Feb 72023

New FTC Guidance for Mobile Health Apps

Colleen Theresa Brown, Meenakshi Datta, Sama E. Kahook and Francesca R. Ozinal
, , ,

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

The tool points to potential compliance obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules; the Food, Drug, and Cosmetic Act; the 21st Century Cures Act and ONC Information Blocking Regulations; the FTC Act; the FTC Health Breach Notification Rule; and the Children’s Online Privacy Protection Act. The tool allows users to answer the questions to learn which of the federal laws and regulations may apply to the mobile health app, including the following:

  1. Does/will your app collect, share, use, or maintain health information?
  2. Does the information the app collects fall within the HIPAA Rules’ definition of “individually identifiable health information”?
  3. Do consumers need a prescription to access your app?
  4. Is your app for use by consumers?
  5. Does your app
    • collect, receive, or maintain identifiable health information for consumers?
    • access health information in personal health records?
    • send health information to personal health records?
    • offer products or services through the website of an entity that maintains health records for consumers?
    • provide services to an entity that maintains health records for consumers?

The release of the interactive tool comes on the heels of FTC’s issuance of its best practices for mobile health app developers. In December 2022, FTC provided health app developers with tailored advice and additional questions to ask for any business seeking to implement sound data security. Specifically, the FTC recommends that health app developers minimize data, limit access and permissions, and keep authentication in mind. FTC also recommends that health app developers consider the mobile ecosystem and the complexities of third-party tools and platforms when designing applications to ensure appropriate protection for sensitive data. The FTC also recommends that mobile health app developers implement security by design, take advantage of what experts have already learned about security, and innovate ways to communicate with users regarding security options and privacy features.

Given the increased scrutiny on health information privacy and security from regulators, privacy litigation trends, and the highly complex interplay of the various legal and regulatory health privacy obligations, these FTC guidance and tools can be a valuable first step in conversations and consultations to mitigate risk from mobile health apps offerings.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Meenakshi Datta

Chicago

mdatta@sidley.com

Sama E. Kahook

Washington, D.C.

skahook@sidley.com

Francesca R. Ozinal

Washington, D.C.

fozinal@sidley.com

You might also like
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.

Cybersecurity Takeaways From White House Tech Report

On Feb. 26, the White House’s Office of the National Cyber Director (ONCD), released a report on how technology manufacturers and software developers can improve the cybersecurity posture of the U.S. This report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” aligns with the Biden administration’s current, intense focus on combatting ever-increasing cyberthreats through software development and software manufacturer accountability. In this article, published by Law360 on March 26, Sidley lawyers Alan Charles Raul, Stephen McInerney and Vishnu Tirumala discuss the ONCD report and provide key take-aways for software developers and manufacturers, their senior management, and boards.