As regulators seek to define their authority and the scope of their enforcement power, more health apps will continue to flood the marketplace and transform how patients are treated.

As mobile health applications become more integrated with everyday patient care, federal regulators have seized the opportunity to wield influence in this arena. With mobile health device innovation shaping how medical device companies, pharmaceutical companies and health care providers interact and treat patients, the Food and Drug Administration (FDA), the Federal Trade Commission (FTC) and state attorneys general have entered the fray — all in service to patient safety and data privacy. Of course, the Office of Civil Rights (OCR), an enforcement arm within the Department of Health and Human Services, maintains a strong interest to the extent HIPAA and HITECH are implicated. This article will provide manufacturers and app developers with insight into the regulatory focus and enforcement priorities of this diverse collection of regulators.

Interactive Tool

Because of their often overlapping regulatory objectives, the FDA, FTC, OCR and the Office of the National Coordinator for Health Information Technology (ONC) published an interactive tool to help developers assess which regulations or regulators are implicated by a proposed mobile health application.1 The tool, which was released on April 4, includes 10 simple questions designed to alert the developer to the lead regulator. These questions are as follows:

  1. Do you create, receive, maintain, or transmit identifiable health information?
  2. Are you a health care provider or health plan?
  3. Do consumers need a prescription to access your app?
  4. Are you developing this app on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)?
  5. Is your app intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease?
  6. Does your app pose “minimal risk” to a user?
  7. Is your app a “mobile medical app”?
  8. Are you a nonprofit organization?
  9. Are you developing this app as or on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)?
  10. Do you offer health records directly to consumers (or do you interact with or offer services to someone who does)?

The first four questions test whether the health app is subject to HIPAA and HITECH. Not all health apps that store or transmit health information are regulated by the OCR. Instead, only those apps that are created by or on behalf of a covered entity are subject to HIPAA. Although not addressed by this interactive tool, state attorneys general wield broad authority to enforce against data breaches that implicate HITECH and have been active in doing so regardless of the size or scope of the breach.

Questions five through seven assess whether the app is likely to be subject to FDA regulation. Specifically, question five asks whether the health app fits within the statutory definition of a “device” and can be regulated by the FDA. If the app fits within the definition of a device — meaning it is intended to diagnose a disease or other condition or to cure, mitigate, treat or prevent disease — then the FDA must determine where the app falls on the risk continuum. The FDA’s guidance on health apps recognizes that, while there are many different kinds of health care-related mobile applications that may be used in a clinical setting or to enhance patient care, the FDA will only regulate those types of mobile applications deemed to be a safety risk to patients if they do not function as intended.2 Therefore, questions six and seven assess whether the health application invites sufficient risks such that it should be regulated by the FDA as a “mobile medical application.” Importantly, if a health app is found to be a “mobile medical application,” the app must comply with the same premarket and postmarket controls imposed on traditional medical devices. However, even if a device is regulated by the FDA, this does not mean that the other regulators may not have an interest or that conduct could fall within their respective enforcement activities.

Questions eight through 10 are designed to determine the extent of the FTC’s regulatory oversight, which may be in addition to implicating HIPAA concerns. If an app is developed by a nonprofit organization, it falls beyond the FTC’s regulatory reach. Questions nine and 10 assess the applicability of the FTC’s Breach Notification Rule, which requires certain businesses not covered by HIPAA to notify their customers if there is a breach of unsecured, individually identifiable electronic health information. Because section 5 of the FTC Act applies to all health apps, regardless of whether they are classified as “mobile medical applications” or transmit HIPAA-protected information, none of these questions tease out the FTC’s broad authority under that far-reaching statute.

Manufacturers should welcome this interactive tool. It will help guide them in assessing regulatory risk, but several questions remain. In particular, it is unclear if the FTC will defer enforcement authority to the FDA — as it has done with pharmaceuticals — for health apps that fall under the FDA’s purview. Additionally, there are questions about whether state attorneys general, who have expressed interest in both patient safety and data privacy, will expand their enforcement authority to the mobile health arena. What is clear, however, is that, as regulators seek to define their authority and the scope of their enforcement power, more and more health apps will continue to flood the marketplace and transform how patients are treated.

Other Sources of Guidance: FDA, FTC and OCR

In addition to the interactive tool, several guidance documents and enforcement actions provide further insight into each agency’s regulatory focus.

For example, on February 9, 2015, the FDA responded to the increasing number of health care-related mobile applications by issuing final guidance on its regulation of mobile medical applications. In addition, the FDA has also released guidance documents on premarket and postmarket management of cybersecurity risks in interconnected medical devices, like mobile medical apps, based on concerns that data breaches could impact a device’s ability to function properly and impair patient safety.3

Much like the FDA, the FTC has become more active and has even brought multiple enforcement actions against app developers under its broad authority to police unfair and deceptive trade practices pursuant to section 5 of the FTC Act. For example, in February 2015, the FTC filed a complaint under section 5 of the FTC Act, alleging that two app developers — Mel App and Mole Detective — engaged in deceptive trade practices by claiming that their apps could increase a consumer’s chance of detecting early-stage melanoma without corroborating scientific evidence. In a resulting settlement, these developers agreed to refrain from making any efficacy claims without first substantiating those claims through “competent and reliable evidence” from human clinical testing.

In addition to its broad powers to police deceptive, misleading and unfairness claims advanced by app developers, the FTC also has wide latitude to regulate cybersecurity practices and has identified cybersecurity concerns in health apps as a regulatory focal point. In fact, the FTC recently published a list of best practices for developers to follow when integrating privacy and data security measures into their apps.4 The FTC identified eight “best practices” that app developers should implement to minimize potential cybersecurity concerns and ensure compliance with the FTC Act:

  1. minimize data
  2. limit access and permissions
  3. keep authentication in mind
  4. consider the mobile ecosystem
  5. implement security by design
  6. don’t reinvent the wheel
  7. innovate how you communicate with users
  8. don’t forget about other applicable laws.

App developers should heed the recommendations in the FTC’s recent guidance document and ensure their cybersecurity controls comply with industry standards. A recent study found that protected health information is worth up to 20 times more on black markets than financial information. Because of the high value associated with compromised personal health information, state attorneys general have also brought numerous enforcement actions in this area, resulting in large fines and the creation of additional compliance policies and reporting requirements. Therefore, app developers must be vigilant in building privacy into the design and development of their products to minimize the potential for hacks and the resulting regulatory scrutiny from the FDA, FTC, state attorneys general and — when the app developer is a covered entity or business associate — the OCR.5