Health apps need regulation, the question is, how much?

Although the health app market is exploding—with more than 165,000 health and wellness apps available for download—the apps are not necessarily achieving the goal of keeping people healthy. It is undisputed that health apps present significant promise for innovation and the integration of health and technology. However, in the current and largely unregulated health app market, innovation is outpacing oversight and, in many cases, the result is that health apps are not helpful, or, worse, are harming users. In some cases, as University of Michigan Professor Dr. Karandeep Singh put it, “It’s like having a really bad doctor.”


The potential uses for health apps are broad. Developers have designed apps for health uses from the identification of skin cancer to detection of early onset dementia. Other apps (some of which are useful and others that are fraudulent) include those that remind users to drink water, track heart rate, measure sun exposure, treat acne, test urine samples, and monitor sleep. While the level of assistance provided by a reminder to drink water is arguable, the lifesaving potential of some apps is unquestionably dramatic. For example, apps that allow continuous, remote heart rhythm monitoring can help doctors identify whether someone is having a heart attack—turning smartphones into an electrocardiogram (EKG).


A Commonwealth Fund study authored by Singh evaluating the usefulness of 1046 health care related and patient-facing apps determined that 43 percent of iOS apps and 27 percent of Android apps appeared likely to be useful. The study evaluated the apps for usefulness in terms of patient engagement, quality, and safety. While some apps were deemed helpful, many were not. In the worst cases, physicians and regulators are alarmed. For example, Nathan Cortez, a medical technology law and regulation expert at Southern Methodist University’s law school in Dallas, warned, “There’s just no plausible medical way that some of these apps could work.”


There is some regulation of apps. For example, those that perform higher-risk functions—EKGs and blood glucose measurers—require FDA approval before they can be marketed. However, in some cases, there are concerns that the current regulatory protections aren’t enough. Some diabetes apps, for example, don’t prompt users to call 911 if their blood sugar drops dangerously low (low enough to cause a diabetic coma) and instead reward users for entering data. The emphasis on data entry as opposed to treatment is common. Other apps devoted to depression and post-traumatic stress disorder ask users to log mood states but do not take steps to encourage users to access a suicide hotline if they report feeling suicidal. Or, in more dire cases, for example, Cortez cautioned, “If you’re diabetic and your app is misreading your blood glucose levels, you may give yourself more insulin than you need and go into diabetic shock.” Regulators have stopped some fraudulent app developers—in 2011, the FTC fined the developer of AcneApp who claimed that his app could treat acne with the light from an iPhone screen.


At the same time that regulation seems necessary to prevent harm and stop fraud, there is concern that too much regulation would be worse than the status quo because it would stifle important innovation, and the innovation is increasingly significant. The Mental Indicator App (MIa), developed by Virginia Tech students, is a prime example of the pace of progress. The app seeks to replace traditional paper-based mental aptitude tests for dementia with a test that can be administered by a user, anytime, and be remotely sent to a physician to allow a more comprehensive, day-to-day analysis of a patient’s mental health. The concern is that if innovation becomes too bogged down in regulation, students like MIa’s developers could be discouraged from undertaking similar groundbreaking efforts.

Problems keep growing for bone graft device manufacturer

A popular—and frequently litigated—implantable medical device has come under congressional scrutiny after allegations of data suppression arose. Medtronic manufactures and markets the Infuse® Bone Graft/LT-Cage® Lumbar Tapered Fusion Device and the Infuse Bone Graft, a two-part product, for joint surgeries. The Minneapolis Star Tribune released a special report on April 10, 2016, raising allegations that the company failed to disclose important safety information from a study that was shut down without explanation.

How does it work?

Infuse contains a bioactive solution that is mixed with water right in the operating room. This solution is an engineered version of the bone morphogenetic protein (BMP), which causes bone formation. Prior to using the engineered BMP, patients with certain issues like degenerative disc disease were forced to undergo multiple surgeries so that a bone graft could be created from living bone in the hip. Infuse’s solution is inserted into a titanium case that is placed between vertebrae.

Secret data?

Medtronic hoped that the Infuse device would be approved for different types of surgeries, broadening its application in the lucrative field of spinal surgeries. Doctors who performed surgeries using the device reported adverse events, and Medtronic reviewed the records of 3,600 patients. Over 1,000 issues were reported, from minor problems to four patient deaths. Medtronic shut down the study without providing data about it to the FDA. Medical device manufacturers are required to report injuries that are possibly related to their products within 30 days of learning of them.

Executives told the Star Tribune that the data was not purposely hidden. They claim that the adverse events database was internally misfiled and discovered five years later, then reported to the FDA. Medtronic maintains that its procedures have been improved and that no patients were harmed by the failure to report.

Some concerns have been raised regarding the specific type of BMP used, rhBMP-2. Some critics believed that not enough was known about the safety of the compound, and pointed out that doctors might use it in a way that has not been adequately evaluated for safety. After Infuse was approved for fusion of bones in the lower spine in a procedure performed through the patient’s stomach, surgeons began using the product in different ways. Some fused bones in the neck, some fused more than two bones, and some approached the surgery from the back. The Star Tribune reported that between 2003 and 2007, at least 85 percent of the BMP surgeries performed in the U.S. were for uses not reviewed for safety and effectiveness.

Medtronic’s response, Senate attention

Medtronic responded to the Star Tribune’s article, vehemently maintaining that the article made false insinuations and left out important information. The company stated that the Star Tribune left out a large amount of the information in the “extensive account of what transpired.” Medtronic defended its actions, stating that the data was immediately assessed and reported when it was discovered five years later, and emphasized that patient safety is a priority.

The matter caught Senator Al Franken’s (D-Minn) eye, and he asked both Medtronic and FDA Commissioner Dr. Robert Califf to provide detailed information about the injuries that were allegedly covered up. He also requested an explanation about the correlation between injuries and approved versus unapproved uses, and asked if the rate of injury was consistent with other data. He also suggested that medical device surveillance should be strengthened to ensure patient safety.


Issues with Infuse are nothing new to the world of medical device litigation. In 2014, the company settled 950 lawsuits for $22 million. Another suit was filed in June 2015, which specifically alleged that Medtronic marketed the product for use in types of surgeries that were not previously researched. Humana even filed a suit against Medtronic for federal racketeering, claiming that Medtronic reportedly conspired with physicians to promote off-label uses for the device.

FTC hopes helping health app developers will protect consumers

It should be easier for creators of health-related mobile applications (apps) to find applicable federal laws and regulations, thanks to a new interactive tool released by the Federal Trade Commission (FTC) in cooperation with HHS, the FDA, the Office for Civil Rights, and the Office of the National Coordinator for Health Information Technology (ONC). Along with the new tool, the FTC simultaneously released a best practices document for mobile health app developers, focused on privacy and information security.

Health apps

There are hundreds of thousands of mobile health apps available in the iTunes and Google Play app stores, including apps for creating tailored training plans, running, social media, and tracking food and sleep. PricewaterhouseCoopers identified health apps used as medical devices and do-it-yourself health care as top health industry issues of both 2015 and 2016. The information used by health apps may implicate a number of federal laws, including the FTC Act (15 U.S.C. §§41-58), the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191), and the federal Food, Drug and Cosmetics Act (FDC Act) (21 U.S.C. §301 et seq.).

Interactive tool

The tool is an interactive website that asks developers a series of high-level questions about the nature of their app. The questions cover the app’s function, the data it collects, and the services it provides to users. The guidance tool then points the developer toward detailed information about applicable federal laws and regulations based on the answers. The tool defines terms like “identifiable health information,” “HIPAA covered entity,” and “personal health records provider.” Questions include the following:

  • Do you create, receive, maintain, or transmit identifiable health information?
  • Do consumers need a prescription to access your app?
  • Is your app intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease?
  • Do you offer health records directly to consumers (or do you interact with or offer services to someone who does)?

Best practices

The FTC provided mobile health app developers with guidelines on best practices to build privacy and security into apps and comply with the FTC Act. It recommends determining whether the app needs to collect and retain health information, noting, “if you don’t collect data in the first place, you don’t have to go to the effort of securing it.” The best practices also suggest limiting the app’s access to unnecessary consumer information, such as the mobile user’s contacts list, choosing privacy-protective default settings for users, and making sure to be simple, clear, and direct in communicating notice to users about the data collected and stored.

FTC to UV ‘disinfectant’ device consumers: The check is in the mail

The Federal Trade Commission (FTC) will mail out refund checks to consumers who purchased Nano-UV™ “disinfectant” devices from Zadro Health Solutions, Inc., (Zadro). The partial refund checks, which total almost $210,000, are the result of a settlement with Zadro announced in August of 2015. Pursuant to the settlement, the company agreed to stop making false and unsubstantiated claims about the device’s UV lights and its ability to kill certain bacteria including E. coli, Salmonella, and the swine flu virus.

The device

Previously, Zadro claimed, in advertisements on its website as well as on other national retailer websites and catalogues, that the device would “safely kill 99.99 [percent] of targeted bacteria—E. coli, Salmonella, and the H1N1 (swine flu)—in 10 seconds.” The company also alleged in those advertisements that the device’s “specifically designed Disinfecting Wands have been proven to eliminate 99.99 [percent] of targeted germs and viruses in as little as 10 seconds.” The packaging of the device, which retailed for between $59.99 and $159.99, also claimed that it was proven effective at killing germs on surfaces in places such as food preparation areas, nurseries, in footwear, shower floors, public restrooms, and clinics.

FTC settlement

In August 2015, the FTC filed separate suits against Zadro’s subsidiary, Angel Sales, Inc., which marketed the Nano-UV device as well as another Zadro device, alleging false and unsubstantiated advertising. Subsequently, Zadro agreed to enter into a settlement agreement with the agency. Pursuant to that settlement, Zadro was prohibited from making false or unsubstantiated claims for any device regarding its disinfectant efficacy and from making any claims about health benefits, performance, or efficacy of any product unless it is truthful and not misleading. Judgments of $656,423 and $629,359 were imposed on Zadro individually and as the parent company of Angel Sales (see UV ‘disinfectant’ device marketers see the light, stop false advertising, Health Law Daily, August 21, 2015).

Fine print

The FTC warned consumers who would be receiving refund checks that “these are legitimate refund checks that must be cashed within 60 days of the date they are issued, or they will become void.” The checks will be mailed from Rust Consulting, Inc., the redress administrator for the matter, and will average $96.50. The refunds were mailed to consumers who were identified in company records. While the FTC cannot guarantee additional refunds, it advised that the device consumers may still file complaints with the FTC and recommended that questions be directed to its hotline on this issue (1-866-683-8516).