Health apps need regulation; the question is, how much?

Although the health app market is exploding—with more than 165,000 health and wellness apps available for download—the apps are not necessarily achieving the goal of keeping people healthy. It is undisputed that health apps present significant promise for innovation and the integration of health and technology. However, in the current and largely unregulated health app market, innovation is outpacing oversight and, in many cases, the result is that health apps are not helpful, or, worse, are harming users. In some cases, as University of Michigan Professor Dr. Karandeep Singh put it, “It’s like having a really bad doctor.”
The potential uses for health apps are broad. Developers have designed apps for health uses from the identification of skin cancer to detection of early onset dementia. Other apps (some of which are useful and others that are fraudulent) include those that remind users to drink water, track heart rate, measure sun exposure, treat acne, test urine samples, and monitor sleep. While the level of assistance provided by a reminder to drink water is arguable, the lifesaving potential of some apps is unquestionably dramatic. For example, apps that allow continuous, remote heart rhythm monitoring can help doctors identify whether someone is having a heart attack—turning smartphones into an electrocardiogram (EKG).
A Commonwealth Fund study authored by Singh evaluated the usefulness of 1,046 patient-facing health care apps and determined that 43 percent of iOS apps and 27 percent of Android apps appeared likely to be useful. The study rated the apps on patient engagement, quality, and safety. While some apps were deemed helpful, many were not, and the worst cases alarm physicians and regulators. For example, Nathan Cortez, a medical technology law and regulation expert at Southern Methodist University’s law school in Dallas, warned, “There’s just no plausible medical way that some of these apps could work.”
There is some regulation of apps. Those that perform higher-risk functions, such as EKGs and blood glucose meters, require FDA approval before they can be marketed. In some cases, however, there are concerns that the current regulatory protections aren’t enough. Some diabetes apps, for example, don’t prompt users to call 911 if their blood sugar drops dangerously low (low enough to cause a diabetic coma) and instead reward users for entering data. This emphasis on data entry rather than treatment is common. Other apps devoted to depression and post-traumatic stress disorder ask users to log mood states but do not encourage users to contact a suicide hotline if they report feeling suicidal. The consequences can be more dire when an app reports wrong values: as Cortez cautioned, “If you’re diabetic and your app is misreading your blood glucose levels, you may give yourself more insulin than you need and go into diabetic shock.” Regulators have stopped some fraudulent app developers; in 2011, the FTC fined the developer of AcneApp, who claimed that his app could treat acne with the light from an iPhone screen.
At the same time that regulation seems necessary to prevent harm and stop fraud, there is concern that too much regulation would be worse than the status quo because it would stifle important innovation, and that innovation is increasingly significant. The Mental Indicator App (MIa), developed by Virginia Tech students, is a prime example of the pace of progress. The app seeks to replace traditional paper-based mental aptitude tests for dementia with a test that a user can administer at any time and send remotely to a physician, allowing a more comprehensive, day-to-day analysis of a patient’s mental health. The concern is that if innovation becomes too bogged down in regulation, students like MIa’s developers could be discouraged from undertaking similar groundbreaking efforts.

FTC hopes helping health app developers will protect consumers

It should be easier for creators of health-related mobile applications (apps) to find applicable federal laws and regulations, thanks to a new interactive tool released by the Federal Trade Commission (FTC) in cooperation with HHS, the FDA, the Office for Civil Rights, and the Office of the National Coordinator for Health Information Technology (ONC). Along with the new tool, the FTC simultaneously released a best practices document for mobile health app developers, focused on privacy and information security.

Health apps

There are hundreds of thousands of mobile health apps available in the iTunes and Google Play app stores, including apps for creating tailored training plans, running, social media, and tracking food and sleep. PricewaterhouseCoopers identified health apps used as medical devices and do-it-yourself health care as top health industry issues of both 2015 and 2016. The information used by health apps may implicate a number of federal laws, including the FTC Act (15 U.S.C. §§41-58), the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191), and the Federal Food, Drug, and Cosmetic Act (FDC Act) (21 U.S.C. §301 et seq.). Which of these apply depends on what the app does and what data it handles, not on whether the developer considers itself a health care company.

Interactive tool

The tool is an interactive website that asks developers a series of high-level questions about the nature of their app. The questions cover the app’s function, the data it collects, and the services it provides to users. The guidance tool then points the developer toward detailed information about applicable federal laws and regulations based on the answers. The tool defines terms like “identifiable health information,” “HIPAA covered entity,” and “personal health records provider.” Questions include the following:

  • Do you create, receive, maintain, or transmit identifiable health information?
  • Do consumers need a prescription to access your app?
  • Is your app intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease?
  • Do you offer health records directly to consumers (or do you interact with or offer services to someone who does)?

Best practices

The FTC provided mobile health app developers with guidelines on best practices for building privacy and security into apps and complying with the FTC Act. It recommends first determining whether the app needs to collect and retain health information at all, noting, “if you don’t collect data in the first place, you don’t have to go to the effort of securing it.” The best practices also suggest limiting the app’s access to consumer information it does not need, such as the mobile user’s contacts list; choosing privacy-protective default settings for users; and being simple, clear, and direct when notifying users about what data is collected and stored. Data that is never collected cannot be breached, and a permission the app never requests cannot be abused if the app is compromised; that is the practical reason the guidance leads with collection and access limits rather than with encryption.