
COVID-19, Mobile Health & the Importance of Maintaining Legal Compliance in an Era of Explosive Growth

Matthew Kroplin

Renee Rayne

Mobile health apps have become quite commonplace and are projected to continue rapid growth to become a $57.57 billion market by 2026. Although COVID-19 has created numerous issues for patients and healthcare providers to overcome this year, one benefit has been that stakeholders have homed in on existing technology to fast track more mobile health solutions for improving overall patient care. Given the incredible variety within the mobile health space and the many federal and state laws that can apply to mobile health apps, it will be increasingly important for mobile health developers to identify which laws apply to their product and which business changes might place them under a different legal framework.

Three federal laws that are commonly implicated by mobile health apps are the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission (FTC) Act, and the Federal Food, Drug, and Cosmetic (FD&C) Act. Analyzing which laws apply to a given application can be highly fact specific, but the following are a few instructive guidelines.

HIPAA

HIPAA is one of the most well-known and exacting patient privacy laws, but its scope can be quite limited when it comes to mobile health apps. A threshold question for developers to consider is whether they are creating, receiving, maintaining, or transmitting identifiable patient health information on behalf of a "covered entity" -- a health plan, healthcare clearinghouse or healthcare provider -- or on behalf of a covered entity's business associate.

If the app concerns only data that patients input and manage to help them track their own care, then HIPAA likely will not apply. However, developers should be careful because as their business grows, they may begin forming more relationships with covered entities or their business associates, which could then bring their product within the ambit of HIPAA. In particular, the federal government has been increasing its efforts to enforce violations of the HIPAA Security Rule, which governs the methods that covered entities and their business associates use to protect electronic patient information from improper access and disclosure. For example, if a cloud service provider (CSP) stores data for a covered entity or its business associate, the CSP must comply with the HIPAA Security Rule.

FTC Act

Unlike HIPAA, the FTC Act will likely apply to most mobile health developers. Developers who are not subject to HIPAA will need to ensure compliance with the FTC Health Breach Notification Rule so that users are appropriately notified if their data has been breached.

The FTC Act also governs general privacy concerns, requiring businesses to make appropriate disclosures about what data they collect from users and how the developer uses that data. If a mobile health developer will run third-party advertisements in its app, the developer must know what data the third party will collect and how that data is used, so that the developer can make the appropriate disclosures to its consumers.

Additionally, the FTC Act prohibits businesses from making false or misleading claims regarding their products' safety and performance. Recently, the FTC has been particularly active in this area of enforcement with regard to COVID-19 claims. The FTC requires health claims to be based on competent and reliable scientific evidence. Because there are so far few scientific conclusions regarding prevention and treatment of COVID-19, COVID-19 related claims have garnered targeted attention from the FTC. To date, the FTC has sent over 300 COVID-19 related warning letters.

FD&C Act

The FD&C Act ensures the safety and effectiveness of medical devices. Many mobile health software functions will not meet the definition of a medical device under the FD&C Act. Other mobile health apps may meet the definition but fall into a low-risk category where the Food and Drug Administration (FDA) exercises its enforcement discretion. For example, the FDA has stated that it intends to exercise enforcement discretion for functions that use a checklist of common signs and symptoms to provide a list of possible medical conditions and advice on when to consult a healthcare provider, even though such a "low risk" function may meet the definition of a medical device.

The FDA has issued guidance clarifying the types of software functions that will and will not require compliance and FDA approval. Whether a mobile health app meets the definition of a medical device can be highly fact specific, and developers should work with their counsel to ensure compliance as necessary.

Mobile health app usage typically spans numerous states as well, so developers must also comply with a patchwork of state privacy laws in addition to all applicable federal laws. The relevant legal framework can also change depending on the age range of the targeted users: any mobile developer whose app or platform collects data from children under the age of 13 must also comply with the Children's Online Privacy Protection Act. Given the breadth of the compliance considerations, it is more important than ever for mobile health developers to obtain counsel to ensure they meet all federal and state requirements.

Matthew Kroplin and Renee Rayne are both attorneys in the Nashville office of Burr & Forman, practicing in the firm's Health Care Practice Group. For more information, visit Burr & Forman.

