Mobile health apps have become quite commonplace and are projected to continue rapid growth to become a $57.57 billion market by 2026. Although COVID-19 has created numerous issues for patients and healthcare providers to overcome this year, one benefit has been that stakeholders have homed in on existing technology to fast-track more mobile health solutions for improving overall patient care. Given the incredible variety within the mobile health space and the many federal and state laws that can apply to mobile health apps, it will be increasingly important for mobile health developers to identify which laws apply to their product and which business changes might place them under a different legal framework.
Three federal laws that are commonly implicated with mobile health apps are the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission (FTC) Act, and the Federal Food, Drug, and Cosmetic (FD&C) Act. Analyzing which laws apply to each application can be incredibly fact-specific, but the following are a few instructive guidelines.
HIPAA is one of the most well-known and exacting patient privacy laws, but its scope can be quite limited when it comes to mobile health apps. A threshold question for developers to consider will be whether they are creating, receiving, maintaining, or transmitting identifiable patient health information on behalf of a "covered entity" -- a health plan, healthcare clearinghouse or healthcare provider -- or on behalf of a covered entity's business associate.
If the app concerns only data that patients input and manage to help them track their own care, then HIPAA likely will not apply. However, developers should be careful because as their business grows, they may begin forming more relationships with covered entities or their business associates, which could then bring their product within the ambit of HIPAA. In particular, the federal government has been increasing its efforts to enforce HIPAA Security Rule violations, which concern the methods that covered entities and their business associates use to protect electronic patient information from improper access and disclosure. For example, if a cloud service provider (CSP) stores data for a covered entity or its business associate, the CSP must comply with the HIPAA Security Rule.
Unlike HIPAA, the FTC Act will likely apply to most mobile health developers. Developers who are not subject to HIPAA will need to ensure compliance with the FTC Health Breach Notification Rule, which requires them to appropriately notify users if their data has been breached.
The FTC Act also governs general privacy concerns, requiring businesses to have appropriate disclosures on what data they collect from users and how the developer uses that data. If the mobile health developer will run third-party advertisements on its app, the developer must know what data the third party will collect and how the data is used in order to ensure the developer can make the appropriate disclosures to its consumers.
Additionally, the FTC Act prohibits businesses from making false or misleading claims regarding their products' safety and performance. Recently, the FTC has been particularly active in this area of enforcement with regard to COVID-19 claims. The FTC requires health claims to be based on competent and reliable scientific evidence. Because there are so few scientific conclusions regarding prevention and treatment of COVID-19 as yet, COVID-19-related claims have garnered targeted attention from the FTC. To date, the FTC has sent over 300 COVID-19-related warning letters.
The FD&C Act ensures the safety and effectiveness of medical devices. Many mobile health software functions will not meet the definition of a medical device under the FD&C Act. Other mobile health apps may meet the definition but fall into a low-risk category where the Food and Drug Administration (FDA) exercises its enforcement discretion. For example, the FDA has stated that it intends to exercise enforcement discretion with functions using a checklist of common signs and symptoms to provide a list of possible medical conditions and advice on when to consult a healthcare provider, even though such a "low risk" function may meet the definition of a medical device.
The FDA has issued guidance to clarify the types of software functions that will and will not require compliance and FDA approval. The analysis of whether a mobile health app meets the definition of a medical device can be incredibly fact-specific. Developers should work with their counsel to ensure compliance as necessary.
Mobile health app usage typically spans numerous states as well, so developers must also comply with a patchwork of state privacy laws in addition to all applicable federal laws. The relevant legal framework can also change depending on the age range of the targeted users. For any mobile developer whose app or platform collects data from children under the age of 13, the developer must also comply with the Children's Online Privacy Protection Act. Given the breadth of the compliance considerations, it is more important than ever for mobile health developers to obtain counsel to ensure they meet all federal and state requirements.
Matthew Kroplin and Renee Rayne are both attorneys in the Nashville office of Burr & Forman, practicing in the firm's Health Care Practice Group. For more information, visit burr.com.