A new tool from the Federal Trade Commission offers a good primer for health app developers on federal privacy and security rules — but doesn’t delve much deeper, according to app makers and privacy advocates.
The Web-based tool asks developers a series of yes-or-no questions to see which elements of the government’s overlapping patchwork of relevant rules — the Health Insurance Portability and Accountability Act; the Federal Food, Drug, and Cosmetic Act; Federal Trade Commission Act; and FTC’s Health Breach Notification Rule — might apply to their products. But there are critical questions the tool doesn’t answer, Morgan Reed, executive director of ACT | The App Association, said in an email.
In particular, he said health app companies need better guidance around how to use the cloud for storing and sharing data under the rules set forth by HIPAA, a major health law to safeguard patients’ health information.
“While companies need to know where they fit in the regulatory ecosystem, the most pressing issue is understanding how to meet those requirements” — something his group has pushed for in the past few years — he said.
Michelle De Mooy, deputy director of the Center for Democracy and Technology’s Privacy and Data Project, said the tool provides “a quick-and-dirty look at compliance … and there’s definitely room for that in this space.” But she said it’s missing some critical rules that could come into play for developers, like California’s Confidentiality of Medical Information Act.
Medical apps are a growing industry: Nearly 2 billion people are expected to download mobile health apps by 2017, according to a report from PwC, formerly PricewaterhouseCoopers, and the connected health market is projected to be worth nearly $61 billion globally by 2020. Even so, the regulatory landscape for these apps is fragmented, De Mooy said.
She added that she hopes the fact several federal agencies worked together to build the tool — the FTC developed it with help from several offices within the Department of Health and Human Services, including the Food and Drug Administration — means the government will have a “unified, comprehensive” regulatory framework in the future.
Roy Wyman, an attorney at Nashville-based Nelson Mullins Riley & Scarborough LLP who represents several app developers, said the tool is “helpful to an extent” but worries “it can give a sense of false security because the rules are very complex.”
A small tweak to a product could have big implications: Based on the FTC tool, an app that allowed, say, diabetes patients to share information may seem to fall outside HIPAA. But if developers add a capability to allow a case manager or doctor into the discussion, those health care professionals may be less apt to use it if the app doesn’t adhere to HIPAA security rules.
“There’s a lot of nuance to this. So I’d really recommend that they get counsel early on in this process,” he said.
Andrew Boyd, a University of Illinois at Chicago health informatics professor whose cardiology-related app is currently undergoing clinical trials, thinks FTC’s tool is great for developers to get acquainted with the byzantine regulatory landscape.
“It helps you delineate ‘hey, clearly we’re on the side of regulation,’ [or] ‘clearly, oh, we don’t have to worry about this,’” he said.
But Boyd agreed with Wyman.
“If you’re planning on commercializing a consumer health app and you don’t have an attorney involved about what the liability risks are, that’s a bad business plan,” he said.
Contact the reporter on this story via email Whitney.Wyckoff@fedscoop.com, or follow her on Twitter @whitneywyckoff.