Mobile health (“mHealth”) medical app developers, including health information technology (“HIT”) and telemedicine app developers, tend to focus on FDA requirements.  Indeed since many of these apps may be categorized as medical devices, and the FDA approval process is lengthy, developers are wise to focus on whether an app is regulated by the FDA.  But a successful developer should also build privacy protections (e.g., privacy policies) and security protections (e.g., disaster recovery) into its product from the earliest stages.  The Federal Trade Commission (“FTC”) calls this “Privacy By Design.”  “Security By Design” is the corollary.  The idea is to design the product service with privacy and security protections in place, to avoid major modifications down the road and regulatory hurdles.  Many developers say, “Of course I’ll take care of privacy and security - the data is encrypted.”  That’s great but it’s not enough.  If HIPAA applies, there are a long list of privacy and security standards to address.  If HIPAA does not apply, the FTC and other agencies may step in with their own requirements.  The goal of Privacy and Security By Design is to avoid the avoidable – a privacy or security violation or breach that slows down and even stops the success of a product on the market.  It’s competitive out there for mHealth, HIT and telemedicine app developers, and the edge is important.