AI wellness or regulated medical device? A lawyer's guide to navigating FDA rules—and what could change next

There are three key frameworks under which software can potentially avoid FDA regulation:

1. The general wellness policy
2. The non-device clinical decision support (CDS) carve-out
3. The mobile medical applications (MMA) enforcement discretion policy

Many companies strive to establish a presence in one of these three zones.  But all come with sharp boundaries—and exceeding those boundaries can trigger regulatory consequences.

The general wellness carve-out

FDA's 2016 general wellness guidance provides a narrow but practical pathway for certain consumer-facing products to avoid regulation.  The agency has stated it will not enforce medical device requirements against software that is:

• Intended only for general wellness (i.e., sleep, stress management, fitness, or mental acuity), and
• Low-risk, meaning it is not invasive, not implantable, and does not present a safety concern.

This exemption is ideal for lifestyle-oriented tools—apps that encourage hydration, track steps, prompt mindfulness, or support general sleep hygiene.

Where companies get into trouble is when they try to stretch the wellness label too far.  If your product uses AI to detect depression, screen for early dementia, or analyze biomarkers to flag metabolic risk, FDA is not likely to see that as mere wellness, regardless of how you phrase your claims.

The non-device CDS carve-out

For companies building software for health care professionals (HCPs), another potential safe harbor exists: the 2022 final guidance on CDS software.  To qualify as a non-device CDS, your product must meet all four of the following criteria:

1. It does not acquire, process, or analyze medical images or signals (e.g., ECGs, EEGs, MRIs).
2. It only displays, analyzes, or prints existing medical information about a patient.
3. It supports or provides recommendations to licensed HCPs, not patients.
4. It is transparent, meaning the HCP can independently review the basis for the recommendation and does not rely primarily on the software to make clinical decisions.

This carve-out was meant to support tools that inform—not replace—clinical judgment.

Where companies get into trouble is when they market to patients or caregivers, use black-box AI models that are not explainable, or cross the line from "supporting" to "driving" a medical decision.  CDS software that lacks explainability or processes raw physiological data is likely not to qualify and is considered a regulated device.

The MMA guidance

FDA's MMA guidance (originally issued in 2015 and updated periodically) provides yet another path for mobile health tools to avoid regulation through enforcement discretion.  Under this policy, FDA has stated it will not enforce medical device requirements for certain types of low-risk mobile apps, including those that:

• Help users self-manage a condition without making specific treatment suggestions
• Automate simple tasks for providers, such as scheduling or reminders
• Reference established clinical information without analyzing raw physiological signals

This is a practical option for companies building mobile tools that extend health engagement but don’t cross into diagnostics or treatment.

Where companies get into trouble is when they integrate with regulated medical devices, process physiological signals (e.g., heart rate variability, oxygen saturation), or offer novel diagnostics using consumer device inputs, such as a phone's camera or microphone.  FDA generally views those as medical devices and regulates them accordingly.

The technology alone doesn't determine your regulatory status.  The intended use, as demonstrated by your claims, functionality, and target audience, is the key driver.

Conduct a thorough claims audit of:

•  Your website
• App store listings
• Sales decks
• Investor materials
• Social media posts
• Affiliate or partner content

Ask yourself:

• Are we making direct or implied disease claims?
• Are we promising to screen, diagnose, monitor, or predict disease?
• Are we serving HCPs, patients, or both?
• Can the user independently verify what the tool is doing?
 

Words like “diagnose,” “screen,” “detect,” or “treat” raise red flags, especially when paired with AI capabilities.  Even subtle phrasing—like "flagging possible early signs"—can tip the scale.

Straddling the line is risky.  The companies best positioned for sustainable growth pick a lane and align their product strategy, claims, infrastructure, and roadmap accordingly.

If you choose the general wellness path:

• Focus only on lifestyle, mental fitness, or behavior change, not disease.
• Avoid medical claims entirely.
• non-clinical insights.
• Accept trade-offs: no reimbursement, no clinical integrations, limited business-to-business transactions.

If you choose the non-device CDS path:

• Target licensed HCPs only.
• Use transparent, explainable logic that enables HCPs to independently verify recommendations.
• Provide clinical context that supports—but doesn’t replace—decision-making.
• Do not acquire, process, or analyze raw medical images or signals.
• Maintain consistency across product functionality and marketing materials.

If you choose the MMA enforcement discretion path:

• Avoid making direct or implied diagnostic or treatment claims.
• Do not use the app to process or interpret raw physiological signals or images.
• If your app controls or alters the function of a regulated medical device, expect FDA oversight.
• Understand that MMA status is based on FDA enforcement discretion—not a formal exemption—and can change.

If you choose the regulated medical device path:

• Prepare for premarket submissions, such as 510(k), de novo, or PMA, depending on classification.
• Implement a compliant quality management system that meets all relevant standards and regulations.
• Conduct necessary clinical validation and risk management.
• Plan for ongoing post-market obligations, such as complaint handling, medical device reporting, and software updates.
• Use FDA clearance as a mark of credibility and market access.

Each path has its own strategic trade-offs, costs, and operational implications.  The critical step is to choose the regulatory lane that aligns with your technology, claims, audience, and long-term vision—and to build your infrastructure accordingly.

The general wellness and non-device CDS policies, along with the MMA enforcement discretion guidance, are based on FDA guidance documents, rather than formal regulations.  This means they are subject to reinterpretation, revision, or even withdrawal—especially with the advent of new administrations, evolving technology, and increasing regulatory scrutiny.

We can reasonably anticipate changes that may affect all three paths:

• Narrowing the scope of what qualifies as "low-risk" wellness products, possibly restricting some current AI wellness claims.
• Heightened scrutiny of AI-powered wellness tools marketed directly to consumers, especially those with opaque algorithms or broad health impact claims.
• Stricter expectations regarding transparency, explainability, and bias mitigation in clinical decision support tools could tighten the CDS carve-out criteria.
• Potential updates or clarifications to the MMA enforcement discretion policy, particularly concerning apps that interface with wearables, process physiological signals, or connect to regulated medical devices.  Apps currently operating under enforcement discretion may face new requirements or oversight.
• Coordinated enforcement actions from FDA, FTC, HHS, and OCR targeting unsubstantiated claims, privacy violations, or deceptive marketing practices across wellness, CDS, and mobile medical apps.
• Increased focus on adaptive AI algorithms that continuously learn post-deployment, requiring more rigorous validation and monitoring across all software categories.

Because these policies are flexible and evolving, companies relying on any of these carve-outs must stay vigilant.  Building a product with the ability to adapt—whether by implementing more rigorous validation, enhancing transparency, or preparing for potential FDA submissions—will be essential to avoid enforcement risks and maintain market access.