The U.S. Federal Trade Commission (FTC) recently announced its creation of a Mobile Health Apps Interactive Tool, a web-based tool designed to help developers of mobile health (mHealth) applications understand which federal laws and regulations they should consider in developing their apps. While the tool is helpful as a starting place for mHealth app developers to recognize basic issues regarding the applicability of select laws and regulations, developers should be cautious about relying exclusively on guidance resulting from the tool. In addition to using the tool, developers should obtain detailed legal guidance regarding:
- Complex legal issues under the laws and regulations covered by the tool, such as whether the type of information collected by the app is “identifiable health information”; and
- Additional legal and regulatory obligations, such as those under state laws or international laws.
Mobile Health Interactive Tool
The tool guides developers through high-level questions about their app’s functionality, data collection, and services to users. Based on a developer’s responses, the tool provides guidance about which federal laws may apply to the app. The tool’s guidance covers the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), the FTC Act, and the FTC’s Health Breach Notification Rule. It also includes a Glossary with definitions of regulatory terms (e.g., medical device) and links to further guidance and other federal agency resources, such as OCR’s Health App Use Scenarios & HIPAA and discussion portal and the FDA’s Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff.
For example, if a developer says:
- Question 1: Yes, my app creates, receives, maintains, or transmits identifiable health information;
- Question 2: No, the developer is not a health care provider or health plan;
- Question 3: No, the app does not require a prescription to access the app; and
- Question 4: Yes, the app is being developed on behalf of a HIPAA covered entity; then
- Answer: The tool says that the developer is “likely a HIPAA business associate, subject to the HIPAA Security Rule and specific provisions of the HIPAA Privacy and Breach Notification Rules” and provides an overview of the obligations under each of the HIPAA Rules. In this scenario, the tool also directs the developer to Question 5 to see if the FD&C Act also applies.
While the tool is helpful in identifying basic issues, it covers only the abovementioned laws and regulations and does not address complex issues under them. For example, it does not help a developer determine whether the information collected by the app is “identifiable health information.” Similarly, for a developer producing a health app directed toward consumers but with data accessible to healthcare providers, the analysis becomes more complicated. For example, if the app permits a connection with a healthcare professional’s systems, the extent of that connectedness can mean the difference between the application of HIPAA and the application of the FTC’s consumer protection rules – and as recent FTC enforcement in the mHealth app space demonstrates, simply because an app may handle protected health information does not mean that the app is outside the FTC’s jurisdiction.
FTC Mobile Health App Best Practices
In conjunction with the release of the interactive tool, the FTC also released its own guidance, Mobile Health App Developers: FTC Best Practices. This guidance is aimed at helping developers understand their obligations under the FTC Act. For example, it recommends that developers provide “simple, clear, and direct” notice of their app’s privacy and security features, including providing “just in time” notice regarding the collection of sensitive or unexpected data (e.g., geolocation information) and explaining why certain information is being collected (e.g., collecting geolocation information in order to track the distance cycled if the app is a cycling app). The FTC also notes that certain information, such as dietary information or blood pressure readings, may require obtaining a user’s affirmative express consent prior to collecting or sharing the data. This mHealth app developers guidance draws on the FTC’s June 2015 Start with Security: A Guide for Business, which provided practical lessons that all businesses can learn from the FTC’s data security settlements under the FTC Act.
Increased Regulatory Activity Likely
It remains to be seen whether the FTC’s release of this tool and guidance is simply to provide resources to mHealth app developers – or whether the FTC will use this guidance to bring enforcement actions under its unfair and deceptive acts and practices powers. However, the release of this tool and guidance is part of a larger trend of increased regulatory activity within the health data security space, coming on the heels of the appointment of members to the Health Care Industry Cybersecurity Task Force, as required under the Cybersecurity Information Sharing Act of 2015; updated OCR audit protocols for HIPAA Phase 2 audits; and the release of OCR’s HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.