A recent string of advertising and privacy crackdowns on mobile health apps should have developers on high alert as regulators are scrutinizing advertising statements and privacy policies. Most recently, three mobile health app developers agreed to pay a fine and revise their marketing claims and data use in settlements following a New York Attorney General investigation. While the absence of FDA review was at play in the cases, it’s noteworthy that New York took the lead on these cases in lieu of the FDA or FTC. States like New York setting their own expectations for marketing products that were primarily regulated by the Federal government may be the beginning of a trend we previously predicted.
According to the New York Attorney General, apps Cardiio, Runtastic, and Matis used “misleading claims and irresponsible privacy practices” that resulted in settlement agreements to provide additional information about testing of the apps, make clarifications in their advertising, and pay $30,000 in combined penalties. They must also post clear and prominent disclaimers informing users that the apps are not medical devices and not cleared or approved by the FDA. Additionally, the apps must disclose to users that they collect and share information that may be “personally identifying” and obtain affirmative consent to their privacy policies.
The intended uses of the apps subject to the settlements all relate to the heart. Two of the apps claimed to measure heart rate after vigorous exercise using only a smartphone camera and sensors, while the third app claimed to enable expecting couples to hear their unborn baby’s heartbeat.
To take action against these three companies, the New York Attorney General relied on state laws prohibiting repeated fraudulent or deceptive acts in the conduct of business. Keep in mind these laws are interpreted by state courts - meaning a similar law in another state could be applied differently depending on a variety of factors such as previous cases that came before that court regarding that law or even other laws the state has enacted. If other states follow New York’s lead in bringing action against app developers, this could prove damaging for the industry, at least by virtue of the variability between each jurisdiction applying its own state laws. Interestingly, it seemed important to the New York Attorney General that the apps include disclosures indicating they had not been reviewed by the FDA.
The FDA realizes that unnecessary regulation in a burgeoning market impairs innovation and hinders patient access to valuable technologies. Recently, the FDA has taken steps to de-regulate benign mobile medical apps through its Mobile Medical App guidance and General Wellness guidance. Both guidances provided more clarity and predictability for developers that were previously flying blind without an understanding of what FDA considers when deciding how, if at all, to regulate an app.
In the 2015 Mobile Medical App guidance, the FDA states it intends to apply its regulatory oversight to only those mobile apps that are medical devices and whose functionality could pose a risk to a patient’s safety if the mobile app were not to function as intended. Further, the FDA explains it does not intend to regulate the subset of mobile apps that pose minimal risk. In the 2016 General Wellness guidance, the FDA creates a safe harbor for low risk devices with an intended use that either relates to maintaining a general state of health or relates to the role of a healthy lifestyle. Included as an example in the General Wellness guidance is the FDA’s policy not to regulate apps that make heart monitor claims relating to exercise generally.
The FDA has essentially taken the position that although certain intended use claims may rise to the level of classifying the app as a medical device due to the medical nature of those claims, the risks to health are so low that FDA is comfortable not regulating these apps at all.
While the FDA likely didn’t take any action because of its policies regarding mobile health apps, it’s less clear why the FTC held off, though the lack of Federal action may reflect the current administration’s regulatory enforcement posture. Just last year, the FTC issued guidance and an interactive tool for mobile health app developers. And as recently as December 2016, the FTC was taking action against mobile health app developers for deceptive acts or practices (including deceptive data collection practices) and disseminating false advertisements. But no FTC or FDA action on this occasion.
Mobile health app and other digital health developers should be aware of state regulators. Developers should carefully review their marketing claims regarding their apps and ensure their privacy policies clearly explain the data they collect. Based on the New York settlement, certain app developers might consider posting a clear and prominent disclaimer informing users that their app is not a medical device and not evaluated by the FDA. That said, claims made by a mobile health app developer regarding the app’s use are critical to the success of its business. Less aggressive claims may lead to avoiding FDA (and perhaps state) oversight, but this could impair the developer’s ability to market the app to its full potential. On the other hand, claims regarding the app’s medical uses could require scientific evidence and FDA review, but may pay higher dividends in terms of marketing and sales capabilities.