The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply.

The interactive developer tool presents users with questions that include topics such as:

  • the type of information the app will create, receive, maintain, and transmit
  • the type of entity creating the app (or on whose behalf the app is created)
  • the purposes of the app
  • the information the app will provide to consumers and/or patients

The answer to each question points the user to the laws and regulations that may likely apply to the app. The tool also directs users to definitions for common regulatory terms, links, tips and guidance regarding compliance, and other federal agency resources.

In conjunction with the release of the developer tool, the FTC also released its own guidance aimed at developer compliance with the FTC Act. This guidance follows the release of OCR’s Health App Use Scenarios & HIPAA guidance and discussion portal and FDA Mobile Medical Applications guidance. Together, these agency releases reflect efforts to provide guidance that will help provide clarity to the growing mobile health app ecosystem. In addition to federal and state U.S. regulations, many developers must to contend with what international mHealth laws might apply. Developers should take care to understand how mHealth is regulated in the EU, including what information is considered personal and/or sensitive data and what the new GDPR means for health data.

The release of the FTC tool, which was developed in conjunction with the U.S. Department of Health and Human Services’ Office of National Coordinator for Health Information Technology and Office for Civil Rights (OCR), as well as the Food and Drug Administration, follows OCR’s release of the revamped audit protocol for the upcoming HIPAA Phase 2 audits, and increased focus on cybersecurity by health regulators. The increased regulatory activity in the health space in recent months suggests that health privacy and security—including in the mobile health environment—will be an area of scrutiny for regulators in the upcoming year.