
COVID-19, Mobile Health & the Importance of Maintaining Legal Compliance in an Era of Explosive Growth

Matthew Kroplin

Renee Rayne

Mobile health apps have become quite commonplace and are projected to continue rapid growth to become a $57.57 billion market by 2026. Although COVID-19 has created numerous issues for patients and healthcare providers to overcome this year, one benefit has been that stakeholders have homed in on existing technology to fast-track more mobile health solutions for improving overall patient care. Given the incredible variety within the mobile health space and the many federal and state laws that can apply to mobile health apps, it will be increasingly important for mobile health developers to identify which laws apply to their product and which business changes might place them under a different legal framework.

Three federal laws that are commonly implicated by mobile health apps are the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission (FTC) Act, and the Federal Food, Drug and Cosmetics (FD&C) Act. Analyzing which laws apply to each application can be incredibly fact-specific, but the following are a few instructive guidelines.


HIPAA is one of the most well-known and exacting patient privacy laws, but its scope can be quite limited when it comes to mobile health apps. A threshold question for developers to consider will be whether they are creating, receiving, maintaining, or transmitting identifiable patient health information on behalf of a "covered entity" -- a health plan, healthcare clearinghouse or healthcare provider -- or on behalf of a covered entity's business associate.

If the app concerns only data that patients input and manage to help them track their own care, then HIPAA likely will not apply. However, developers should be careful because as their business grows, they may begin forming more relationships with covered entities or their business associates, which could then bring their product within the ambit of HIPAA. Specifically, the federal government has been increasing its efforts to enforce HIPAA Security Rule violations, which concern the methods that covered entities and their business associates use to protect electronic patient information from improper access and disclosure. For example, if a cloud service provider (CSP) stores data for a covered entity or its business associate, the CSP must comply with the HIPAA Security Rules.


Unlike HIPAA, the FTC Act will likely apply to most mobile health developers. Developers who are not subject to HIPAA will need to ensure compliance with the FTC Health Breach Notification Rule to appropriately notify users if their data has been breached.

The FTC Act also governs general privacy concerns, requiring businesses to have appropriate disclosures on what data they collect from users and how the developer uses that data. If the mobile health developer will run third-party advertisements on its app, the developer must know what data the third party will collect and how the data is used in order to ensure the developer can make the appropriate disclosures to its consumers.

Additionally, the FTC Act prohibits businesses from making false or misleading claims regarding their product safety and performance. Recently, the FTC has been particularly active in this area of enforcement with regard to COVID-19 claims. The FTC requires health claims to be based on competent and reliable scientific evidence. Because there are so few scientific conclusions regarding prevention and treatment of COVID-19 as of yet, COVID-19 related claims have garnered targeted attention from the FTC. To date, the FTC has sent over 300 COVID-19 related warning letters.

FD&C Act

The FD&C Act ensures the safety and effectiveness of medical devices. Many mobile health software functions will not meet the definition of a medical device under the FD&C Act. Other mobile health apps may meet the definition but fall into a low-risk category where the Food and Drug Administration (FDA) exercises its enforcement discretion. For example, the FDA has stated that it intends to exercise enforcement discretion with functions using a checklist of common signs and symptoms to provide a list of possible medical conditions and advice on when to consult a healthcare provider, even though such a "low risk" function may meet the definition of a medical device.

The FDA has issued guidance to clarify the types of software functions that will and will not require compliance and FDA approval. The analysis of whether a mobile health app meets the definition of a medical device can be incredibly fact-specific. Developers should work with their counsel to ensure compliance as necessary.

Mobile health app usage typically spans numerous states as well, so developers must also comply with a patchwork of state privacy laws in addition to all applicable federal laws. The relevant legal framework can also change depending on the age range of the targeted users. For any mobile developer whose app or platform collects data from children under the age of 13, the developer must also comply with the Children's Online Privacy Protection Act. Given the breadth of the compliance considerations, it is more important than ever for mobile health developers to obtain counsel to ensure they meet all federal and state requirements.

Matthew Kroplin and Renee Rayne are both attorneys in the Nashville office of Burr & Forman, practicing in the firm's Health Care Practice Group. For more information, visit Burr & Forman.

