“Does your mobile app collect, create, or share consumer information? Does it diagnose or treat a disease or health condition?” If so, then the FTC’s new online tool may assist you in understanding what federal laws or regulations might apply to your app. 

The Mobile Health Apps Interactive Tool recently went online and offers developers of health-related apps an opportunity to better understand applicable laws and regulations. The FTC developed this interactive tool with the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology, Office for Civil Rights, and the Food and Drug Administration. The interactive tool does not purport to cover all applicable rules, but it offers information on some of the most important federal laws that may apply, including the Health Insurance Portability and Accountability Act (“HIPAA”), the FTC Act, the FTC’s Health Breach Notification Rule, and the Federal Food, Drug, and Cosmetic Act.

The interactive tool asks a series of high-level questions about the type of information the app collects, the credentials required to access the app, the nature of the company for which the app is being developed, and the purpose of the app. Depending on the user’s answer to each question, the interactive tool identifies laws or regulations that may apply and links the user to additional resources that may be helpful.

The FTC has also published additional guidance on how health app developers can comply with the FTC Act. In 2013, the California Attorney General’s Office issued similar guidance for mobile app developers. Both sets of guidelines suggest that developers “build privacy into their apps.” They suggest limiting the collection of personally identifiable data where possible and stress the importance of developing a privacy policy that is clear and easily accessible to users. The FTC’s guidelines emphasize the security aspects of app development, including maintaining data in a de-identified form, limiting access and permissions, properly authenticating users, implementing strong password requirements, choosing an appropriate mobile platform, and implementing strong security protocols at all stages of the app’s lifecycle. The California guidelines focus more on the outset of the design process and suggest that developers use a checklist to carefully identify the personally identifiable data an app collects, uses, or shares with third parties. The California guidelines also suggest using “enhanced measures” when necessary, such as providing special notices in certain circumstances or a short privacy statement combined with readily accessible privacy controls.

As consumers become more engaged in managing their health through mobile apps, and as the number of mobile health products continues to rise, it is increasingly important for app developers to understand which laws apply to them and to the products they are developing. These tools and resources offer important information and are a useful starting point for developers. However, developers should also work with experienced attorneys to stay on top of compliance and security obligations from the outset. Legal counsel can identify and provide guidance on other laws that may apply to a mobile health app, such as the Telephone Consumer Protection Act (“TCPA”) and state consumer protection laws. Working with an attorney can help limit exposure to litigation and regulatory enforcement actions.

Troutman Sanders LLP has an experienced team dedicated to regulatory compliance and data privacy.