Compliance Laws for Mobile Health Apps

Anyone who is developing or using mobile health applications needs to understand the laws that regulate these products. Generally, mobile software is regulated by the FDA, the Federal Trade Commission (FTC), and/or the Office of Civil Rights (OCR).

A few of the many federal laws that regulate mobile health applications (and that we’ve discussed in other articles) include the following, according to the Federal Trade Commission:

• Health Insurance Portability and Accountability Act (HIPAA). HIPAA protects the privacy and security of certain health information and requires certain entities to provide notifications of health information breaches. HIPAA includes:
• • The HIPAA Privacy Rule
  • The HIPAA Security Rule
  • The HIPAA Breach Notification Rule

• Federal Food, Drug, and Cosmetic Act (FD&C Act). This law is enforced by the FDA. The law “regulates the safety and effectiveness of medical devices, including certain mobile medical apps. The FDA focuses its regulatory oversight on a small subset of health apps that pose a higher risk if they don’t work as intended. “
• Federal Trade Commission Act (FTC Act). The FTC enforces this law “which prohibits deceptive or unfair acts or practices,” including “false or misleading claims about apps’ safety or performance.”
• FTC’s Health Breach Notification Rule. This FTC rule “requires certain businesses to provide notifications following breaches of personal health record information.”

An Interactive Compliance Tool

The FTC has an interactive tool to help developers and medical practices think through the laws that apply. The best course of action is to review the development and use of mobile apps with our experienced healthcare attorneys. The tool is the following group of yes or no questions.

1. Do you create, receive, maintain, or transmit identifiable health information?

• • If the answer is yes – then go to question 2 to determine if HIPAA applies.
  • If the answer is no – then jump to question 5 to determine if the FD&C Act applies.

2. Are you a health care provider or health plan?

• • If the answer is yes – then you are probably required to comply with HIPAA. Continue with question 5 to determine if the FD&C Act applies.
  • If the answer is no – see question 3.

3. Do consumers need a prescription to access your app?

• • If the answer is yes, you may be required to comply with HIPAA because you may qualify as a health care provider (one of the types of HIPAA-covered entities).
  • If the answer is no, then go to question 5.

4. Are you developing this app on behalf of a HIPAA-covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)?

• • If the answer is yes, “you likely are a HIPAA business associate, subject to the HIPAA Security Rule and specific provisions of the HIPAA Privacy and Breach Notification Rules.” Proceed to question 5 to answer other questions.
  • If the answer is no, then go to question 5.

5. Is your app intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease?

• • If the answer is yes, your app is a medical device subject to the FD&C Act. See question 6 to determine if the FDA is likely to monitor your type of mobile health app.
  • If the answer is no, the FD&C Act does not apply. Your app is not considered a medical device and is outside of FDA purview. For examples of mobile apps that are not medical devices, see Appendix A of the FDA’s Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff [PDF]. Go to question 8, to see if the FTC Act applies.

6. Does your app pose “minimal risk” to a user? According to the FDA, “minimal risk” apps are those that are only intended for one or more of the following:

• • “Helping users self-manage their disease or condition without providing specific treatment suggestions
  • Providing users with simple tools to organize and track their health information
  • Providing easy access to information related to health conditions or treatments
  • Helping users document, show, or communicate potential medical conditions to health care providers
  • Automating simple tasks for health care providers
  • Enabling users or providers to interact with Personal Health Records (PHR) or Electronic Health Record (EHR) systems
  • Transferring, storing, converting format or displaying medical device data, as defined by the FDA’s Medical Device Data Systems regulations.”
    • If yes, the “FDA considers your app to be of minimal risk, and does not intend to enforce compliance with its regulatory requirements.” Go to Question 8.
    • If no, then the FDA does not consider your app to be of minimal risk. Go to Question 7 to see if the FDA intends to apply its regulatory oversight.

7. Is your app a “mobile medical app?” A “mobile medical app” is one that is intended for any of the following:

• • “Use as an accessory to a regulated medical device (for example, an app that alters the function or settings of an infusion pump)
  • Transforming a mobile platform into a regulated medical device (for example, an app that uses an attachment to the mobile platform to measure blood glucose levels)
  • Performing sophisticated analysis or interpreting data from another medical device (for example, an app that uses consumer-specific parameters and creates a dosage plan for radiation therapy)”
  • If the answer is yes, the FDA intends to apply its regulatory oversight. See Question 8 to see if the FTC Act applies.

“The FDA classifies medical devices into three categories  – Class I, Class II, and Class III, based on the risk the devices pose to consumers, the intended use, and indications for use.

• • “Class I devices are considered low risk and subject to the least regulatory controls.
  • Class II devices are moderate-risk devices and require greater regulatory controls to provide reasonable assurance of the device’s safety and effectiveness
  • Class III devices are generally the highest risk devices and subject to the highest level of regulatory control.”

Generally, Class II and Class III devices are evaluated for their safety and effectiveness before the devices can be sold to the public through a premarket submission process.

There are registration, listing, and fee requirements for all classes of medical devices. Mobile app manufacturers must also comply with:

• • Quality System (QS) Regulation/Medical Device Good Manufacturing Practices (“GMP”)
  • Medical Device Reporting
  • Other regulations

8. Are you a nonprofit organization?

• • If the answer is yes, the FTC Act likely does not apply – with some exceptions. Go to question 9.
  • If the answer is no, the FTC Act likely applies. Go to question 9.

Generally, the FTC Act requires that manufacturers and healthcare providers:

• • Can’t make misleading or deceptive statements to consumers about essential information
  • Can’t engage in practices that cause or may reasonably be expected to cause unavoidable substantial injuries to consumers – and “that do more harm than good.

The FTC has tips for how to protect consumers’ privacy and the security of their data. The FTC also has suggestions for health benefit, safety, performance, and for ensuring that claims are truthful, substantiated, and not misleading.

9. Are you developing this app as or on behalf of a HIPAA-covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)?

• • If the answer is yes, the FTC’s Health Breach Notification Rule does not apply. You’re done. There’s no need to answer question 10.
  • If the answer is no, answer question 10 to see if the FTC’s Health Breach Notification Rule applies.

10. Do you offer health records directly to consumers (or do you interact with or offer services to someone who does)?

• • If the answer is yes, “you may be a personal health records (PHR) provider, PHR-related entity, or service provider who must comply with the FTC’s Health Breach Notification Rule. The FTC’s rule does not apply if you are a HIPAA-covered entity or to the extent you are acting as a HIPAA business associate.”
  • If you are a PHR provider or PHR-related entity, the Health Breach Notification Rule requires that you notify affected consumers, the FTC, and in some cases, the media following a breach of unsecured personal health information. Service providers to PHR providers and PHR-related entities must notify these PHR providers and PHR-related entities.
  • If you are not a PHR provider, the FTC’s Health Breach Notification Rule does not apply.

Glossary of terms

The FTC write-up on mobile health-apps includes a glossary of terms. You can find definitions for the following terms on their website.

• Identifiable health information.
• HIPAA-covered entities.
• Health plans.
• Health care clearinghouses.
• HIPAA business associate.
• Protected health information (PHI)
• Medical device.
• Mobile medical app.
• PHR provider.
• PHR-related entity.
• Service Provider.

Developers and physicians who design and use medical apps and medical devices can use the HHS interactive tool to help review if HIPAA, the FD&C Act, or the FTC Act applies. The tool is just a guide. Speak with an experienced digital healthcare lawyer to learn more about digital health compliance.

Developers and medical practitioners who design, use, or recommend medical devices including medical apps should contact Cohen Healthcare Law Group, PC to  review what federal and state laws and regulations apply. Our experienced healthcare attorneys understand digital health law compliance.