FTC hopes helping health app developers will protect consumers

It should be easier for creators of health-related mobile applications (apps) to find applicable federal laws and regulations, thanks to a new interactive tool released by the Federal Trade Commission (FTC) in cooperation with HHS, the FDA, the Office for Civil Rights, and the Office of the National Coordinator for Health Information Technology (ONC). Along with the new tool, the FTC simultaneously released a best practices document for mobile health app developers, focused on privacy and information security.

Health apps

There are hundreds of thousands of mobile health apps available in the iTunes and Google Play app stores, including apps for creating tailored training plans, running, social media, and tracking food and sleep. PricewaterhouseCoopers identified health apps used as medical devices and do-it-yourself health care as top health industry issues for both 2015 and 2016. The information used by health apps may implicate a number of federal laws, including the FTC Act (15 U.S.C. §§41-58), the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191), and the federal Food, Drug, and Cosmetic Act (FDC Act) (21 U.S.C. §301 et seq.).

Interactive tool

The tool is an interactive website that asks developers a series of high-level questions about the nature of their app. The questions cover the app’s function, the data it collects, and the services it provides to users. The guidance tool then points the developer toward detailed information about applicable federal laws and regulations based on the answers. The tool defines terms like “identifiable health information,” “HIPAA covered entity,” and “personal health records provider.” Questions include the following:

  • Do you create, receive, maintain, or transmit identifiable health information?
  • Do consumers need a prescription to access your app?
  • Is your app intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease?
  • Do you offer health records directly to consumers (or do you interact with or offer services to someone who does)?

Best practices

The FTC provided mobile health app developers with best-practice guidelines for building privacy and security into apps and complying with the FTC Act. It recommends first determining whether the app actually needs to collect and retain health information, noting, “if you don’t collect data in the first place, you don’t have to go to the effort of securing it.” The best practices also suggest limiting the app’s access to consumer information it does not need, such as the mobile user’s contacts list, choosing privacy-protective default settings for users, and giving users simple, clear, and direct notice about what data is collected and stored.