New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

The tool points to potential compliance obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules; the Food, Drug, and Cosmetic Act; the 21st Century Cures Act and ONC Information Blocking Regulations; the FTC Act; the FTC Health Breach Notification Rule; and the Children’s Online Privacy Protection Act. Users answer a series of questions to learn which of these federal laws and regulations may apply to their mobile health app, including the following:

  1. Does/will your app collect, share, use, or maintain health information?
  2. Does the information the app collects fall within the HIPAA Rules’ definition of “individually identifiable health information”?
  3. Do consumers need a prescription to access your app?
  4. Is your app for use by consumers?
  5. Does your app
    • collect, receive, or maintain identifiable health information for consumers?
    • access health information in personal health records?
    • send health information to personal health records?
    • offer products or services through the website of an entity that maintains health records for consumers?
    • provide services to an entity that maintains health records for consumers?

The release of the interactive tool comes on the heels of the FTC’s issuance of its best practices for mobile health app developers. In December 2022, the FTC provided health app developers with tailored advice, along with additional questions that any business seeking to implement sound data security should ask. Specifically, the FTC recommends that health app developers minimize data, limit access and permissions, and keep authentication in mind. The FTC also recommends that health app developers consider the mobile ecosystem and the complexities of third-party tools and platforms when designing applications, to ensure appropriate protection for sensitive data. Finally, the FTC recommends that mobile health app developers implement security by design, take advantage of what experts have already learned about security, and find innovative ways to communicate with users about security options and privacy features.

Given the increased scrutiny on health information privacy and security from regulators, current privacy litigation trends, and the highly complex interplay of the various legal and regulatory health privacy obligations, this FTC guidance and these tools can be a valuable first step in conversations and consultations to mitigate risk from mobile health app offerings.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.