Mobile apps are a topic of frequent discussion in the healthcare field these days. Questions include what regulatory requirements apply, whether the apps are trustworthy, whether information is kept safe and secure, and others. The question of what regulations apply in particular leaves many confused and uncertain as to what needs to be done. The government, through efforts of the Office for Civil Rights (“OCR”), the Office of the National Coordinator for Health IT (“ONC”), the Food and Drug Administration (“FDA”) and the Federal Trade Commission (“FTC”), is trying to provide guidance and resources.
One recent resource is the Mobile Health Apps Interactive Tool that was jointly developed by OCR, ONC, FDA, and FTC. The tool tries to walk interested parties through the federal laws that are most likely to govern the development and use of mobile apps. The tool covers the regulations most likely to apply to mobile apps in the healthcare realm: HIPAA, the Food, Drug & Cosmetic Act, the Federal Trade Commission Act, and the FTC’s Health Breach Notification Rule.
HIPAA has been discussed at length in many instances, but it is always a topic worth covering. HIPAA addresses the portability and accessibility of healthcare information, among other topics. Of most importance to mobile apps, HIPAA also covers the privacy and security of healthcare information. However, the application of HIPAA is driven largely by context. Healthcare information in one context will be covered by HIPAA and completely outside of HIPAA in another context. For example, healthcare information handled by a physician or other healthcare provider falls under the ambit of HIPAA. By contrast, healthcare information in an individual’s own hands or generated by the individual is not under the ambit of HIPAA. Such distinctions are extremely important when it comes to assessing a mobile health app. Being able to determine whether HIPAA applies affects how the app should be developed and how information is utilized and protected. As such, HIPAA creates layers of complexity. At the same time, HIPAA also creates a level of expectation and assurance. Does this mean that HIPAA should be followed regardless? That is a matter of much debate. As a bottom line, understanding whether HIPAA applies greatly influences the development of the app and the interactions between the app’s developer and potential users.
The FTC has the authority to regulate mobile health apps through the Federal Trade Commission Act (“FTCA”). The FTCA prohibits deceptive or misleading acts or practices. As applied to mobile health apps, this means that the app needs a valid basis for assertions made as to effectiveness or purpose. For example, any claim of producing a certain health outcome will most likely require actual scientific studies and support to carry the weight of such an assertion. No claim can be made without a basis. Further, the apps should clearly disclose how personal information can be used and/or disclosed by the app manufacturer. From this perspective, the FTCA either fills in some gaps created by HIPAA, because regulation under the FTCA is separate and apart from HIPAA, or adds a second layer on top of HIPAA that creates potential double trouble. A potential concern arising from the FTCA is the lack of “expertise” in healthcare when the FTC steps in to regulate. There is also the potential for overlap with HIPAA because the FTC could exercise its authority even over a mobile health app that falls within the ambit of HIPAA. Complying with dual regulatory requirements and agencies that are not necessarily aligned creates unexpected challenges for app developers.
Mobile health apps are also potentially subject to the jurisdiction of the FDA as a result of the Food, Drug & Cosmetic Act (“FDCA”). The FDA regulates medical devices and ensures that medical devices can actually do what they are claimed to do. It may not seem apparent that a mobile health app could be a medical device, but the definition of a medical device is very broad. A medical device is arguably anything that aids in diagnosis or treatment, or that is intended to affect the structure or function of the body, among other elements. Even if a mobile health app could be a medical device, the FDA has stated an intention to take a mostly hands-off role. As such, if a device poses a “minimal risk,” then the FDA will exercise its discretion as to regulation. Ultimately this means that mobile health apps may or may not be subject to FDA oversight, which can generate confusion. However, if it can be determined that there is only minimal or no risk, then the potential for FDA regulation will likely be significantly reduced.
As the brief description of the regulatory scheme demonstrates, mobile health apps face a fair amount of potential regulation. At the same time, many of the government agencies that could exercise oversight of mobile health apps are not settled in what they want to do. The FDA has been the most vocal in trying to take a passive role, but it is beginning to re-examine that stance. Basically, this means that the government is still feeling its way through the process and can be expected to change its mind before a firm regulatory scheme is finalized.
What does this mean for mobile health app developers? First, it is essential to fully vet a proposed application against the different sets of regulations that could be imposed. Fully understanding what could apply, and how, will better set up the developer to get to market without facing unnecessary backlash or resistance. It also means that mobile health app developers should seek assistance. Neither HIPAA, the FTCA, nor the FDCA is a straightforward law. As with all healthcare regulation, the laws are full of traps for the unwary (or uninitiated). Even though such a statement sounds like a call for work, this is definitely yet another example in healthcare where it is better to spend some money up front than to have to spend even more money later on.
Mobile health app developers are in a burgeoning field and are helping to trailblaze where that field will go. It is certainly an exciting time, but one that calls for some amount of caution. Given that the government is not entirely clear on what to do, developers should take that into account and carefully craft all elements of the app.