BOISE, Idaho — Digital therapeutics is a novel technology with many implications for records management. This blog will address some emerging records management issues specific to digital therapeutics. 

What are digital therapeutics?

Digital therapeutics (sometimes referred to as “DTx”) combine software and monitoring devices for the management and treatment of physical, mental, or behavioral health conditions. To be approved by a regulator, a DTx device or app needs to be scientifically and clinically proven to manage or treat a medical disorder. An example of a digital therapeutic approved by the Food and Drug Administration (“FDA”) is a smartphone app that can deliver extra doses of insulin through a connected insulin pump. [1]  

Benefits of digital therapeutics.

The benefit of digital therapeutics is in the way the information is delivered. This is usually through a smartphone or connected device. Digital therapeutics allow a patient and their physician to easily access health information, monitor data, and receive treatment simultaneously to manage the patient’s health. 

What digital therapeutics are being developed?

Some of the more notable DTx devices and software applications are used to treat:

  • Asthma and COPD
  • Substance Use Disorders
  • Behavioral Health Issues
  • Medication Management 
  • Diabetes 
  • PTSD 
  • Sleep Disorders

What personal information is digital therapeutics collecting?

Information that digital therapeutics collect which identifies a person can include the user’s name, address, telephone number, and email address. Other information collected could include demographics and biometric data. And of course, digital therapeutics collect a variety of user health information.  

Digital therapeutic regulations.

Because digital therapeutics are relatively new to the healthcare and pharmacy markets there often aren’t yet specific regulations in most jurisdictions. Most applicable records requirements will fall under existing medical devices, privacy, medical and health-related data retention, and cybersecurity laws and regulations. However, some countries have developed specific regulations for digital therapeutics. Here are a few examples of both general and DTx-specific regulations of which records managers should be aware: 

  • In the United States, the FDA requires companies to go through a pre-certification program to be recognized by regulators. Regulated as software as a medical device (aka SaMD), approval is subject-specific quality management system standards for software development and clinical evaluation, among other requirements. [2] 
  • In 2019, Germany passed the Digital Healthcare Act[3] which requires manufacturers to provide a safe, functional, and quality medical device, and also take steps to help ensure data privacy and security. 
  • Korea’s Ministry of Food and Drug Safety developed a Guideline on Review and Approval of Digital Therapeutics,[4] which explains the scope and criteria for regulatory review and approval of digital therapeutics under that country’s relevant rules and regulations. 

 The European Union has also begun discussing how to regulate privacy in connection with the personal data digital therapeutics collect. Because digital therapeutic devices collect a wealth of health information and other personal data, they are generally governed by privacy laws and regulations. Additionally, the International Medical Device Regulators Forum, a working group, has developed a framework to help harmonize SaMD across jurisdictions. [5]

Regulatory challenges of digital therapeutics.

The primary challenge for digital therapeutics regulators is the technology’s fast-evolving nature. For example, the devices, as well as the software necessary for their use, may quickly change from the product and service initially reviewed and approved. There is also the risk of unauthorized access to or the manipulation of DTx technology given its required connection to the internet. Data breaches are a further concern due to the large amount of personal health data that is collected from each device user.

Challenges for RIM Professionals.

Inconsistent or a lack of clear guidance concerning how to handle the personal health information collected using digital therapeutics has many RIM professionals asking how such data should be incorporated into records retention schedules. One frequent concern is whether the information that digital therapeutics collect should be treated like a medical record. The answer to this question is often very fact dependent and largely jurisdictional. Where DTx data is considered a medical record, in the U.S., the average minimum retention period is between 7 to 10 years, with many states requiring longer periods for medical records on minors. On the other end of the spectrum, some non-U.S. jurisdictions require medical records to be retained for the life of the patient. Other questions RIM professionals often encounter include:

  • Can information collected by digital therapeutics be subject to much shorter privacy retention periods given that personal information is involved;
  • Is therapeutic device data subject to often varying contractual retention requirements; and

 Are users being given notice of the provider’s processing, storage, and retention policies for personal and health information?


As digital therapeutics evolve and new DTx laws and regulations are passed, Zasio will keep clients updated and help them incorporate therapeutic device data retention requirements into their retention schedules.

  [1] The FDA would regulate this software as a medical device (“SaMD”).