Mobile apps that collect and report health-related data have expanded consumers' ability to track their own health in inventive ways: a consumer can count her daily steps and caloric intake, monitor blood pressure, and track many other variables. Some apps are interactive and can transmit data to health professionals (or to other third parties) with or without the consumer's knowledge. These apps are subject to a myriad of privacy and data protection laws, depending on the nature and purpose of the app and the data it collects.
To help app developers through this legal maze, on April 5, 2016, the US Federal Trade Commission (FTC) launched an interactive online tool for app developers, at https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool , as well as a Best Practices Guide for mobile health app developers, at https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-app-developers-ftc-best-practices#keep .
The online tool was developed by the FTC in conjunction with two offices of the Department of Health and Human Services (the Office of the National Coordinator for Health Information Technology, or ONC, and the HHS Office for Civil Rights) as well as the Food and Drug Administration (FDA). It is intended to help developers understand which federal laws may apply to their apps.
The online tool asks developers roughly ten high-level questions about the app, such as its function, the data it collects, and the services it provides to users. Based on the developer's answers, the tool directs the developer to detailed information about the federal laws that might apply to the app, such as the FTC Act, the FTC's Health Breach Notification Rule, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Food, Drug, and Cosmetic Act (FD&C Act).
If the app is subject to the FTC Act, the FTC's online Best Practices for Mobile Health App Developers gives many helpful suggestions for app developers, and for their marketers and investors. The FTC advises health-related app developers to focus on eight "best practices":
- Minimize data collected: collect only what the app needs, and retain it only as long as needed.
- Limit access and permissions: request only the permissions the app actually requires, explain them clearly, and honor the limits that users are told about.
- Keep authentication in mind: decide what password and access protections are advisable for the sensitivity of the data.
- Consider the mobile ecosystem: understand which platform features protect the data, and decide how (if at all) data will be shared.
- Implement security by design: critical in the FTC's view, and something to build in from the start rather than bolt on later.
- Don't reinvent the wheel: take advantage of existing, well-tested tools to protect consumer data and privacy.
- Communicate clearly with users: ensure transparency and obtain consumer consent.
- Check compliance with other applicable laws: many states also regulate the security of health-related data.
Both the Best Practices advice and the online tool for mobile app developers reflect the FTC's basic Privacy Principles: privacy and data security should be basic building blocks of any online app; consumers should be well informed and should give specific consent for the use of their data; and app developers should honor their commitments and promises. While these seem like simple concepts, the devil is in the details, which of course is why the FTC released these understandable and easy-to-use guidance tools. Although the tools are designed specifically for health app developers, they are useful reminders and helpful guidance for anyone involved with consumer privacy and data security issues.