Mobile health apps is a broad term encompassing various health-related applications designed to be used on mobile devices such as smartphones and tablets. Several laws regulate these mobile apps and how they are used.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
If a mobile app is developed or offered by a covered entity or business associate and collects, stores, or transmits protected health information (PHI), it is subject to HIPAA regulations. These regulations require compliance with HIPAA's Privacy, Security, and Breach Notification Rules, which outline specific requirements for the protection of PHI.
These requirements apply to mobile apps in the following ways:
- Privacy: The app must have privacy safeguards in place, which include implementing user authentication, encryption, and access controls to ensure that only authorized individuals can access PHI.
- Security: The app must implement appropriate security measures such as secure data storage, encryption of data in transit, and regular security assessments.
- Business associate agreements (BAAs): If a mobile app is developed or offered by a business associate of a covered entity, a BAA must be in place between the covered entity and the business associate.
- Breach notification: If a breach of PHI occurs, the app must follow the HIPAA Breach Notification Rule. This includes promptly notifying affected individuals, the covered entity, and potentially the Office for Civil Rights (OCR) about the breach.
Related: What is the HIPAA Security Rule?
Federal Food, Drug, and Cosmetic Act (FD&C Act)
The FD&C Act is a federal law that grants authority to the Food and Drug Administration (FDA) to regulate various products, including medical devices, drugs, cosmetics, and food.
In the context of mobile apps, the FDA enforces the FD&C Act to regulate certain mobile medical apps. The FDA considers a software function to be a medical device if it is intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease or if it is intended to affect the structure or function of the human body. This means the app developer or manufacturer must comply with applicable FDA regulations for medical devices, including obtaining proper approvals or clearances before marketing and distributing the app.
21st Century Cures Act & ONC Information Blocking Regulations
The 21st Century Cures Act aims to support medical advancements and improve access to healthcare. As part of the 21st Century Cures Act, the Office of the National Coordinator for Health Information Technology (ONC) issued regulations to address the prohibition of "information blocking."
Information blocking refers to practices that impede accessing, exchanging, or using electronic health information (EHI). The Information Blocking regulations include specific exceptions for practices to protect the privacy and security of patients' EHI. These exceptions ensure that privacy- and security-protective practices are not considered information blocking.
If a developer chooses to certify their health IT product through the voluntary ONC Health IT Certification Program, they must meet specific privacy and security requirements. These requirements include implementing appropriate privacy and security safeguards, as defined by certification criteria, and making certain publicly available statements ("attestations") that ensure transparency about the privacy and security features of the certified technology.
Federal Trade Commission Act (FTC Act)
App developers, including those developing health apps, are subject to the provisions of the FTC Act. If an app developer engages in unfair or deceptive acts or practices, such as making false claims, misrepresenting the privacy or security of consumer information, or failing to fulfill promises related to privacy or transparency, it may be considered a violation in terms of the Act.
For example, if an app developer collects consumers' health information and shares it with third parties after promising to keep that information private and secure, it could be seen as a deceptive practice under the Act. Similarly, if an app developer participates in the voluntary ONC Health IT Certification Program and makes transparency attestations about the privacy or security features of their app, but fails to live up to those promises, it may be considered a violation of the Act.
The Federal Trade Commission (FTC) has the authority to investigate and take enforcement actions against app developers found to be in violation of the Act. Penalties for violations can include financial penalties, injunctions, and other remedies.
FTC's Health Breach Notification Rule
The FTC's Health Breach Notification Rule requires entities that qualify as "health care providers" under the Rule to provide notifications in the event of breaches of personal health record information. In this context, "health care providers" include developers of certain health apps.
If a health app experiences a breach, which involves unauthorized access to or sharing of identifying health information without consumers' authorization, the entity responsible for the app, as a health care provider, is generally required to notify affected consumers, the FTC, and, in some instances, the media. The notification should provide information about the breach, the type of information involved, and steps the affected individuals can take to protect themselves.
Note that this rule specifically applies to health apps not covered by HIPAA. Covered entities under HIPAA have separate breach notification requirements under the HIPAA Privacy Rule. If a health app is subject to HIPAA, the breach notification obligations would be governed by HIPAA rather than the FTC's Health Breach Notification Rule.
- A guide to HIPAA's rules
- HIPAA Compliant Email: The Definitive Guide
- Embracing HIPAA compliant SDLC in healthcare tech app development
- HIPAA compliant email API