New York has made a mark on the regulatory and enforcement landscape for mobile health applications ("mobile health app") with the New York Attorney General's ("NY AG") March 23, 2017, announcement of settlements with three mobile health app developers. Two of the mobile health apps were promoted as tools to help users accurately monitor their heart rate using only their smartphone's camera. The developer of the third mobile health app claimed that it could transform a smartphone into a fetal heart monitor using only the smartphone's microphone and a pair of headphones. According to the developer, the mobile health app could be used instead of a Doppler—a type of fetal heart monitor. In the settlement agreements, the NY AG's office notes that both heart rate monitors and fetal heart monitors are regulated by the Food and Drug Administration ("FDA") as Class II medical devices, which "require greater regulatory controls to provide reasonable assurance of the device's safety and effectiveness."

The settlements rely on New York statutes prohibiting "illegal or fraudulent acts," "deceptive acts or practices," and "false advertising" in the conduct of any business, and describe two primary concerns. The first is the dissemination of unfounded and deceptive information that is potentially harmful to consumers. The NY AG claimed that all three mobile health apps were marketed without substantiating evidence or testing to compare their accuracy with that of FDA approved or cleared medical devices. The NY AG concluded that consumers could be harmed by relying on potentially inaccurate or misleading results, or by relying on false assurances, such as the presence of a healthy fetal heartbeat.

The second concern is privacy. While all three mobile health app developers maintained a privacy policy, the NY AG claimed that such policies were inadequate because they did not require express user consent and failed to disclose the collection, storage, and/or disclosure of certain information, such as the smartphone's global unique identifier or the user's GPS location. The NY AG also noted that the privacy policies for the heart monitor apps did not disclose to users that any personal health information collected, stored, and shared by the heart monitor app may not be protected under the Health Insurance Portability and Accountability Act ("HIPAA").

Pursuant to the settlements, the mobile health app developers agreed to provide additional substantiating evidence, to revise their marketing materials to make them nonmisleading, and to update and require affirmative consent to their privacy policies. The mobile health app developers also agreed to pay a combined $30,000 in penalties.

Both the development and use of mobile health apps continue to rise as people become increasingly engaged in managing their own health and wellness. With this rise in popularity, the regulatory and enforcement landscape for mobile health applications is evolving to keep pace with concerns regarding consumer protection, safety, and privacy, as these recent settlements illustrate. At the federal level, in April 2016, the Federal Trade Commission, in conjunction with the Department of Health and Human Services' Office of National Coordinator for Health Information Technology, Office for Civil Rights, and the FDA, released a web-based tool designed to help developers and providers determine what federal laws and regulations might apply to their mobile health apps. This follows the FDA's Guidance on Mobile Medical Applications, which was updated in February 2015. Mobile health app providers and developers should also be aware that certain uses of consumer data may constitute human subject research and trigger the federal regulations governing the protection of human subjects, known as the "Common Rule." With the potential for enforcement at both the federal and state levels, providers and developers of mobile health apps should understand and become familiar with applicable laws and regulations.