FTC Updates Mobile Health App Interactive Tool for Small Business Guidance
In December, the Federal Trade Commission (FTC) released an updated Mobile Health App
Interactive Tool to help small business developers determine what federal laws and regulations
may apply to their health apps.
Created in conjunction with the Department of Health and Human Services (HHS) Office for
Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology
(ONC) and the Food and Drug Administration (FDA), the Tool was first released in 2016. Per
the FTC, the updated version was released in response to regulatory changes that have
occurred since that time.
The Tool is designed to be interactive and user-friendly. More specifically, the Tool asks users
to answer a series of high-level questions about the nature of the app, how it functions, the data
it collects, and the services it provides to users. Based on the health app developer’s
responses, the Tool will point the developer to certain federal laws and regulations that may
apply to the health app. An outline of the federal laws and regulations that the Tool touches
upon follows below.
The FTC makes clear that the Tool is intended to provide compliance guidance and is not a
substitute for individualized legal advice. In addition, the FTC directs health app developers to
its Best Practices as a “must-read” guidance document concerning a series of issues for health
app developers to consider.
Health Insurance Portability and Accountability Act (HIPAA) Rules
The HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) protect the privacy
and security of most individually identifiable health information held by “covered entities” –
health plans, health care providers, and health care clearinghouses. The HIPAA Rules also
apply to “business associates,” those individuals and entities that create, receive, maintain, or
transmit health information for, or provide certain services to, a covered entity. Because the
HIPAA Rules apply only to covered entities and their business associates, health information
that is maintained in a mobile health app that is not offered by a HIPAA-covered entity or
business associate likely would not be subject to the HIPAA Rules.
Federal Food, Drug, and Cosmetic Act (FDCA)
Among other things, the Federal Food, Drug, and Cosmetic Act regulates the safety and
effectiveness of medical devices, including certain mobile medical apps. According to the FTC,
the FDA focuses its regulatory oversight of digital health devices on the subset of mobile health
apps that could pose a risk to consumers if the devices do not work as intended. In doing so,
FDA considers a software function to be a medical device subject to FDCA regulation if it
meets the definition of a device – the software function is intended for use in the diagnosis of
disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is
intended to affect the structure or any function of the human body – so long as the software is not
otherwise excluded from the device definition under the 21st Century Cures Act, discussed
21st Century Cures Act & ONC Information Blocking Regulations
“Information blocking” may occur when a health care provider, health IT developer of certified
health IT, health information network or health information exchange engages in a practice
that is not required by law or covered by a regulatory exception, has the requisite knowledge
about that practice, and that practice is likely to interfere with access, exchange, or use of EHI.
In response to the 21st Century Cures Act’s prohibition of “information blocking,” the ONC issued
regulations that apply to practices likely to interfere with access, exchange, or use of
electronic health information (EHI) and define certain exceptions to the definition of information
blocking (Information Blocking Regulations). The Information Blocking Regulations provide
specific exceptions for reasonable and necessary practices that protect the privacy and security
of patients’ EHI. Additionally, the Information Blocking Regulations operate alongside
other laws, such as HIPAA, that protect the privacy and security of patients’ health
With respect to mobile health apps, a developer may choose to certify health IT through the
ONC Health IT Certification Program, which is voluntary. The Program requires that the health
IT meet specific privacy and security requirements, including appropriate privacy and security
safeguards and certain attestations concerning transparency about the privacy and safety features
of the health IT.
Federal Trade Commission Act (FTC Act)
The FTC enforces Section 5 of the FTC Act which prohibits unfair or deceptive acts or practices,
including those that affect the privacy and security of personal information that mobile health
apps collect, use, maintain or share. Section 12 of the FTC Act also prohibits false
advertisements of food, drugs, devices, cosmetics, or services in or affecting commerce.
Critically, the FTC Act applies to most mobile health app developers.
FTC’s Health Breach Notification Rule
The FTC Health Breach Notification Rule requires applicable entities to provide notifications to
consumers, the FTC, and in some cases, the media following certain breaches of personal
health record information. The Rule applies to most mobile health apps that are not covered by
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) is also enforced by the FTC. Generally,
COPPA gives parents control over the information that operators of websites and online
services can collect from children – minors under 13 years of age. Among other things, COPPA
requires the mobile health app operator to give parents notice about what information is being
collected and to obtain parental consent for the collection of such information. COPPA also requires
operators to establish and maintain procedures for protecting the confidentiality, security, and
integrity of children’s personal information.
Contact Our Attorneys Today
The data protection and privacy lawyers at Kendall PC provide strategic legal services for
companies of all sizes. We can help your business ensure consumer privacy and security
protections in every stage of your company’s product and program development.
To learn how our attorneys can help your company, contact Kendall PC today online or at (484)
414-4093. Our firm proudly serves small, midsized, and emerging businesses throughout the
United States and across the globe.