It seems as though 2016 may become the year that industry receives a plethora of helpful interactive portals from Federal Agencies. My colleague Matt Cohen recently reported on the existence of a new CPSC tool called The Regulatory Robot that’s helping businesses identify the product safety rules that might apply to a new product. This week, the Federal Trade Commission (FTC) — in conjunction with the Food and Drug Administration (FDA), the Office of Civil Rights (OCR), and the Office of the National Coordinator for Health Information Technology (ONC), all agencies housed within the Department of Health and Human Services — launched a similar portal for mobile app developers.
The FTC’s interactive tool walks developers of health-related mobile apps through a series of ten questions and then points them to critical Federal laws that may apply to their product. Mobile apps often collect, create, or share consumer information, thus implicating the FTC Act, which prohibits unfair or deceptive trade practices in or affecting commerce, including practices that relate to data security and consumer privacy. The FTC Act also prohibits false or misleading claims about the performance of a mobile app product or about its potential safety, if relevant to the app’s function. FTC also enforces a breach notification rule that requires certain businesses to notify consumers following breaches to their personal health information. The Commission also released a new guidance, “Mobile Health App Developers: FTC Best Practices,” at the same time as the interactive tool in order to provide additional compliance tips to businesses who are covered by the FTC Act.
Next, the interactive tool asks questions to determine whether the mobile app is intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease – an affirmative answer will likely render the product a medical device under the Food, Drug, and Cosmetic Act. FDA has focused its regulatory oversight on what it calls “mobile medical apps” that have the potential to pose risks to consumers, but there may be situations in which lower-risk medical apps are subject to certain medical device requirements as well.
Finally, if a wellness or other health-related app is developed by or on behalf of an entity covered by the Health Insurance Portability and Accountability Act (HIPAA), then HIPAA rules on privacy and security will probably apply. OCR is responsible for enforcing HIPAA and separately released a guidance earlier this year that provided examples of when a mobile app developer may become subject to the law (as discussed recently in a post on our sister blog, Health Law & Policy Matters).
An April 5th FTC press release includes comments from each of the agencies involved in enforcing these various laws and their application to mobile app products. In our view, the agencies should be applauded for this effort at transparency and facilitating compliance by small businesses who may be overwhelmed with the various legal analyses they need to undertake before releasing a new mobile app product. The only other comment from us is that having the Mobile Health Apps Interactive Tool running slows down your other computer programs a lot, so be forewarned if you plan to use it!