During the International Association of Privacy Professionals annual global event, as Chairwoman Edith Ramirez was discussing the Federal Trade Commission’s (FTC) concerns about consumer privacy, the FTC, the Office of the National Coordinator for Health Information Technology (ONC), the Office for Civil Rights (OCR), and the Food and Drug Administration (FDA) announced that they had combined efforts and created a web-based tool for mobile health app developers to use in determining which federal laws and regulations might apply to their app.
Ms. Ramirez explained that the number of mobile apps being developed is staggering, and often, the app developers don’t know which regulatory scheme is applicable to the product. She stressed how important it is that app developers build privacy and security into the app from the start and that the FTC, along with the other agencies, wanted to provide a tool to assist developers to understand the regulatory rubric that might be applicable.
The tool asks app developers a series of questions including:
- Do you create, receive, maintain, or transmit identifiable health information?
- Are you a health care provider or health plan? Do consumers need a prescription to access your app?
- Are you developing this app on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)?
- Is your app intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease?
- Does your app pose “minimal risk” to a user?
- Is your app a “mobile medical app”?
- Are you a nonprofit organization?
- Are you developing this app as or on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)?
- Do you offer health records directly to consumers (or do you interact with or offer services to someone who does)?
Each question has a drop-down explanation after the user chooses ‘yes’ or ‘no,’ and the tool also offers a glossary and short explanations (and links) to the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug & Cosmetic Act (FD&C Act), the Federal Trade Commission Act (FTC Act) and the FTC’s Health Breach Notification Rule. The website also provides a link to tips on how to protect and secure consumer data.
The FTC released simultaneously “Mobile Health App Developers: FTC Best Practices,” which provides guidance for app developers “to help you build privacy and security into your app.” The points made in the guidance are:
- Minimize data.
- Limit access and permissions.
- Keep authentication in mind.
- Consider the mobile ecosystem.
- Implement security by design.
- Don’t reinvent the wheel.
- Innovate how you communicate with users.
- Don’t forget about other applicable laws.
The regulatory scheme for app developers is often unclear and any guidance from regulators is a valuable read.