Mobile Health Apps – which U.S. federal laws may apply?
Mobile Health Apps – which U.S. federal laws may apply?
The Federal Trade Commission (FTC) has published on its web site an interactive tool that helps mobile health apps manufacturer to navigate laws and rules that may apply to their app. Privacy and security are important considerations for any app—and especially apps that collect and share consumers’ health information. As you design, market, and distribute your mobile health app, think about which U.S. federal laws may apply. Check out this interactive tool to help you navigate laws and rules that may apply to you or your app.
Who Should Use this Tool?
This tool is for anyone developing a mobile app that will access, collect, share, use, or maintain information related to an individual consumer’s health, such as information related to diagnosis, treatment, fitness, wellness, or addiction. Here are some examples:
- Apps that help consumers track or monitor fitness or activity, diet, mood, sleep, menstruation or fertility, smoking or alcohol consumption, or medications
- Apps that help consumers view, use, or share their medical records or health insurance claims data or otherwise access information from their doctor, health care clinic, or health plan
- Apps that sync with health platforms or internet-connected devices, like a fitness tracker, sleep monitor, blood pressure monitor, or a watch that records activity or heart rate
- Apps that diagnose or treat a disease or health condition, or record information that might be relevant to diagnosis or treatment
If your app relates to health information in these (or other) ways, you’re in the right place. This tool is meant to help you figure out the federal regulatory, privacy, and security laws and regulations that may apply. (Hint: More than one may apply.)
An important caveat: This tool is not offering legal advice and is provided for informational purposes only. Using this tool isn’t required by federal law and can’t guarantee compliance with applicable federal requirements. Instead, it’s meant to give you a snapshot of potential compliance obligations and point you to educational materials and best practices for delivering safe, accurate services while safeguarding the privacy and security of consumer information.
What Are the Relevant Federal Laws and Regulations?
Health Insurance Portability and Accountability Act (HIPAA) Rules
The HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) protect the privacy and security of most individually identifiable health information held by health plans, most health care providers, and health care clearinghouses (these groups are called “covered entities”). Such information is referred to as protected health information, or PHI. In addition, the HIPAA Rules apply to people or companies who create, receive, maintain, or transmit health information for, or provide certain services to a covered entity (those groups are called “business associates”). The HIPAA Rules also require these entities to provide notifications of any breaches of health information. The Office for Civil Rights (OCR) within the U.S. Department of Health & Human Services (HHS) enforces the HIPAA Rules. Importantly, the HIPAA Rules do notapply to health information maintained by anyone who isn’t a covered entity or business associate. For example, the HIPAA Rules likely wouldn’t apply to consumer health information maintained in an app that isn’t offered by a HIPAA covered entity or its business associate, even if the health information originated from a covered entity or business associate.
If health information is not protected by the HIPAA Rules, does this mean that there are no federally required protections for the information? No! Other federal laws likely apply. For example, the Federal Trade Commission (“FTC”) Act applies to most app developers. So, there’s a good chance the FTC Act will require you, among other things, to have reasonable privacy and security practices in place. More on that later.
For additional information and helpful resources about the HIPAA Rules, please visit OCR’s health information privacy page at https://www.hhs.gov/hipaa/index.html.
Federal Food, Drug, and Cosmetic Act (FD&C Act)
The Food and Drug Administration (FDA) enforces the FD&C Act, which among other things regulates the safety and effectiveness of medical devices, including certain mobile medical apps. The FDA focuses its regulatory oversight of digital health devices on a subset of mobile health apps that could pose a risk to consumers if they don’t work as intended. The FDA considers a software function to be a medical device, and subject to FDA device regulation, if it meets the definition of device in section 201(h) of the FD&C Act. When a software function is intended for use in the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the human body, the software function is a device under section 201(h) of the FD&C Act, if it is not a software function excluded from the device definition by the 21st Century Cures Act. FDA’s Digital Health Policy Navigator may be referenced to help in determining whether your product’s software functions are potentially the focus of the FDA’s oversight.
21st Century Cures Act & ONC Information Blocking Regulations
The HHS Office of the National Coordinator for Health Information Technology (ONC) issued regulations in response to the 21st Century Cures Act’s prohibition of “information blocking.” ONC also maintains a program for the voluntary certification of health IT that meets certain technical requirements to support health care providers’ needs for interoperable health IT.
ONC’s Information Blocking regulations apply to practices likely to interfere with access, exchange, or use of electronic health information (EHI) and define certain exceptions to the definition of information blocking. When a health care provider, health IT developer of certified health IT, or health information network or health information exchange engages in any practice that is not required by law or covered by a regulatory exception, has the requisite knowledge about that practice, and that practice is likely to interfere with access, exchange, or use of EHI, that practice could be information blocking.
Importantly, the Information Blocking regulations function in complement with other laws, such as HIPAA and state laws, that protect the privacy and security of patients’ health information. The Information Blocking regulations do not require or excuse violation of other laws.
The Information Blocking regulations include specific exceptions for reasonable and necessary practices that protect the privacy and security of patients’ EHI. Privacy- and security-protective practices that meet these exceptions’ conditions will not be considered information blocking.
If a developer chooses to certify health IT through the voluntary ONC Health IT Certification Program, that health IT must meet specific privacy and security requirements. These requirements include implementing appropriate privacy and security safeguards (certification criteria) and making certain publicly available statements (“attestations”) that ensure transparency about certain privacy and security features of the certified technology.
For additional information and helpful resources about the Information Blocking regulations or the voluntary certification of health IT, please visit ONC’s HealthIT.gov website.
Federal Trade Commission Act (FTC Act)
The FTC enforces Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce, including those relating to the privacy and security of personal information that apps collect, use, maintain, or share, as well as the safety or performance that apps provide. Section 12 of the FTC Act prohibits false advertisements for food, drugs, devices, cosmetics, or services in or affecting commerce.
The FTC Act applies to most app developers – including developers of health apps. For example, if you develop an app and share consumers’ health information with third parties after telling or implying to consumers that their information will be kept private, you could be violating the FTC Act. Also, if you certify through the voluntary ONC Health IT Certification Program and make certain transparency attestations about your app’s privacy or security features and then don’t live up to those promises, the FTC could bring an enforcement action against you.
FTC’s Health Breach Notification Rule
The FTC’s Health Breach Notification Rule requires entities covered by the Rule to provide notifications to consumers, the FTC, and, in some cases, the media, following certain breaches of personal health record information. The FTC’s Health Breach Notification Rule applies to most health apps that aren’t covered by HIPAA because most developers of health apps are acting as “health care providers” by furnishing health care services or supplies – in this case, apps – to consumers. (That definition of “health care provider” comes from 42 U.S.C. § 1320d, which is referenced in Section 318.2(e) of the FTC’s Rule.) If your app experiences a breach—that is, any incidents of unauthorized access, including sharing of identifying health information, without consumers’ authorization—you are likely required to notify consumers, the FTC, and, in some cases, the media. If you don’t provide that notice, you could face an FTC enforcement action seeking hefty civil penalties.
Children’s Online Privacy Protection Act (COPPA)
The FTC enforces the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule, which give parents control over the information that operators of websites and online services can collect from children. COPPA applies to the operator of any commercial website or online service (including a mobile app) that is directed to children under 13 or where the operator has actual knowledge that it collects, uses, or discloses personal information from children under 13. Before collecting children’s personal information – that includes online contact information, persistent identifiers, photos, video, audio, and geolocation information – COPPA requires the operator to (among other things) give parents notice of what personal information the operator is collecting from children and to get the parent’s verifiable consent. COPPA also requires that operators establish and maintain reasonable procedures for protecting the confidentiality, security, and integrity of children’s personal information.
Which Federal Laws and Regulations May Apply?
Check out the interactive tool to help you navigate laws and rules that may apply to you or your app. Please find the interactive tool here.
Topics: #healthcare #lifeSciences #medicaldevices #medtech #medicaltechnology #MedSysCon #FDA # MobileHealthApps #FederalLaws # COPPA #FTCAct #HIPAA
For further information please get in touch with us: