How federal privacy laws apply to mobile health applications has been an area of significant ambiguity. Recently, the Federal Trade Commission’s (FTC), the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR), the Food and Drug Administration (FDA), and the HHS Office of the National Coordinator for Health Information Technology (ONC) joined together to provide a user-friendly web-based interactive tool to guide developers who are entering the heavily regulated mobile health industry with high-level guidance on how to navigate this complex regulatory environment. As noted by the director of the FTC Bureau of Consumer Protection, “Mobile App developers need clear information about the laws that apply to their health-related products.” In addition, the FTC released Best Practices Guidance for Mobile Health Developers to provide practical guidance for industry participants.
The FTC’s User-Friendly Legal/Regulatory Issue Spotting Tool
The tool, while published on the FTC’s website, addresses the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), the Federal Trade Commission Act (FTC Act), and the FTC’s Health Breach Notification rule. The tool is a decision tree to help developers get a preliminary understanding of whether and how these laws apply to them. By asking questions about the company itself, the application’s clients and audience, whether the application stores identifiable data and the application’s interaction with the health care industry and patients, the tool focuses on the relevant legal hurdles. Along with the decision tree, the tool includes a glossary that provides relevant definitions along with helpful links to expansive source materials.
The FTC’s Best Practices Guidance
The FTC guidance describes business practices for mobile health developers. Overall, the guidance reiterates many industry best practices such as:
- Only maintaining de-identified data unless identifiable information is absolutely necessary;
- Engaging third parties who are contractually bound to implement and follow through with data security measures; and
- Adding processes to thwart hacker access to client information such as adding salt (random data to hash passwords) to account information storage.
If developers are unfamiliar with these industry practices, the guidance even provides links to data security resources for developers from independent and government sources. The guidance further emphasizes minimizing data sharing and storage, maximizing data security for stored information, and instituting processes and points of contact on each workforce team to manage data retention and security.
The health industry is heavily regulated. In a world where direct-to-consumer technology and business-to-business enterprise solutions are rapidly growing, the regulatory barriers can sometimes thwart innovation that can revolutionize the sector. The web-based tool notes, “It’s not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.” Mobile health developers should seek out legal advice regarding the complete regulatory landscape early on. By carefully addressing compliance issues before bringing a product to market, developers can ensure that legal issues do not hamper the product’s launch or distract from its real mission: to help patients, providers, and payors be better and do better.