DEV Community: CT_NOOO The latest articles on DEV Community by CT_NOOO (@cto_nooo_41914ad55905b). https://dev.to/cto_nooo_41914ad55905b https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2494859%2F3c96cf86-b223-42d6-bfe7-81360a4b8d64.png DEV Community: CT_NOOO https://dev.to/cto_nooo_41914ad55905b en I shipped a health app without knowing it was regulated. Here are the tools I used to fix it CT_NOOO Fri, 24 Apr 2026 16:36:34 +0000 https://dev.to/cto_nooo_41914ad55905b/i-shipped-a-health-app-without-knowing-it-was-regulated-here-are-the-tools-i-used-to-fix-it-lck https://dev.to/cto_nooo_41914ad55905b/i-shipped-a-health-app-without-knowing-it-was-regulated-here-are-the-tools-i-used-to-fix-it-lck <p>TL;DR: Most developers building health apps don't realise they might be building a regulated medical device. Here's how to check, and the tools that can help if you are.</p> <h2> A question worth asking early </h2> <p>I'm a former CTO of a medtech startup. The question that blindsided us - and that I see catch developers out constantly - is this:</p> <p><em>"Is what we're building actually a medical device?"</em></p> <p>Most developers assume the answer is no. Often they're wrong.</p> <h2> How to tell if your software is regulated </h2> <p>The category is called SaMD, Software as a Medical Device. It covers standalone software that performs a medical function without being part of a physical device.<br> The line is blurrier than you'd expect:</p> <ul> <li> <em>Is a mental health app a medical device?</em> A mood journal or meditation app - probably not. An app that screens for depression, tracks symptoms to inform clinical decisions, or recommends treatment, almost certainly yes.</li> <li> <em>Is a fitness tracker a medical device?</em> General step counting, no. Detecting arrhythmia or monitoring blood oxygen for clinical purposes, yes.</li> <li> <em>Is a symptom checker a medical device?</em> Usually yes. If it influences what a user does next about their health, regulators treat that as a medical function.</li> <li> <em>Is a mental health chatbot a medical device?</em> If it's therapeutic or diagnostic in intent, likely yes.</li> <li> <em>Is a hospital management app a medical device?</em> Administrative software, no. Clinical decision support that affects patient care, the line blurs fast.</li> </ul> <p><strong>The rule of thumb</strong>: if your software influences a clinical decision, monitors a health condition, or assists in diagnosis or treatment: assume you're regulated until confirmed otherwise. This applies whether you're building for the EU, the US, or elsewhere.</p> <h2> Tools that actually help </h2> <p>The ecosystem has improved a lot. Here's what's worth knowing across the different compliance layers:</p> <p><strong>Getting started / qualification</strong></p> <ol> <li>OpenRegulatory's classification wizard — walks you through the EU MDR classification logic and produces a risk class. Free to use.</li> <li>Greenlight Guru's <a href="https://www.greenlight.guru/eu-mdr-gap-analysis-tool" rel="noopener noreferrer">EU MDR gap assessment</a> — a free tool for teams who already know they're building a medical device and want to assess their compliance posture against EU MDR requirements.</li> <li>QualiHQ's <a href="https://qualihq.com/tools/is-my-product-a-medical-device" rel="noopener noreferrer">Is My App a Medical Device?</a> — a free five-question checker that gives you a preliminary answer based on your software's intended use.</li> </ol> <p><strong>HIPAA compliance (US)</strong><br> If you're handling protected health information, HIPAA is a parallel concern. </p> <ol> <li>Google Workspace: Google signs a Business Associate Agreement, meaning there's a legitimate pathway to using Google Workspace as part of a HIPAA-compliant setup if configured correctly.</li> <li> <a href="https://compliancy-group.com/the-guard-compliance-dashboard/" rel="noopener noreferrer">Compliancy Group (The Guard)</a> — dedicated HIPAA compliance platform covering policy management, risk assessments, staff training, and incident management.</li> </ol> <p><strong>QMS platforms</strong></p> <ol> <li>Formwork (OpenRegulatory) — QMS with strong template coverage, AI Assistant in Paid Tiers. Relatively cheap but best for teams that already understand the regulatory framework.</li> <li> <a href="https://www.qualio.com/compare" rel="noopener noreferrer">Qualio</a> — full-featured, built for teams with a dedicated QA function and budget to match. Strong if you have a regulatory/QA hire. </li> <li> <a href="//qualihq.com">QualiHQ</a> — Built for small-medium SaaS teams, free to start, no credit card required. AI generates documentation drafts based on your product, onboarding teaches the framework as you go, scoped to software compliance only.</li> </ol> <p>Most regulated health app founders find out late, usually when they're close to launch or talking to their first healthcare customer (but definitely not afterwards ;)). Finding out early is cheaper in every sense.</p> <p>If you're not sure whether your app is regulated, start with the classification wizard or the free checker above. If you are regulated, the tools listed here are what I'd reach for first. no three-month detour, no valuable consultant (read: expensive).</p> <p>I'm sure there are other tools in this space I haven't covered. If you've been through this process and found something useful, drop it in the comments, would love to build out the list.</p> software devops product deved