FTC Releases Tool And Best Practices For Mobile Health App Developers

King & Spalding

On April 5, the Federal Trade Commission (“FTC”) announced that it had created a web-based tool designed to help developers of health-related mobile apps identify and understand which federal laws and regulations might apply to their apps.  The FTC developed the web-based tool in conjunction with other federal regulators with an interest in health-related topics, such as the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (“ONC”) and Office for Civil Rights (“OCR”) and the Food and Drug Administration (“FDA”).

The tool asks developers a series of 10 high-level, yes-or-no questions about their apps, covering topics such as the apps’ functions, the data they collect, and the services they provide.  For example, the tool asks developers whether they “create, receive, maintain, or transmit identifiable health information.”  The tool also includes a detailed glossary to help users answer the questions.  For instance, “identifiable health care information” is defined broadly to include information that relates to a consumer’s physical or mental health condition, provision of health care, or payment for health care, including demographic information.  The tool specifically states that a consumer’s IP address is “identifiable health information” if maintained by the app.

Then, based on the answers to the high-level questions, the tool identifies and describes four potentially applicable federal laws or regulations: the Health Insurance Portability and Accountability Act; the Federal Food, Drug, and Cosmetic Act; the Federal Trade Commission Act; and the FTC’s Health Breach Notification Rule.  The tool itself states that “[i]t’s not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.”  Thus, while useful as a starting point for introducing and orienting developers and other healthcare industry players to the legal thicket affecting health apps, the tool provides high-level guidance on the basics of only a few relevant federal laws.

The point is underscored by the FTC’s set of best practices for developers of mobile health apps to help ensure their compliance with the FTC Act, which was released alongside the tool.  This supplementary guidance is distilled into eight areas of advice:

  • Area One: Minimize Data.  The FTC notes that “if you don’t collect data in the first place, you don’t have to go to the effort of securing it,” and suggests that developers consider keeping sensitive data only in de-identified form.  
  • Area Two: Limit Access and Permissions.  The FTC advises developers to ensure their apps do not access information that is not necessary, such as a consumer’s contacts for an exercise app. 
  • Area Three: Keep Authentication in Mind.  The FTC encourages developers to devote resources to authentication and notes that if user identity risks are significant, “consider multi-factor authentication—for example, requiring the use of a password and a separate code sent via another channel, such as an email or text.” 
  • Area Four: Consider the Mobile Ecosystem.  If an app relies on a mobile platform to protect data, the FTC urges developers to “[r]esearch the mobile platforms and adapt your code so you can protect people’s data, regardless of the platform.” 
  • Area Five: Implement Security by Design.  The FTC recommends developing a culture of data security by designating an individual or team to be responsible for data security matters and maintaining a “channel through which security researchers or consumers can reach you if they discover a vulnerability in your app.” 
  • Area Six: Don’t Reinvent the Wheel.  The FTC notes that there are inexpensive tools available for safeguarding consumers’ information, such as software development kits and cross-platform toolkits. 
  • Area Seven: Innovate How You Communicate with Users.  The FTC encourages developers to inform users about security and privacy features in their apps in “simple, clear, and direct” terms.
  • Area Eight: Don’t Forget About Other Applicable Laws.  Here, the FTC links developers to the web-based tool and specifically tells them not to forget about other applicable laws, including federal laws such as the Gramm-Leach-Bliley Act’s Safeguards Rule and the HIPAA Privacy Rule as well as various state laws.
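Area Three describes the second factor only in outline (a password plus a separate code sent over another channel). The following is an added illustration of the server-side half of that arrangement; it is not FTC or King & Spalding material and the FTC guidance prescribes no particular implementation. It assumes a five-minute code lifetime and a five-attempt lockout as hypothetical policy values, stores only a keyed hash of each code, compares in constant time, and refuses replayed, expired or locked-out codes; the out-of-band delivery step is stubbed because it depends on the email or SMS provider.

```python
"""Server-side handling of a one-time second-factor code (added example,
not from the FTC guidance or the law firm update).  Delivery of the code
over email or text is stubbed: `issue` only records the message that
would be sent, so the example runs offline."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # code lifetime: five minutes (assumed policy value)
MAX_ATTEMPTS = 5         # lock the challenge after five wrong guesses (assumed policy value)


@dataclass
class Challenge:
    user_id: str
    code_hash: bytes     # only a keyed hash of the code is kept server-side
    expires_at: float
    attempts: int = 0
    used: bool = False


class SecondFactor:
    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now                      # injectable clock, so expiry can be tested
        self._challenges: dict[str, Challenge] = {}
        self.outbox: list[tuple[str, str]] = []   # (user_id, message) that would be delivered

    def _hash(self, user_id: str, code: str) -> bytes:
        # HMAC with a server secret: a leaked challenge table does not reveal live codes.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        # Six digits from a CSPRNG, zero-padded so the code is always six characters.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._challenges[user_id] = Challenge(
            user_id=user_id,
            code_hash=self._hash(user_id, code),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        # Out-of-band delivery (email/SMS) would happen here; we only record it.
        self.outbox.append((user_id, f"Your verification code is {code}"))
        return code   # returned so the example can be exercised without a real channel

    def verify(self, user_id: str, submitted: str) -> bool:
        ch = self._challenges.get(user_id)
        if ch is None or ch.used:            # no outstanding challenge, or replay of a used code
            return False
        if self._now() > ch.expires_at:      # expired: discard so it cannot be retried
            del self._challenges[user_id]
            return False
        if ch.attempts >= MAX_ATTEMPTS:      # too many wrong guesses: challenge is dead
            return False
        ch.attempts += 1
        # Constant-time comparison of the two hashes avoids a timing side channel.
        if hmac.compare_digest(ch.code_hash, self._hash(user_id, submitted)):
            ch.used = True                   # single use: the same code must not work twice
            return True
        return False


def demo() -> dict:
    """Exercise the main paths with a fake clock; returns the outcomes for checking."""
    clock = [1_000_000.0]
    sf = SecondFactor(server_secret=b"example-server-secret", now=lambda: clock[0])

    code = sf.issue("alice")
    wrong = sf.verify("alice", "not-a-code")      # a wrong guess is rejected
    right = sf.verify("alice", code)              # the delivered code is accepted once
    replay = sf.verify("alice", code)             # replaying the same code fails

    code2 = sf.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1
    expired = sf.verify("alice", code2)           # past the TTL the code is useless

    code3 = sf.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        sf.verify("alice", "not-a-code")
    locked_out = sf.verify("alice", code3)        # even the right code fails after lockout

    return {"wrong": wrong, "right": right, "replay": replay,
            "expired": expired, "locked_out": locked_out,
            "messages_sent": len(sf.outbox)}


if __name__ == "__main__":
    print(demo())
```

The design choices mirror the reasons the FTC gives for the other areas: the code is never stored in clear (Area One's point about not having to protect what you do not hold applies to secrets at rest too), and the single-use, expiry and attempt-limit checks are what stop a code intercepted on the second channel from being useful later.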

The FTC’s web-based tool and set of best practices provide developers of mobile health apps with a useful overview of federal regulators’ core concerns in this rapidly evolving space.

Reporter, Kyle Sheahen, New York, +1 212 556 2234, ksheahen@kslaw.com

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
