Federal Trade Commission Issues Guidance for mHealth App Developers
The guidance tool, which was released on the FTC’s website on April 5, asks developers to respond to a series of high-level questions on the functionality of their apps, the data collected and the services provided to users. Based on a developer’s answers to those questions, the guidance tool funnels the user to information about relevant federal laws that might apply to the mHealth app. These include the FTC Act, the FTC’s Health Breach Notification Rule, the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Food, Drug and Cosmetics Act (FDCA). The tool also provides definitions of regulatory terms, links to further guidance and other federal agency resources.
The rapid expansion of digitized health information has contributed to the boom in the development of mobile healthcare apps. Some federal agencies that regulate the space have been criticized for failing to keep their guidance apace with the rapid growth of the mobile health industry. The web-based tool is an effort to provide industry with much sought-after guidance and clarification on the laws that apply to its innovative technologies.
While the guidance tool will likely be helpful in framing some basic issues tied to the applicability of HIPAA, it presents certain legal questions, such as “Do you create, receive, maintain or transmit identifiable health information?” and “Are you developing this app as or on behalf of a HIPAA covered entity?”, that often raise complex legal issues and require nuanced legal analysis, which mHealth app developers will still need to conduct. For example, determining when an app developer is acting “on behalf of a HIPAA covered entity” is not always clear. Earlier this year, the Department of Health and Human Services Office for Civil Rights (OCR) released its “Health App Use Scenarios & HIPAA” guidance document, which describes how HIPAA applies to mHealth app developers. For entities subject to HIPAA, the FTC’s guidance tool should be considered in conjunction with OCR’s guidance, which provides examples of when mHealth app developers act “on behalf of” covered entities (e.g., in the provision of patient monitoring services).
With respect to the FDCA, the primary purpose of the tool is to determine whether the app is a medical device over which FDA intends to exercise regulatory oversight. The interactive tool draws from the FDCA and from FDA’s Guidance for Industry and FDA Staff: Mobile Medical Applications (Feb. 9, 2015) (MMA Guidance), but also includes a risk-based criterion that is not explicit in the MMA Guidance, asking “Does your app pose ‘minimal risk’ to a user?” Here, the tool lists the types of apps over which, under the MMA Guidance, FDA has said it will exercise enforcement discretion. The inclusion of “minimal risk” as an explicit criterion for enforcement discretion is a welcome feature, as it excludes many apps from oversight without the need to apply the MMA Guidance’s definition of a mobile medical app, which includes certain concepts that can be difficult to apply.
The tool does not address the difficult question that dogs federal policy-making for mobile apps and other health information technology (IT), namely, how and by whom clinical decision support (CDS) software will be regulated. CDS encompasses software and other tools intended to provide knowledge and patient-specific information, “intelligently filtered or presented at appropriate times,” to assist in physician or patient decision-making.[1] Many apps include CDS functionality, but the MMA Guidance states that it does not apply to CDS. Although FDA stated in the draft FDA Safety and Innovation Act Health IT Report that it does not intend to regulate many types of CDS as medical devices, uncertainty is likely to remain until there is a more authoritative statement in a final report, final guidance or legislation. For the past two years, guidance on CDS has been a top priority of the FDA’s Center for Devices and Radiological Health, and legislation introduced in the House and Senate would exclude at least some CDS from FDA oversight.
Broadly speaking, developers must be cautious in relying solely on the results of the interactive survey for their legal compliance. In fact, the FTC’s website includes a disclaimer that the joint-agency guidance tool is “not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.” It remains to be seen, however, whether this sort of tool increases a do-it-yourself approach to compliance in which developers bypass legal review or whether it raises consciousness of the complexity of the area and the need to examine more specific guidance.
In conjunction with the release of the interactive guidance tool, FTC also released its own guidance aimed at mHealth app developer compliance with the FTC Act. Among other things, the guidance provides direction on how to design mHealth apps with data privacy and security in mind. For example, it recommends that developers strive to be simple, clear and direct in how they inform users about their app’s security options and privacy features. Consistent with prior guidance, it also notes that because a health app is likely collecting users’ health data — for example, dietary information or blood pressure readings — the developer should obtain users’ affirmative express consent before collecting or sharing that data. FTC clarifies that this “means you need to ask and they need to indicate ‘yes’ before you collect their data.”
The release of both the guidance tool and the FTC-specific guidance reflects coordinated efforts by federal agencies to provide meaningful guidance to the mHealth industry. Particularly for low-risk mHealth application developers, the tools should simplify the analysis of whether FDA oversight applies. But mHealth developers whose apps include CDS functionality will find little new here to tell them whether they will be regulated as medical devices. FTC’s issuance of more detailed and proscriptive guidance also signals that health privacy and security — particularly in the mHealth environment — will be an area of increased scrutiny for regulators.
[1] FDA, FTC, ONC, FDASIA Health IT Report at 26 (April 2014).
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or:
Anna L. Spencer, +1 202 736 8445
Edward R. McNicholas, +1 202 736 8010