Compliance Laws for Mobile Health Apps

Anyone who is developing or using mobile health applications needs to understand the laws that regulate these products. Generally, mobile software is regulated by the FDA, the Federal Trade Commission (FTC), and/or the Office of Civil Rights (OCR).

A few of the many federal laws that regulate mobile health applications (and that we’ve discussed in other articles) include the following, according to the Federal Trade Commission:

  • Federal Food, Drug, and Cosmetic Act (FD&C Act). This law is enforced by the FDA. The law “regulates the safety and effectiveness of medical devices, including certain mobile medical apps. The FDA focuses its regulatory oversight on a small subset of health apps that pose a higher risk if they don’t work as intended.”
  • Federal Trade Commission Act (FTC Act). The FTC enforces this law “which prohibits deceptive or unfair acts or practices,” including “false or misleading claims about apps’ safety or performance.”
  • FTC’s Health Breach Notification Rule. This FTC rule “requires certain businesses to provide notifications following breaches of personal health record information.”

An Interactive Compliance Tool

The FTC has an interactive tool to help developers and medical practices think through the laws that apply. The best course of action is to review the development and use of mobile apps with our experienced healthcare attorneys. The tool consists of the following yes-or-no questions.

  1. Do you create, receive, maintain, or transmit identifiable health information?
    • If the answer is yes – then go to question 2 to determine if HIPAA applies.
    • If the answer is no – then jump to question 5 to determine if the FD&C Act applies.
  2. Are you a health care provider or health plan?
    • If the answer is yes – then you are probably required to comply with HIPAA. Continue with question 5 to determine if the FD&C Act applies.
    • If the answer is no – see question 3.
  3. Do consumers need a prescription to access your app?
    • If the answer is yes, you may be required to comply with HIPAA because you may qualify as a health care provider (one of the types of HIPAA-covered entities).
    • If the answer is no, then go to question 5.
  4. Are you developing this app on behalf of a HIPAA-covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)?
    • If the answer is yes, “you likely are a HIPAA business associate, subject to the HIPAA Security Rule and specific provisions of the HIPAA Privacy and Breach Notification Rules.” Proceed to question 5 to answer other questions.
    • If the answer is no, then go to question 5.
  5. Is your app intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease?
  6. Does your app pose “minimal risk” to a user? According to the FDA, “minimal risk” apps are those that are only intended for one or more of the following:
    • “Helping users self-manage their disease or condition without providing specific treatment suggestions
    • Providing users with simple tools to organize and track their health information
    • Providing easy access to information related to health conditions or treatments
    • Helping users document, show, or communicate potential medical conditions to health care providers
    • Automating simple tasks for health care providers
    • Enabling users or providers to interact with Personal Health Records (PHR) or Electronic Health Record (EHR) systems
    • Transferring, storing, converting format or displaying medical device data, as defined by the FDA’s Medical Device Data Systems regulations.”
    • If yes, the “FDA considers your app to be of minimal risk, and does not intend to enforce compliance with its regulatory requirements.” Go to question 8.
    • If no, then the FDA does not consider your app to be of minimal risk. Go to question 7 to see if the FDA intends to apply its regulatory oversight.
  7. Is your app a “mobile medical app”? A “mobile medical app” is one that is intended for any of the following:
    • “Use as an accessory to a regulated medical device (for example, an app that alters the function or settings of an infusion pump)
    • Transforming a mobile platform into a regulated medical device (for example, an app that uses an attachment to the mobile platform to measure blood glucose levels)
    • Performing sophisticated analysis or interpreting data from another medical device (for example, an app that uses consumer-specific parameters and creates a dosage plan for radiation therapy)”
    • If the answer is yes, the FDA intends to apply its regulatory oversight. See question 8 to see if the FTC Act applies.

“The FDA classifies medical devices into three categories – Class I, Class II, and Class III, based on the risk the devices pose to consumers, the intended use, and indications for use.

    • “Class I devices are considered low risk and subject to the least regulatory controls.
    • Class II devices are moderate-risk devices and require greater regulatory controls to provide reasonable assurance of the device’s safety and effectiveness
    • Class III devices are generally the highest risk devices and subject to the highest level of regulatory control.”

Generally, Class II and Class III devices are evaluated for their safety and effectiveness before the devices can be sold to the public through a premarket submission process.

There are registration, listing, and fee requirements for all classes of medical devices. Mobile app manufacturers must also comply with:

  8. Are you a nonprofit organization?
    • If the answer is yes, the FTC Act likely does not apply – with some exceptions. Go to question 9.
    • If the answer is no, the FTC Act likely applies. Go to question 9.

Generally, the FTC Act requires that manufacturers and healthcare providers:

    • Can’t make misleading or deceptive statements to consumers about essential information
    • Can’t engage in practices that cause or may reasonably be expected to cause unavoidable substantial injuries to consumers – and “that do more harm than good.”

The FTC has tips for how to protect consumers’ privacy and the security of their data. The FTC also has suggestions for health benefit, safety, performance, and for ensuring that claims are truthful, substantiated, and not misleading.

  9. Are you developing this app as or on behalf of a HIPAA-covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)?
    • If the answer is yes, the FTC’s Health Breach Notification Rule does not apply. You’re done. There’s no need to answer question 10.
    • If the answer is no, answer question 10 to see if the FTC’s Health Breach Notification Rule applies.
  10. Do you offer health records directly to consumers (or do you interact with or offer services to someone who does)?

Glossary of terms

The FTC write-up on mobile health apps includes a glossary of terms. You can find definitions for the following terms on their website.

  • Identifiable health information.
  • HIPAA-covered entities.
  • Health plans.
  • Health care clearinghouses.
  • HIPAA business associate.
  • Protected health information (PHI)
  • Medical device.
  • Mobile medical app.
  • PHR provider.
  • PHR-related entity.
  • Service Provider.

Developers and physicians who design and use medical apps and medical devices can use the HHS interactive tool to help review if HIPAA, the FD&C Act, or the FTC Act applies. The tool is just a guide. Speak with an experienced digital healthcare lawyer to learn more about digital health compliance.


Developers and medical practitioners who design, use, or recommend medical devices including medical apps should contact Cohen Healthcare Law Group, PC to review what federal and state laws and regulations apply. Our experienced healthcare attorneys understand digital health law compliance.