Consider this: A 42-year-old man arrives at the emergency room showing signs of a heart attack. The ER doctors, using the patient’s activity tracker—in this case, a Fitbit® —are able to pinpoint when the patient’s normal heartrate of 70 bpm jumped up to 190 bpm. On the device’s mobile health app, the doctors are able to review a detailed heartrate graph compiled by the device’s wrist sensors.
This incredible story, where ER doctors effectively diagnosed and treated a patient using a mobile health tracker, was the focus of an article titled Interrogation of Patient Smartphone Activity Tracker to Assist Arrhythmia Management that was recently published in the peer-reviewed journal Annals of Emergency Medicine.
So if a mobile health app can save a person’s life—can it hurt as well? The Federal Trade Commission (FTC) certainly believes so.
On April 5, 2016, the FTC announced a new web-based tool for developers of health-related mobile apps, designed to help app developers navigate the tricky waters of the various laws and regulations surrounding healthcare and protection of health information.
Laws that may be implicated in the development of mobile health apps include the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), the Federal Trade Commission Act (FTC Act), and the FTC’s Health Breach Notification Rule.
Luckily, many mobile health and fitness apps are likely exempt from enforcement under these laws. According to the FTC’s Mobile Health Apps Interactive Tool, HIPAA does not apply if a mobile app does not “create, receive, maintain, or transmit identifiable health information” on behalf of a “covered entity” (or “business associate”). Additionally, the FD&C Act does not apply if an app is not “intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease.”
Similarly, the FDA will not enforce compliance with its regulatory requirements if an app poses “minimal risk” to a user. Apps that are only intended to help users self-manage their disease or condition without providing specific treatment suggestions fall into this category.
The FTC is focusing its regulatory oversight on “medical” mobile apps, as opposed to health or fitness apps. A medical app is one that is intended for use as an accessory or platform to a regulated medical device, or an app that performs sophisticated analysis or interpretation of data from another medical device.
Finally, if an app offers health records directly to consumers, or offers services to someone who does—and is not otherwise covered under HIPAA, it may be subject to the FTC’s Health Breach Notification Rule. Similar to HIPAA’s breach notification, the FTC’s Notification Rule requires entities to notify affected consumers, the FTC, and in some cases, the media following a breach of unsecured personal health information.
With the number of mobile health, fitness, and medical apps growing day by day, app developers are likely to face increased scrutiny from these government agencies.