive physiological measurements that could be transmitted electronically. This, in turn, could offer continuous monitoring, a reduction in missing data, performance capture before and during a trial intervention, provisioning of quantitative measurements, and capture of rare or sporadic events.10

When regulatory panels suggest use cases, it raises the question, why are we not there yet? To get “there” and beyond, mapping a compliant approach is paramount. And a good place to start is good clinical practice (GCP).

GCP is a global standard for clinical trial conduct and has been officially adopted by the FDA,11 the Japanese Ministry of Health, Labour, and Welfare (MHLW), the European Medicines Agency12 (EMA), and others.13 Although the current version (revision 1) of ICH GCP was published in the mid-1990s, the principles apply today to electronic systems used in clinical trials.14 ICH GCP Section 5.5.3 outlines key requirements, including a provision that electronic trial data handling systems should be fit for use and secure.15 Also integral to any process and technology is confidentiality of subject data, as outlined in GCP Principle 2.11-more on this to follow.


Types of devices

The FDA has issued several recent guidance documents that touch upon mHealth. The agency has devoted considerable effort to clarifying which mobile medical applications (MMA)16 it intends to regulate under the Federal Food, Drug, and Cosmetic Act (FD&C Act). Related to this is the recent 2015 FDA draft guidance, General Wellness: Policy for Low Risk Devices.17 These publications are helpful but do not directly answer what types of mHealth devices may be used in the regulated clinical trial setting. With respect to consumer grade mHealth devices, sponsors are likely to face a higher threshold in demonstrating that such devices produce reliable, reproducible, sensitive, and specific measurements.18 While a higher threshold may dissuade some, consumer grade devices remain a promising option depending on the circumstances.

The diligent sponsor should be respectful of the principles already applied to traditional clinical systems, ensuring its tools are fit for use and meet the applicable regulatory requirements. Though the vast majority of mHealth apps and devices have not gone through medical device review, Apple and Google should not be seen as surrogate regulators via their storefronts.19


Security and confidentiality

Ensuring the security, attribution, and confidentiality of data captured is key to regulatory and GCP compliance. Sponsors must take into account the preservation of patient confidentiality and privacy. More data being captured more frequently means more data may be at risk of loss or overexposure. The FDA’s 2014 medical device cyber security guidance20 offers recommendations on maintaining security and links various standards to the equation-the US National Institute of Standards and Technology (NIST), for example. Other regulatory authorities offer guidance and rules for privacy, such as the US Federal Trade Commission (FTC).21 When it comes to privacy and security, other regulators come into play, including data protection authorities (DPAs) around the world. This should not be new to a sponsor engaged in global trials, but the potential degree of data collection and the intimacy of mHealth data should warrant appropriate safeguards and transparency to the patients via the informed consent process as explained in ICH GCP Section 4.8.10. This includes subjects consenting to their data being shared internationally and with third parties. 

The Oct. 6, 2015 Court of Justice of the European Union (Schrems) Opinion22 invalidating the EU-US Safe Harbor framework further complicates the abilities for sponsors and their partners to transfer EU data (clinical and otherwise) to the U.S. The life sciences industry has heavily relied on Safe Harbor framework since 2000-some 568 Safe Harbor-certified biotechnology, drug and pharmaceuticals, and medical equipment entities were self-certified to the framework.23 The impact of Schrems is compounded across multiple sectors that touch upon clinical research in one way or another, including mHealth. While US and EU national authorities continue to negotiate compromise arrangements to succeed Safe Harbor, data flows may continue under alternate (and more burdensome) methods, such as standard contractual clauses and binding corporate rules.

The sponsor should be aware of how its mHealth partners may house and possibly use data collected on third-party sensors. Ethics committees and institutional review boards may assess mHealth privacy policies. It would be problematic if these terms and practices conflict with the patient’s expectations of privacy and confidentiality.



Electronic records

Numerous agencies, including the FDA and EMA, have issued regulations and guidance documents24 on computerized clinical data systems covering creation, maintenance, archiving, and transmission of electronic clinical records. While these regulations and guidance (e.g., FDA 21 CFR part 11, EMA Annex 11: Computerized Systems, etc.) are focused on systems designed for clinical data, how they apply in the realm of mHealth remains an open question.

For instance, the FDA clarified in its 2013 Guidance for Industry: Electronic Source Data in Clinical Investigations that it did not intend to enforce the requirements of part 11 on electronic health records systems (EHRs), in part because the clinical suitability determinations of the EHRs were not under the control of the investigator/sponsor.25

Would this extend to an mHealth tool designed for purposes other than clinical investigation? Nevertheless, the guidance states, “Sponsors should include (e.g., in the protocol, data management plan, or investigational plan) information about the intended use of computerized systems used during a clinical investigation, a description of the security measures employed to protect the data, and a description or diagram of the electronic data flow.”26


Electronic source data (eSource)

mHealth data may be considered source and eSource data and should comply with the expectations set forth in the various guidelines to meet quality, integrity, and traceability expectations. The FDA 2013 eSource Guidance27 defined source data as: “All information in original records and certified copies of original records of clinical findings, observations, or other activities (in a clinical investigation) used for the reconstruction and evaluation of the trial...” The guidance then identifies eSource data as data initially captured electronically.

With any source data-including those originating from an mHealth tool or service-the integrity principles of ALCOA should be considered and demonstrated to regulators and other stakeholders. ALCOA stands for the concept that source data should be attributable, legible, contemporaneous, original, and accurate, and the data must meet the regulatory requirements for recordkeeping.28 Note that the EMA in its 2010 eSource reflection paper29 refers to the ALCOA principles and further specifies that source data should be complete, consistent, enduring, and available when needed. In addition, the sponsor should be prepared to demonstrate how the mHealth tools/sensors would provide reliable, reproducible, sensitive, and specific measurements as electronic source data. Last, the proposed update to GCP (ICH GCP Integrated Addendum (r2) section 4.9.0) explicitly mentions the ALCOA principles and adds complete30 to the set of expectations.


mHealth endpoints and PRO instruments

The FDA’s 2009 Guidance for Industry Patient-Reported Outcome Measures discusses the process for the development of instruments in the patient-reported outcome (PRO) context.31 The topic of PRO instrument creation32 is beyond the scope of this article; however, the guidance does speak to electronic implementation of instruments and topics of concern (Guidance Section F) surrounding eSource data, such as integrity, security, availability, and data loss prevention. The researcher should be able to scientifically demonstrate fitness of use for mHealth data (as an endpoint or a new type of biomarker serving as a surrogate endpoint) through validation or qualification processes. Given the breadth of mHealth, the use cases for mHealth services and data should always be assessed in terms of how the mHealth data will be used and submitted for regulatory review.

Whenever possible, a sponsor should discuss tools and technologies with the applicable review divisions early.33 Further, it is recommended that these discussions include representatives of the Office of Scientific Investigations (OSI),34 especially when a new or novel technology is employed.



Other considerations

This paper surveyed broad topics relevant to sponsors intrigued by the potential of mHealth tools. Providing sound and meaningful data with minimal patient burden is crucial. At the same time, sponsors should be prepared to train investigators and site staff on how to use and assess mHealth data. Do not be surprised if sites and sponsors find themselves performing more tech support functions than they had previously. Who should patients and caregivers contact if there are problems or use issues with the tool? Who will be looking at trends in patient sensor data for signs of gaps or problems? Trials structured with a “staccato-rhythm”35 of defined points in conduct study data, such as in-person site visits or telephonic contact visits, differ from trials with continuous “legato”36 data. With potentially rich and seamless data coming in, investigators and monitors should be prepared to give this data adequate attention as it may relate to possible safety or non-compliance issues.37 This may present a challenge to investigator oversight in study conduct.38

At the DIA 2015 Annual Meeting, Craig Lipset, Pfizer’s Head of Clinical Innovation, listed five considerations for sensors.39 These include:

  • Know what you want to measure

  • Find a “fit-for-purpose” sensor

  • Support it in the study

  • Get the data off the sensor

  • Plan for analytics

This process, or set of procedural considerations, connects to the regulatory considerations outlined in this article and provides a foundation for making sound choices that should not be understated.

A sponsor submitting mHealth data as part of a clinical study should be prepared to demonstrate to regulatory inspectors the data was collected, maintained, and utilized in line with the ALCOA principles and in compliance with underlying regulations and guidance, including GCP. A sponsor should assess these attributes throughout the mHealth chain of custody-from the initial collection through submission to the applicable regulatory authorities.40 The sponsor should be in an inspection-ready state of preparedness irrespective of the technologies utilized and consider how they (and potentially their mHealth partners) would accommodate inspections and/or other inquiries.41



There are more nuances to regulatory oversight on mHealth than could be discussed here. mHealth may span multiple regulatory areas, from clinical, to healthcare, to consumer protection/privacy. New tools warrant diligence and engagement. Just as sponsors are evaluating an emerging landscape, so are regulators, ethics committees, and other stakeholders. Principles of clinical research still apply as the methods and tools evolve. As data is collected from mHealth research studies, it will need to be evaluated in order to ensure data integrity and patient protection.


Philip Coran, JD, CIPP/US, CISA, is Sr. Director, Quality & Regulatory Affairs (QRA), Medidata Solutions

Acknowledgements: The author gratefully acknowledges the following who provided insights and feedback on this paper: Linda Coleman and Anna Gee of Quorum Review IRB, Jonathan Helfgott of Stage 2 Innovations, and Dr. Colin Wilsher of Research Quality Assurance. In addition, the author wishes to thank Craig Lipset of Pfizer on the “Five Considerations For Wearable Devices In Clinical Trials.”



1.  Definitions of MHealth, Healthcare Information and Management Systems Society (Jan. 5, 2012),

2.  Mhealth App Developer Economics 2014, Research2guidance (May 6, 2014),

3. Hamel, Mary Beth, Nathan G. Cortez, I. Glenn Cohen, and Aaron S. Kesselheim. 2014. “FDA Regulation of Mobile Health Technologies.” New England Journal of Medicine 371, no. 4: 372-79. doi:10.1056/ NEJMhle1403384.

4. Search results on retrieved May 4, 2015 for search terms “mHealth” and “mobile health” with options of study type: interventional selected and status: known. Note that it is not clear from query on if the mHealth aspect of the trial is an intervention or is providing data into the trial record or is more of an operational enhancement in the trial process.

5. Marco Della Cava, Apple Leverages IPhone to Help Doctors Research, USA Today (Mar. 9, 2015, 7:34 PM), See also Ron Winslow, Apps to Track Exercise, Sleep Help Patients Participate in Clinical Trials, The Wall Street Journal (April 13, 2015, 4:11 PM), articles/apps-to-track-exercise-sleep-help-patients-participate-in-clinical-trials-1428955916?KEYWOR DS=Ron+Winslow.

6. See Hamel, Mary Beth et al, (2014). See also Veronica Thomas, Legal Experts Call For More Regulation Of Mobile Health Apps, WBUR (July 29, 2014, 12:02 PM),

7. Jonathan D. Rockoff, Remote Patient Monitoring Lets Doctors Spot Trouble Early, The Wall Street Journal (Feb. 16, 2015, 11:00 PM),

8. Aditi Pai, Scripps Wins USAID Grant to Monitor Ebola Patients with Medical Wearables, mobihealthnews (Feb. 12, 2015),

9. Drug Information Association Website,

10. See Offering 412: Mobile Health, Telemedicine, and Remote Sensors in Clinical Investigations: A New Era in Clinical Trial Design?, DIA 2015 51st Annual Meeting Presentation (2015), accessed June 27, 2015). 

11. Selected FDA GCP/Clinical Trial Guidance Documents, U.S. Food and Drug Administration, (last visited Aug. 28, 2015).

12. Good-clinical-practice Compliance, European Medicines Agency, jsp?curl=pages/regulation/general/general_content_000072.jsp (last visited Aug. 28, 2015).

13.  For more on GCP (E6), see Efficacy Guidelines, ICH, (last visited Aug. 28, 2015).

14. Note that as of the publication of this paper, the Integrated Addendum to Good Clinical Practice was under a public comment period through January 2016 and may update the parental guideline. 

15. See GCP Section 5.5.3, Supra note 13. 5.5.3(a) Ensure and document that the electronic data processing system(s) conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e. validation)…(d) Maintain a security system that prevents unauthorized access to the data.

16. Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff, U.S. Food and Drug Administration (Feb. 9. 2015),

17. General Wellness: [Draft] Policy for Low Risk Devices Draft Guidance for Industry and Food and Drug Administration Staff, U.S. Food and Drug Administration (Jan. 20, 2015),

18. See Offering 412, Supra note 10.

19. Other regulatory authorities including US Federal Trade Commission (FTC) have taken action against some app providers out of consumer protection and unfair trade practices. A notable example was an app provider that claimed that the app could be used to treat acne. See “Acne Cure” Mobile App Marketers Will Drop Baseless Claims Under FTC Settlements, Federal Trade Commission (Sept. 8, 2011),

20.  Medical Devices: Cybersecurity, U.S. Food and Drug Administration (last updated Oct. 23, 2014),

21.  Privacy & Data Security Update (2014), Federal Trade Commission (January 2015),

22. See C‑362/14 Schrems v. [Ireland] Data Protection Commissioner [2015] ECLI:EU:C:2015:650  available at

23. Search results on U.S.-EU SAFE HARBOR LIST retrieved on November 11, 2015 available at

24. Guidance for Industry: Computerized Systems Used in Clinical Investigations, U.S. Food and Drug Administration (May 2007),

25. Guidance for Industry: Electronic Source Data in Clinical Investigations, U.S. Food and Drug Administration (Sept. 2013), ucm328691.pdf.

26. See Guidance for Industry: Computerized Systems Used in Clinical Investigations, Pp. 8.

27.  Supra note 25. pp. 2.

28.  Id.

29. Reflection Paper on Expectations for Electronic Source Data and Data Transcribed to Electronic Data Collection Tools in Clinical Trials, European Medicines Agency (June 9, 2010),

30. Supra note 14.

31. Guidance for Industry Patient-Reported Outcome Measures: Use in Medical Product Development to Support Labeling Claims, U.S. Food and Drug Administration (Dec. 2009), For a Guidance perspective from Japan, see Supplement to the Guidance for Electronic Data Capture in Clinical Trials, Japan Pharmaceutical Manufacturers Association (Jan. 10, 2012),

32. See id at p. 32. An instrument is defined as “[a] means to capture data (i.e., a questionnaire) plus all the information and documentation that supports its use. Generally, that includes clearly defined methods and instructions for administration or responding, a standard format for data collection, and welldocumented methods for scoring, analysis, and interpretation of results in the target patient population.”

33. For a general listing of Review Divisions, see CDER Offices and Divisions, U.S. Food and Drug Administration (last visited June 27, 2015),

34. Office of Scientific Investigations, U.S. Food and Drug Administration, CentersOffices/OfficeofMedicalProductsandTobacco/CDER/ucm090085.htm (last visited June 27, 2015).

35. Staccato: abrupt, disjointed. available at

36. Legato: a smooth and connected manner of performance. available at

37. See Selected FDA GCP/Clinical Trial Guidance Documents, supra note 11. ICH GCP Investigator Section 4.2 Adequate Resources and Section and Section 4.3 Medical Care of Trial Subjects.

38. See Guidance for Industry: Investigator Responsibilities - Protecting the Rights, Safety, and Welfare of Study Subjects U.S. Food and Drug Administration (Oct. 2009),

39. See Offering 416 mHealth / mClinical and Clinical Trials: A Candid Discussion on Opportunities and Risks,, DIA 2015 51st Annual Meeting (2015), (accessed June 28, 2015). See also Five Considerations For Wearable Devices In Clinical Trials, Geeks Talk Clinical: Putting Technology on Trial Blog (June 25, 2015).

40.  This expectation relates back to the general GCP requirements regarding inspections, records access, and electronic records systems. See generally ICH Harmonized Tripartite Guideline: Guideline for Good Clinical Practice E6(R1) Sections 5.1, 5.5.3, and Glossary 1.29, 1.49, ICH (June 10, 1996),

41. For more on the inspections process, see Bioresearch Monitoring Program (BIMO) Compliance Programs available at