Trade Law Daily is a service of Warren Communications News.
'Good First Step'

FTC, HHS Privacy Tool Aimed at Health Mobile App Compliance

Mobile health app developers unsure of what federal laws and regulations they must comply with just got a little help from the FTC and other agencies. The commission announced Tuesday the release of a multiagency, interactive guidance tool that asks developers 10 high-level questions regarding an app's function, the data it collects and the services it provides. The tool then provides detailed information about laws and regulations -- including the FTC Act, the FTC's health breach notification rule, the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Food, Drug, and Cosmetic Act -- that might apply to the product.

It's a "very good first step" that will help better educate app developers about privacy and security, Lori Andrews, an Illinois Institute of Technology's Chicago-Kent College of Law professor, told us. Developers "often didn't pay attention to the fact that what they're dealing with is some of the most private information that people have in their life -- information that could cause life insurers to discriminate against them or credit card companies [to discriminate] if that information got out," she said.

In March, Andrews was part of a research team that published a study in the Journal of the American Medical Association that found that health apps carry many privacy risks. Of 211 diabetes apps that researchers identified, 81 percent lacked privacy policies. Of the remaining 19 percent -- or 41 apps -- with privacy policies, the study found that "not all of the provisions actually protected privacy." For example, it said 81 percent collected user data and 49 percent shared data, but only four policies sought permission to share data.

Morgan Reed, executive director of ACT|The App Association, called the tool a "good starting point" but said it doesn't address many key questions that connected health companies are asking. "While companies need to understand where they fit in the regulatory ecosystem, the most pressing issue is understanding how to meet those requirements," he emailed. "Once a company figures out they need to comply with HIPAA, what happens next? Is there guidance to help them determine how to craft a Business Associate Agreement (BAA)? If a company is a business associate, how do they handle health data in the cloud? Etc. That is the kind of guidance the industry needs."

Reed said the tool should help companies figure out their priorities, but they may still need to hire a HIPAA consultant or privacy lawyer to deal with specific requirements. They "won't necessarily need a lawyer to determine their place in the regulatory sphere," he said. He added that the Food and Drug Administration has provided good information about mobile medical applications, so this fits with the FDA's previous work.

Andrews said that some laws don't cover health apps. She said HIPAA covers only healthcare providers and facilities that collect and share health information. "If I'm using my app to figure out how much insulin I should give myself and putting in glucose levels, that [information] isn't going to the doctor, so no general privacy law actually covers it," she said. That data is also financially valuable for medical app companies, which can share it with pharmaceutical companies or others that can direct advertising to patients, she added.

The FTC developed the tool along with Department of Health and Human Services agencies Office of the National Coordinator for Health Information Technology, Office for Civil Rights and the FDA. The FTC also released its own guidance to help app developers comply with the FTC Act, by recommending certain privacy and security practices that should be part of the app. They include minimizing data, limiting access and permissions, implementing and testing authentication, and communicating an app's security and privacy features to users.

"As the number of mobile health products available today continues to rise, it's important to clarify for developers how FDA and other agencies' regulations would apply to their app," Bakul Patel, associate director for digital health in the FDA's Center for Devices and Radiological Health, said in the FTC release.

Reed said "the sensitivity of health data makes the impact of data loss more significant, even if the 'risks' are the same." He said his association is focusing attention on encryption, cloud storage of health data, and secure patient access. "Overall, this tool reinforces and encourages companies to create transparent privacy policies that help users and contractors better understand how their data is being used," he added.