By Kathryn Marchesini and Rachel Nelson, ONC
Twitter: @ONC_HealthIT
As you design, market, and distribute a mobile health (mHealth) app that your customers will use to collect, share, use, or maintain individuals’ health information, it is likely you have questions about which U.S. federal laws apply. You may also wonder which federal agencies oversee various aspects of mHealth. The answer varies with how individuals, their health plan, or health care providers will use the app, and with who is expected to use it and how they will obtain it (e.g., a direct-to-consumer (patient) app versus a health care provider-directed app).
To help you find answers, the Federal Trade Commission (FTC) released an update to the online, interactive Mobile Health Apps Tool. The updated tool was produced collaboratively, with contributions from ONC and our HHS colleagues at the Food and Drug Administration (FDA) and the Office for Civil Rights (OCR).
The interactive tool is structured simply, using a list of questions to help you assess which of the below federal laws may apply based on what an app will do or how it will be used, how users will get it, and who will use it. This tool helps you figure out whether, in addition to the FTC Act, you need to learn more about the following federal laws and how they may apply:
- Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules
- Federal Food, Drug, and Cosmetic Act (FD&C Act)
- 21st Century Cures Act’s Health IT and Information Blocking Provisions, ONC’s Cures Act Final Rule (including the ONC Health IT Certification Program)
- Federal Trade Commission Act (FTC Act) & FTC’s Health Breach Notification Rule
- Children’s Online Privacy Protection Act (COPPA)
Whether you are a developer new to mHealth, focusing on different users than you have with prior mHealth products, or are building innovative features into an existing app focused on the same kind(s) of users, the Mobile Health Apps Tool can serve as a sort of “trail guide” to these federal laws centered on information governance and federally required protections for information related to an individual’s health, as well as the safety and effectiveness of medical devices — which some mobile health apps might be. (However, please note there are federal as well as state laws that could apply to you or your technology that are not within the scope of this tool.)
We recognize the important role health technology developers have in helping enable and establish trust in the adoption and use of mobile technology. Building information privacy and security protections into mobile technology from the start makes privacy and security the default setting embedded in the overall design and development of the technology and business practices (sometimes referred to as privacy or security by design). This provides some assurance to users that the information is secure and will be used and disclosed only as expected or approved.
For example, if a developer chooses to have a health IT product, such as an app, certified through the ONC Health IT Certification Program, that health IT would need to meet specific certification criteria for privacy and security technical capabilities and make publicly available statements (“attestations”) that ensure transparency about certain privacy and security features of the certified technology.
Beyond the scope of the Mobile Health Apps Tool, developers may want to consider privacy and security practices that go further than compliance with applicable federal laws. For example, ONC supports developers providing transparency into what happens to a patient’s digital health data when they use the developer’s application, including conveying information about privacy and security to users in a way that is easy for them (patients), not just for the developer’s or users’ legal counsel, to understand.
Wherever you are in your mHealth innovation journey, be sure to check out the Mobile Health Apps Tool to help identify and understand your obligations, so that by proactively meeting or exceeding those obligations, you can earn and keep customers’ trust in your mobile technology.
This article was originally published on the Health IT Buzz and is syndicated here with permission.