A new interactive tool has been released by the Federal Trade Commission (FTC) to help mobile health app developers determine whether their apps need to comply with federal regulations.
The new web-based tool was developed with assistance from the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA).
By answering a series of 10 questions, mobile app developers can determine whether their health care products are covered under the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), or the Federal Trade Commission Act (FTC Act), or whether they need to comply with the FTC’s Health Breach Notification Rule. In many cases, app developers will be required to comply with more than one set of federal laws.
According to Jessica Rich, FTC Bureau of Consumer Protection director, “Mobile app developers need clear information about the laws that apply to their health-related products.” The tool aims to provide the information app developers need to determine whether safeguards need to be incorporated to ensure data is appropriately protected.
There has been considerable confusion among mobile health app developers, who have struggled to understand the various laws that apply to app development, in particular HIPAA. This confusion has been holding back development and preventing app developers from meeting the demands of patients.
Last year OCR sought feedback from mobile app developers via an online web portal to find out the specific issues that app developers were having with HIPAA. Based on the feedback received, OCR released new guidance in February this year, explaining the circumstances under which an app developer would be required to comply with HIPAA regulations.
The guidance was long overdue, but many in the industry felt that it did not go far enough to clear up confusion, providing answers for only a limited number of scenarios. Recently, some members of Congress wrote to HHS Secretary Sylvia Burwell, criticizing the efforts made thus far and claiming the recent guidance was inadequate. The letter called for further clarification of HIPAA’s privacy and security standards.
The new tool may not help to improve knowledge of the intricacies of HIPAA as it reiterates much of what OCR has already provided in recent guidance, but it should help app developers determine whether HIPAA and other federal rules apply.
Along with the interactive tool, the FTC has published a glossary of terms commonly used in the HIPAA Rules and a list of FTC best practices for implementing sound data security. These include minimizing the data collected, limiting access and permissions to customer information, implementing strong user authentication, practicing security by design, incorporating security at every stage of an app’s lifecycle, and obtaining consent from users before sharing their information.
The new interactive web-based tool can be found at the following link: https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool.
The FTC’s best practices for mobile health app developers can be downloaded here.