
Updated Compliance Tool for Developers of Mobile Health Apps

Posted on January 11, 2023 in Health Information Technology, Health Law News

Published by: Hall Render

On December 7, 2022, the Federal Trade Commission (“FTC”) in conjunction with the U.S. Department of Health & Human Services (“HHS”) updated the Mobile Health App Interactive Tool (the “Tool”) to include new questions and new use cases. The Tool is a result of collaborative efforts between the FTC, HHS Office for Civil Rights (“OCR”), HHS Office of the National Coordinator for Health Information Technology (“ONC”) and the Food and Drug Administration (“FDA”). The updated Tool signals the continued interest that federal agencies have in regulating digital health technologies, including mobile health apps.

Regulatory Landscape

The Tool presents developers of mobile health apps with a series of questions to help them understand which federal laws and regulations may apply. These include questions about who the app provider is and what technology it supplies; the purpose of the app; the intended users and the information involved; potential risks to patients; and relationships to prescriptions, to entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and to device software functions under FDA oversight.

Based on their responses to the questions in the Tool, developers may be directed to several federal laws and regulations:

  • HIPAA – If an app is offered by a covered entity or business associate subject to HIPAA, the app and the individually identifiable health information maintained in the app may be subject to the privacy and security regulations under HIPAA.
  • Federal Food, Drug, and Cosmetic (“FD&C”) Act – If an app includes a software function that meets the definition of a medical device under section 201(h) of the FD&C Act, the app may be subject to regulatory oversight by the FDA. Just a few months ago, the FDA released final guidance that clarifies the factors the agency uses to determine whether a software function is subject to its regulatory oversight.
  • ONC’s Information Blocking Regulations – If an app developer certifies its technology through the ONC’s Health IT Certification Program, the app is subject to the ONC’s information blocking rules which prohibit “practices likely to interfere with access, exchange, or use of electronic health information” unless an exception applies.
  • Federal Trade Commission Act (“FTC Act”) – The FTC Act prohibits unfair or deceptive acts and practices and false advertisements in offering consumer products, including mobile health apps. In the context of mobile health apps, the FTC’s enforcement of the FTC Act has been seen where a developer shared health information collected through the app with third parties despite promising its users that it would not do so.
  • FTC’s Health Breach Notification Rule – The FTC’s Health Breach Notification Rule requires a vendor of a personal health record (“PHR”), a PHR-related entity and their third-party service providers to provide notifications to consumers, the FTC, and, in some cases, the media, following a breach of personal health record information. The Health Breach Notification Rule applies only to organizations not subject to HIPAA and is triggered when there is unsecured, individually identifiable information in a PHR. Note that if a covered entity has designated itself a hybrid entity and performs non-covered functions through a mobile app within that hybrid entity, the Health Breach Notification Rule may apply to the information maintained in that mobile app.
  • Children’s Online Privacy Protection Act (“COPPA”) – COPPA applies to operators of commercial websites and online services that collect, use or disclose personal information from children under the age of 13, or on whose behalf such information is collected. Parents of children whose personal information will be collected have certain rights under COPPA. FTC enforcement of COPPA has been seen in the context of mobile apps where the developer fails to implement mechanisms to prevent children under the age of 13 from bypassing age restrictions.

The Tool does not present a comprehensive list of laws and regulations that may apply to mobile health apps. Among other issues, developers and providers of mobile health apps should consider the following:

  • Reimbursement – An increasing number of health care payors are reimbursing for certain digital health technology services. For example, reimbursement under Medicare and Medicaid for certain telemedicine services was significantly increased due to the COVID-19 pandemic. As payor coverage expands for certain telemedicine services and technology, app and digital health technology developers will need to do their due diligence in determining coverage and reimbursement under federal and state health care programs and be cognizant of any fraud and abuse laws that apply under the various programs.
  • State law – App developers should also be mindful of the numerous state laws that may apply to the provision of health services through their apps. For instance, many states have privacy and data protection laws that apply to mobile health apps. California has the California Online Privacy Protection Act (“CalOPPA”) and the California Consumer Privacy Act (“CCPA”) aimed at enhancing privacy rights and consumer protection for California residents. CalOPPA requires operators of commercial websites or online services to post a privacy policy and the CCPA gives California residents enumerated rights with respect to their personal data. Other states that have enacted comprehensive consumer privacy laws include Virginia, Colorado, Utah and Connecticut.
  • GDPR – The General Data Protection Regulation (“GDPR”) is the European Union’s set of data protection laws aimed at protecting the privacy and security of personal information of individuals. App developers with global operations will be familiar with their obligations under GDPR, but by its terms, GDPR’s scope is not limited to organizations with operations in the European Union.

Other Resources

The Tool is part of a larger suite of resources maintained by HHS for mobile health app developers, including:

  • Health App Use Scenarios & HIPAA – This guidance details various use scenarios for mHealth applications and explains when an app developer may be acting as a business associate under the HIPAA Rules.
  • Access Right, Apps, and APIs – FAQs about how the HIPAA Rules apply to covered entities and their business associates with respect to the right of access, apps and application programming interfaces.
  • Health Information Technology – FAQs on HIPAA and health IT.
  • Guidance on HIPAA & Cloud Computing – OCR developed guidance to assist HIPAA-covered entities and business associates, including cloud services providers, in understanding how they can use cloud computing technologies while complying with their HIPAA obligations.

In light of OCR’s recent Bulletin on the use of tracking technologies, HIPAA-regulated entities should also determine whether the use of tracking technology in their mobile app implicates HIPAA’s rules. OCR’s position is that all individually identifiable health information collected on a HIPAA-regulated entity’s mobile app is generally PHI, and that if the tracking technology vendor meets the definition of a business associate under HIPAA, the parties must enter into a HIPAA-compliant business associate agreement.

The FDA has also published guidance on its enforcement discretion on low-risk devices and how it determines whether a general wellness product (such as an app) is not a medical device, or is a medical device but not subject to regulatory oversight because it is low-risk. A product is a general wellness product if it: (1) is intended for only general wellness use; and (2) presents a low risk to the safety of users and other persons.

Practical Takeaways

  • The Tool is a great starting point for developers of mobile health apps to learn about potential federal laws and regulations that may apply to them and their apps, but it is only a starting point. In addition to covering only a small number of potentially applicable laws, the FTC and HHS emphasize that it is not intended to supplant legal advice.
  • As the regulatory landscape for mobile health apps continues to evolve, app developers will have to keep in mind the novelty of their products, the information they collect and the ever-changing legal framework that may apply.
  • Whether an app is considered a low-risk device or if it implicates FDA application or submission requirements will continue to require careful judgment.


Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.