Digital Health & Telemedicine Strategy

LESSON 02


Regulatory Compliance for Digital Health

The FDA does not regulate apps — it regulates software that makes clinical decisions, and the line between the two is where most digital health legal risk lives.


Digital health regulation operates across at least four overlapping jurisdictions that founders routinely treat as a single problem. Federal agencies — primarily the FDA, the FTC, and CMS — set baseline requirements for software safety, advertising claims, and reimbursement eligibility. State medical boards regulate who can practice medicine and where. State insurance commissioners regulate what must be covered and how. Professional licensing bodies determine which services can be delivered by which clinical credential. A company that achieves FDA clearance and then ignores state medical practice law has solved one problem and ignored three others.

The FDA's authority over digital health products derives from its device authority under the Federal Food, Drug, and Cosmetic Act. In 2016, the 21st Century Cures Act and subsequent guidance clarified that software functions intended to treat, diagnose, or prevent disease meet the definition of a medical device — while software for administrative workflows, general wellness, or clinical decision support that a clinician uses as one input among many generally does not. The critical variable is clinical intended use: an algorithm that suggests a health tip is a wellness product, but the same algorithm used to identify atrial fibrillation from a waveform is a Class II medical device subject to 510(k) clearance.

FDA device classification determines the regulatory pathway. Class I devices — low risk, like bandages and tongue depressors — require only general controls. Class II devices — moderate risk, like most Software as a Medical Device — typically require 510(k) premarket notification, where you demonstrate substantial equivalence to a legally marketed predicate device. Class III devices — high risk, like implantable cardiac monitors — require premarket approval, which involves full clinical trials. Most digital health software, if it requires FDA clearance at all, lands in Class II. The 510(k) pathway typically takes six to twelve months and requires documented evidence of safety and effectiveness relative to the predicate.

Software as a Medical Device — abbreviated SaMD — is the FDA's category for software that performs a medical purpose without being part of a hardware device. Regulatory requirements for SaMD scale with the severity of the condition being managed and the degree to which the software's output directly drives clinical decisions. An app that monitors blood glucose trends and alerts the care team is SaMD. An app that reports calorie intake has no medical intended use and is not SaMD. The FDA's Software as a Medical Device guidance document and the International Medical Device Regulators Forum framework are the primary reference documents for making this determination.

State medical practice law creates the most operationally complex regulatory layer for telemedicine companies. The dominant rule is that a physician-patient relationship is established in the state where the patient is located at the time of service, which means a clinician licensed only in California cannot legally treat a patient sitting in New York. Companies that operate across multiple states must either employ clinicians licensed in each state or operate through a physician staffing model that manages licensure geographically. Interstate licensure compacts — the Interstate Medical Licensure Compact for physicians and similar compacts for nurses and psychologists — have partially eased this burden by enabling streamlined multi-state licensure, but coverage is still incomplete.

The FTC's role in digital health is narrower but frequently underestimated. The FTC Act prohibits unfair or deceptive acts in commerce, which means health product claims that cannot be substantiated by competent and reliable scientific evidence are actionable. Companies that claim their app reduces anxiety, improves sleep, or manages chronic conditions without adequate clinical evidence are exposed to FTC enforcement independent of FDA jurisdiction. The FTC has taken enforcement action against numerous digital health companies in the past decade, and its standard for substantiation — two randomized controlled trials for efficacy claims — is higher than most early-stage startups appreciate.

Corporate practice of medicine — often abbreviated CPOM — is a doctrine in most states that prohibits a corporation from employing physicians or controlling medical decision-making. This creates a structural problem for digital health companies that want to employ clinicians directly: they cannot, in most states, own a medical practice. The common workaround is a management services organization structure, in which the technology company provides administrative, operational, and technology services to a separately owned professional corporation that holds the clinical entity and employs the physicians. Building this structure correctly from the start is dramatically cheaper than restructuring it after a state enforcement inquiry.

The fastest way to create an FDA enforcement problem is to market a product as a wellness tool while your own marketing claims imply it diagnoses or treats disease.


TERMS


510(k) Clearance

A 510(k) is an FDA premarket submission demonstrating that a medical device is substantially equivalent in intended use and technological characteristics to a legally marketed predicate device. It is the standard regulatory pathway for Class II medical devices, including most Software as a Medical Device that requires FDA clearance. Clearance does not mean the FDA has confirmed the device is safe and effective in an absolute sense — it means the device is as safe and effective as a device already on the market.

SaMD is software intended to be used for a medical purpose — diagnosis, treatment, prevention, or monitoring — that does not depend on a hardware device to function. The FDA and International Medical Device Regulators Forum have published frameworks categorizing SaMD risk by condition severity and the directness of the software's clinical action. Most digital health applications that analyze patient data to drive clinical decisions fall within this category and require careful regulatory classification before market entry.

Intended use is the objective purpose of a product as expressed by the manufacturer's claims, labeling, advertising, and marketing materials. The FDA uses intended use — not underlying technology — to determine whether a product is a device and what regulatory controls apply. A company cannot escape device regulation by avoiding formal medical claims if its marketing, app store descriptions, or investor materials imply diagnostic or therapeutic purpose.

CPOM is a legal doctrine, existing in most U.S. states, prohibiting unlicensed corporations from owning medical practices, employing physicians, or directing clinical decisions. It was designed to protect physician independence and patient welfare from commercial incentives. Digital health companies that employ clinicians directly in CPOM states risk enforcement by state medical boards and potentially loss of operating authority.

An MSO is a business entity that provides administrative, operational, and technology services to a separately owned medical professional corporation under a services agreement. It is the standard structural solution to CPOM constraints in digital health, allowing the technology company to support clinical operations without legally controlling them. The MSO-PC structure must be carefully constructed so the services agreement does not constitute de facto physician control, which would defeat the compliance purpose.

The IMLC is an agreement among participating U.S. states that streamlines the process for physicians to obtain licenses in multiple member states through a single application. It does not grant a single national license — clinicians must still hold individual state licenses — but it reduces the administrative burden significantly. Coverage is still incomplete, and not all states participate, which means multi-state telemedicine companies cannot rely on the IMLC alone to solve their licensure geography problem.

PMA is the FDA's most rigorous premarket submission pathway, required for Class III devices that pose significant patient risk. It requires valid scientific evidence — typically from clinical trials — demonstrating reasonable assurance of safety and effectiveness. Very few digital health software products require PMA, but those targeting high-acuity clinical decisions in life-critical conditions may be classified at this tier and should conduct early regulatory strategy planning accordingly.

BEFORE YOUR NEXT MEETING

What is the intended use of our product as a regulatory matter — and have we had outside regulatory counsel review our marketing copy against that intended use claim?

If the FDA were to evaluate our product today, which device classification would it likely receive, and have we identified a 510(k) predicate we could use?

In which states do we currently have licensed clinicians, and for which states do we have a licensure gap relative to our active patient population?

Have we built an MSO-PC structure, and has regulatory counsel confirmed that the services agreement does not create CPOM exposure in our operating states?

What clinical claims are we making — explicitly or implicitly — in our marketing, and do we have the scientific substantiation to defend those claims in an FTC inquiry?


LESSON 02 OF 04