Advising Mobile Medical App Developers: Untangling the Regulatory Web

The FD&C Act

The FD&C Act requires FDA oversight of certain products, including foods, drugs and medical devices.⁵  In guidance issued in 2015, the FDA defined a mobile app as “a software application that can be executed (run) on a mobile platform (i.e., a handheld commercial off-the shelf computing platform, with or without wireless connectivity), or a web-based software application that is tailored to a mobile platform but is executed on a server.”⁶  The FDA further defined mobile medical apps as “a mobile app that meets the definition of device in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act) and either is intended to be used as an accessory to a regulated medical device; or to transform a mobile platform into a regulated device.”⁷

If a mobile app has functionality that meets the FD&C’s definition of a medical device, then the developer must comply with the regulatory requirements of the FD&C Act prior to marketing the app to the public.  For example, the developer would need to determine into which of the FD&C Act risk based “classes” the app would fall in⁸ and whether premarket notification or premarket approval is required.⁹  

The FDA’s 2015 guidance indicated that certain mobile apps for general wellness, such as activity trackers and food logs, would not be subject to regulatory requirements because the FDA would exercise its enforcement discretion and would not enforce the FD&C Act requirements as to these types of apps.¹⁰ The 21st Century Cures Act (Cures Act) of 2016 provided statutory clarification by removing certain software functions from the definition of “device,” including  certain administrative functions, promotion of a healthy lifestyle unrelated to cure or treatment of a specific diagnosis, electronic patient records and the display of test results and other data.¹¹  The FDA issued draft guidance on December 8, 2017 which lists those examples from the 2015 guidance that it proposes to move to a list of devices that will not be considered a medical device because of the Cures Act change in definition.¹²  The FDA did not include the issuance of final guidance on its list of proposed guidance development for fiscal year 2018.¹³

HIPAA

Mobile apps that collect, transmit or store the medical information of users or their patients may have obligations pursuant to HIPAA,¹⁴ including complying with HIPAA’s  Privacy Rule,¹⁵ Security Rule¹⁶ and Breach Notification Rule.¹⁷  In order to determine whether HIPAA is applicable, there are two key considerations:  (1) Is the app receiving, collecting,  maintaining or transmitting information on behalf of a covered entity or a business associate of a covered entity? and (2) Is the information “protected health information” as that term is defined in the HIPAA Regulations?

A. Is the information being collected on behalf of a Covered Entity or Business Associate?  

All healthcare providers that transmit health information electronically as part of a HIPAA “standard transaction” are considered “covered entities.”¹⁸  The most common “standard transaction” is the submission of health information electronically for payment from an insurance company or other payor.¹⁹  Because most third party payors require submission of electronic claims, any provider that bills insurance or other third party payors, even if the provider uses a billing company to submit the claims, will generally be considered a “covered entity.”²⁰  Health plans and healthcare clearinghouses are also “covered entities.”

A “business associate” for HIPAA purposes generally includes any person or entity which “creates, receives, maintains, or transmits protected health information” on behalf of a covered entity.²¹  Certain categories of services are specifically mentioned in the HIPAA Privacy Rule as creating a business associate relationship, including, for example, claims processing or administration, billing, consulting, data aggregation, and management or administrative services.²²  Further, any entity that provides data transmission services and requires access on a “routine basis” to protected health information is considered a business associate, as well as any entity that stores protected health information for a covered entity.²³  The definition of business associate also specifically includes a provider of a personal health record, if the personal health record is being offered on behalf of a covered entity.²⁴  Any subcontractor of a business associate is also considered a business associate of the covered entity.  This is often referred to as a “downstream business associate.”²⁵

The OCR has developed a portal for app developers which addresses potential scenarios and whether such scenarios would cause the app developer to meet the definition of a business associate.²⁶ Business associates must safeguard protected health information in accordance with the requirements of the HIPAA Privacy and Security Rules.  In the event of a breach of unsecured information, they must comply with the Breach Notification Rule, which requires them to report the breach to the covered entity with which they have a contractual relationship.²⁷  They can be subject to fines from the government for noncompliance. 

B. Is the information Protected Health Information?

Protected health information includes information that is created or received by a covered entity or a business associate on behalf of a covered entity if the information identifies or can be used to identify the patient and relates to the patient’s past, present or future health, provision of healthcare or payment for healthcare.²⁸  Because the definition of “protected health information” is so broad, almost all information related to a healthcare provider’s patients will be considered protected health information, including, for example, lists of patient names and even derivatives of patient names such as initials, as well as dates, account numbers and other numbers associated with the patient.²⁹

FTC Breach Notification Rule

As discussed above, a vendor offering a personal health record (PHR) on behalf of a covered entity will be considered a business associate and will be subject to the HIPAA regulations.  Vendors of PHRs that provide the service directly to patients and not on behalf of a covered entity are not business associates and are therefore not subject to the HIPAA Regulations. 

However, these vendors and the businesses that interact with them as “PHR-related entities”³⁰ or that provide services to them as “third party services providers”³¹ are subject to the FTC Breach Notification Rule.³²  A PHR is defined by the FTC as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.³³  The definition of “PHR identifiable health information” incorporates the definition of “individually identifiable health information” from the HIPAA statute but includes such information that is provided by or on behalf of an individual.³⁴  Google Health, which is no longer available, was an example of a stand-alone PHR which allowed patients to independently store their own medical information.  A tethered PHR connects to a healthcare provider’s electronic health record (EHR) so that the patient can view his or her lab results and other information directly from the provider.  Such receipt of information from a covered entity will, however, cause the PHR to meet the definition of a business associate for HIPAA purposes.³⁵   

The FTC Breach Notification Rule is similar to the HIPAA Breach Notification Rule and requires that any “unauthorized access to unsecured PHR identifiable health information”³⁶ be reported to affected persons, the FTC, and in some cases the media.³⁷

The FTC Act

The FTC Act is not specific to medical information, but protects all personal information collected by businesses.  Specifically, Section 5(a) of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”  The FTC’s standards regarding adequate data security are not as specific as the HIPAA Security standards and are generally issued as guidance documents.³⁸  According to the FTC’s Privacy and Data Security Update, the FTC has brought over 60 cases against companies that have failed to adequately protect consumers’ personal data since 2002.³⁹  

Some of these enforcement actions involved medical information and were against companies that were also covered by HIPAA.  For example, in 2013, the FTC initiated an administrative proceeding against LabMD, a laboratory, for its failure to properly secure medical information retained in an electronic form.  A lengthy battle ensued during which LabMD unsuccessfully challenged the FTC’s authority to regulate entities that are also covered by HIPAA.⁴⁰  However, the Eleventh Circuit recently held in favor of LabMD’s challenge to the FTC’s cease and desist order because the order was not specific as to the conduct that must cease, but rather used an “indeterminable standard of reasonableness” in ordering LabMD to overhaul and replace its data security program.⁴¹  

Additional Considerations

Xcertia Guidelines

In order to fill perceived gaps in the oversight of mobile health apps, the American Heart Association (AHA), the American Medical Association (AMA), the Healthcare Information and Management Systems Society (HIMSS) and the DHX Group formed a collaboration to establish and promote best practices for mobile health apps.⁴²  The nonprofit entity, named Xcertia, was founded in December 2016.⁴³  Membership and access to annual guidelines is open to consumers, developers, payors, clinicians, academia and others with an interest in the development of guidelines for mobile health.⁴⁴  Xcertia’s proposed guidelines target operability, privacy, security and content.⁴⁵  According to Xcertia’s website, Xcertia will benefit stakeholders by reducing the burden on providers and healthcare sponsors, giving consumers confidence and helping app developers.⁴⁶  While any guidance issued by Xcertia is strictly voluntary at this point, it could be used by or against app developers in future enforcement actions to establish whether the developer followed best practices.

GDPR

Although an extensive discussion of the GDPR is beyond the scope of this article, attorneys assisting mobile app developers should be aware that the GDPR went into effect on March 25, 2018 for organizations doing business with European Union (EU) countries.⁴⁷  The GDPR addresses security measures as well as users’ rights to (1) be told how their data is being used, (2) access their data, (3) transfer their data between services providers, (4) have their data deleted and (5) know if their data has been hacked.⁴⁸

State Law

California recently passed the CCPA, which is comparable in many ways to GDPR and which will be effective in 2020.⁴⁹  Mobile apps that could potentially receive data of California residents will need to be prepared to comply with this law.  Although most states have laws on the books to protect patient privacy,⁵⁰ California is the first state to adopt this kind of broad consumer privacy law.  The law is directed only at large businesses⁵¹ but could impact mobile apps associated with larger companies. 

Conclusion

The oversight of mobile medical apps is rapidly evolving.  Although there are various government and private agencies involved in providing regulations and guidance, a common thread is the goal to protect health information provided by consumers.  Developers must of course look to laws and guidance that are directly applicable, but should consider all sources of guidance to determine best practices for protecting the health information of individuals in order to ensure the future success of the mobile app. 

* * *

¹ Federal Trade Commission, Mobile Health Interactive Tool, accessed at https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool. 

² Id.

³ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

⁴ California Assembly Bill No. 375 (June 28, 2018).

⁵ 21 U.S.C. Chapter 9.

⁶ Mobile Medical Applications – Guidance for Industry and Food and Drug Administration Staff, February 9, 2015, https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf.

⁷ Id.

⁸ 21 U.S.C. § 360c; See also FDA Classify Your Medical Device, accessed at https://www.fda.gov/medicaldevices/deviceregulationandguidance/overview/classifyyourdevice/.

⁹ 21 U.S.C. § 360e; see also FDA Overview of Device Regulation, accessed at https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Overview/default.htm#list.

¹⁰ Supra note 6.

¹¹ Public Law 114-255, December 13, 2016.

¹² Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act, https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM587820.pdf.

¹³ FDA CDRH Fiscal year 2018 (FY 2018) Proposed Guidance Development and Focused Retrospective Review of Final Guidance, https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm580172.htm.

¹⁴ Public Law 104-191 (August 21, 1996).

¹⁵ 45 C.F.R. § 160; 45 C.F.R. § 164 (Subparts A and E).

¹⁶ 45 C.F.R. § 160; 45 C.F.R. § 164 (Subpart C).

¹⁷ 45 C.F.R. § 164.402 – 414.

¹⁸ 45 C.F.R. § 160.103.  Note that a health plan or healthcare clearinghouse that submits standard electronic transactions will also be considered a “covered entity.”  However, this module focuses on healthcare providers.

¹⁹ See 45 C.F.R. § 162.1101.

²⁰ See discussion at 64 Fed. Reg. 59927 (Nov. 3, 1999).

²¹ 45 C.F.R. § 160.103.

²² Id.  Other services and relationships specifically mentioned include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 C.F.R. § 3.20, billing, benefit management, practice management, and repricing.  Other specifically mentioned services include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.  Health information organizations and e-prescribing gateways are also specifically mentioned.

²³ Id.

²⁴ 45 C.F.R. § 160.103.

²⁵ 78 Fed. Reg. 5573 (Jan. 25, 2013).

²⁶ Health App Developers Questions About HIPAA? accessed at https://hipaaqsportal.hhs.gov/.

²⁷ 45 C.F.R. § 164.410.

²⁸ Protected Health Information is a subset of Individually Identifiable Health Information.  Both are defined as 45 C.F.R. § 160.103. 

²⁹ 45 C.F.R. § 164.514(b).  See also Department of Health and Human Services Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.

³⁰ A PHR-related entity is defined as “an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA -covered entity that: (i) Offers products or services through the Website of a vendor of personal health records;  (2) Offers products or services through the Websites of HIPAA-covered entities that offer individuals personal health records;  or (3) Accesses information in a personal health record or sends information to a personal health record.” 16 C.F.R. § 318.2(f).

³¹ A Third party service provider is defined as an entity that “(1) Provides services to a vendor of personal health records in connection with he offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity;  and (2) Accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured PHR identifiable health information as a result of such services. 16 C.F.R. §318.2(h).

³² 16 C.F.R. Part 318. 

³³ 16 C.F.R. § 318.2 (d.)

³⁴ 16 C.F.R. § 318.2(e).

³⁵ Office of the National Coordinator for Health Information Technology, Personal Health Records:  What Providers Need to Know, https://www.healthit.gov/sites/default/files/about-phrs-for-providers-011311.pdf.

³⁶ 16 C.F.R. § 318.2 (a).

³⁷ 16 C.F.R. § 318.3.

³⁸ FTC Privacy & Data Security Update:  2017, accessed at https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2017-overview-commissions-enforcement-policy-initiatives-consumer/privacy_and_data_security_update_2017.pdf.

³⁹ Id.

⁴⁰ The full case timeline can be accessed on the FTC’s website at https://www.ftc.gov/enforcement/cases-proceedings/102-3099/labmd-inc-matter.

⁴¹ LabMD, Inc. v. Federal Trade Commission, 894 F.3d 1221 (2018). Note that LabMD ceased operations before the court issued its ruling.

⁴² Raths, David, “Nonprofit Xcertia Formed to Promote Best Practices for Mobile Health Apps,” Healthcare Informatics, December 12, 2016, accessed at https://www.healthcare-informatics.com/news-item/mobile/nonprofit-xcertia-formed-promote-best-practices-mobile-health-apps.

⁴³ Id.

⁴⁴ Xcertia news, accessed at http://xcertia.org/news-announcements/.

⁴⁵ Xcertia Guidelines, accessed at http://xcertia.org/the-guidelines/.

⁴⁶ Id.

⁴⁷ See Supra note 3.

⁴⁸ Id.

49 See Supra note 4.

50 See e.g., Electronic Privacy Information Center, Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization, accessed at https://epic.org/privacy/medical/cdc_survey.html.

51 See Supra note 4, Section 1798.140(c).  The Act applies to for-profit entities doing business in California that collect personal information and have annual gross revenues exceeding $25 million; annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or derive 50 percent or more of annual revenue from selling personal information.