FTC Guidance for Mobile Health App Developers

Two sayings in particular have become common phrases today. The first, because many of us are convinced that Google knows all, is "Google it!" The second, and definitely growing in popularity, is "There's an app for that!" Google is an invaluable tool for understanding and learning many new things, but when it comes to health issues, or how to properly take care of our health, it can be a very slippery slope. Nonetheless, the market for apps that help manage health has recently exploded.

With the massive increase in health apps over recent years, the Federal Trade Commission ("FTC"), the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology ("ONC") and Office for Civil Rights ("OCR"), and the Food and Drug Administration ("FDA") have coordinated to create a tool that helps developers of health-related apps navigate federal laws and regulations.

The tool asks developers a series of questions about the nature of the app: how it is designed to function, what data it collects from users, and what services it provides. Based on the answers, the tool points to detailed information on the federal laws that could apply to the app, including the FTC Act, the FTC's Health Breach Notification Rule, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Food, Drug, and Cosmetic Act (FD&C Act).

A major goal of the FTC is consumer protection. The creation of this tool is one way the FTC can ensure app developers get the right information about the laws at play while furthering its goal of protecting consumers.

The FTC has no interest in shutting down or doing away with health apps; it recognizes that this is the direction the world is heading and encourages competition. By using the tool, app developers can build with confidence and recognize potential legal problems before any issues arise, because they understand the laws they need to take into account.

The tool is designed to address only federal law at this point, but there is hope that similar tools will be designed at the state level. That would add another layer of protection for both the companies producing the apps and the consumers relying on them.

We still can't guarantee that the information and advice in health apps will be any better than the slippery slope of asking Google, but we now know that app developers can be made aware of the laws associated with building such apps. This may not do away with the slippery slope, but it is one step closer to apps truly being built for the benefit of the consumer.

For more information regarding the FTC’s health app tool and how it can be used to your benefit, contact Revision Legal’s Corporate attorneys by filling out our contact form or by calling 855-473-8474.


Image courtesy of Flickr user Jason Howie.

The Four Federal Laws That Health App Developers Must Understand

The interagency tool described above is useful as a starting point, but health app developers need a working understanding of the specific statutes at issue — not just a roadmap to relevant guidance documents. Each law has its own threshold for coverage, its own substantive requirements, and its own enforcement mechanisms.

FTC Act, Section 5

Section 5 of the FTC Act, 15 U.S.C. § 45, prohibits unfair or deceptive acts or practices in or affecting commerce. For health app developers, the FTC Act primarily targets three types of conduct: (1) making false or unsubstantiated health claims about the app’s efficacy; (2) misrepresenting how user health data will be collected, used, or shared; and (3) failing to honor representations made in the app’s privacy policy. The FTC has brought enforcement actions against health apps that claimed to diagnose medical conditions without clinical validation, and against apps that shared health data with advertisers while representing that data would remain private.

FTC Health Breach Notification Rule

The FTC Health Breach Notification Rule, 16 C.F.R. Part 318, requires vendors of personal health records (PHRs), PHR related entities, and their third-party service providers to notify individuals, the FTC, and in some cases the media following a breach of unsecured individually identifiable health information. Critically, this Rule covers health apps that are not covered by HIPAA, meaning it applies to consumer-facing health apps that collect health data directly from users but are not operated by or on behalf of HIPAA-covered entities. The FTC has clarified, first in a 2021 policy statement and later in amendments to the Rule itself, that a "breach of security" is not limited to outside intrusions: an app's own unauthorized disclosure of health data, such as sharing it with third-party advertisers or analytics vendors without the user's authorization, is a breach that triggers notification obligations. The FTC's first enforcement actions under the Rule, brought in 2023, targeted exactly this kind of sharing. This significantly increased compliance obligations for health app developers that use behavioral advertising or embed third-party tracking SDKs.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), as implemented at 45 C.F.R. Parts 160 and 164, applies to covered entities (health plans, healthcare providers, and healthcare clearinghouses) and their business associates. A health app is covered by HIPAA only if it operates on behalf of a covered entity: for example, a patient portal app offered by a hospital, or a remote monitoring app that feeds data to a clinical healthcare provider. Most direct-to-consumer health apps (fitness trackers, symptom checkers, nutrition apps) are not operated by or on behalf of covered entities and are therefore not covered by HIPAA, even if they collect detailed health data.

This is a critical gap that many health app developers and their users misunderstand. The fact that an app collects blood pressure readings, glucose levels, or mental health data does not make it subject to HIPAA. HIPAA's protections (the prohibition on unauthorized disclosure, the minimum necessary standard, and the individual rights of access and amendment) do not apply to data collected by non-covered app developers. The applicable protections come instead from the FTC Act, the FTC Health Breach Notification Rule, and applicable state privacy laws.

Federal Food, Drug, and Cosmetic Act

The FDA regulates "devices," a statutory term defined at 21 U.S.C. § 321(h) that encompasses software functions meeting certain criteria. Under the FDA's guidance on device software functions and mobile medical applications, software intended to diagnose a disease or condition, or to cure, mitigate, treat, or prevent a disease, is a medical device subject to FDA oversight. This can include apps that claim to detect atrial fibrillation, analyze moles for skin cancer risk, or provide certain kinds of clinical decision support to healthcare professionals.

However, the FDA also exercises enforcement discretion for categories of lower-risk software functions, including general wellness apps that promote healthy lifestyle choices (exercise, nutrition, stress management) without making specific disease-related claims. Because intended use is determined from how a product is labeled and promoted, developers who want to position their apps as general wellness products rather than medical devices must make sure that their marketing materials, app store descriptions, and in-app content do not make specific disease claims that would bring the app within the FDA's regulatory scope.

State Privacy Law Overlay

Beyond federal law, health app developers must contend with an expanding landscape of state privacy laws that impose additional obligations for health data. Several states have enacted dedicated health privacy statutes that apply to health data collected by non-HIPAA-covered entities:

  • Washington My Health My Data Act (2023). Applies to any company that collects, shares, or sells health data from Washington residents, regardless of whether the company is a HIPAA covered entity. Requires consent for collection and sharing of health data, provides consumers with rights of access, deletion, and withdrawal of consent, and prohibits "geofencing" around facilities that provide in-person healthcare in order to target individuals with health-related advertising.
  • Nevada SB 370 (2023). Nevada’s consumer health data law mirrors key elements of the Washington statute, applying to companies that collect health data from Nevada consumers outside the HIPAA framework.
  • California CCPA/CPRA. Health information is classified as “sensitive personal information” under the CPRA, entitling California consumers to limit its use and disclosure. Consumer health data collected by non-HIPAA apps is subject to CCPA’s notice, opt-out, and deletion rights.

Practical Compliance Steps for Health App Developers

  • Determine whether your app is a HIPAA-covered business associate or a non-covered consumer health app. This determination drives which federal framework applies.
  • Evaluate FDA classification. If your app makes specific disease-related claims, assess whether it qualifies as a medical device and, if so, what FDA clearance or approval pathway applies.
  • Draft a privacy policy that accurately describes what health data is collected, how it is used, with whom it is shared, and what rights users have. Generic privacy policies that do not address health-specific considerations are inadequate.
  • Review data sharing agreements with third-party analytics vendors, advertising networks, and data brokers, and audit the SDKs actually embedded in the app, since tracking libraries often transmit data the privacy policy never mentions. Sharing health data with these parties without the user's authorization is a breach under the FTC Health Breach Notification Rule and, under state laws like Washington's, such sharing requires specific consumer consent.
  • Implement appropriate security safeguards. Health data is a high-value target for data thieves. Security failures that result in breach of health data create overlapping notification obligations under the FTC Rule, HIPAA (if applicable), and state breach notification laws.

Talk to an Attorney

Health app development sits at the intersection of technology law, healthcare regulation, and consumer privacy law. Getting the legal framework right from the start — before your app is in market and before regulators come calling — is far less expensive than fixing compliance failures after the fact. Revision Legal’s corporate and internet attorneys advise health app developers on regulatory compliance, privacy policy drafting, and FTC and FDA regulatory matters. Contact us through the form on this page or call 855-473-8474.
