By Mary Hildebrand, CIPP/E/US, Matt Savare, and Cassandra Porter, CIPP/US
Mobile app usage has penetrated nearly every industry and facet of our lives, from banking and dating to transportation and dining. This is especially true in the health and wellness sector. In 2014, the number of U.S. consumers using mobile health apps was only 16 percent. Two years later, this percentage doubled to 33 percent¹ and continues to grow rapidly. Despite this meteoric growth, many developers and publishers of mobile health apps do not understand the panoply of laws and regulations that govern their products. Luckily, guidance is available.
In April 2016, the Federal Trade Commission (“FTC”), along with several federal agencies,² released an interactive tool³ to assist developers and publishers of mobile health apps in determining which United States federal laws may apply to their applications. By working through ten “yes or no” questions, developers are able to evaluate the app’s functions and operations (e.g., whether it creates, receives, maintains or transmits information, how the information will be used and accessed, and who will be using the information) and whether those functions trigger duties under U.S. privacy law. A developer’s answers direct it to consider the various laws and protocols that may be applicable, such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the FTC’s Health Breach Notification Rule (the “FTC Breach Rule”).⁴
Although each of the questions identified by the tool is important, for most mobile health app developers and publishers, two questions should remain at the forefront of this analysis: First, will the app create, receive, maintain or transmit health information (“HI”) between the consumer and “another party”? Second, who is the “other party”? If it is a “Covered Entity” or “Business Associate,” HIPAA may apply.⁵ If neither a Covered Entity nor a Business Associate is involved, developers should pay close attention to the standards established under the FTC Breach Rule.
Under HIPAA, a “Covered Entity” may include health plans, clearinghouses and certain health care providers.⁶ For these purposes, health plans include health insurance companies, health maintenance organizations, employer-sponsored health plans, and government programs that pay for health care, like Medicare. The term clearinghouse refers to organizations that process health information on behalf of other organizations. A health care provider includes the entities to which we would typically assume HIPAA is most applicable: doctors, nursing homes and pharmacies. A “business associate” may be a third-party administrator that assists a health plan with claims processing, a consultant, a health care clearinghouse, and/or a covered entity performing work for another covered entity.
An app that collects demographic information (e.g., the user’s birthdate or IP address), along with data regarding the user’s past, present, or future physical or mental health or condition, or data concerning the provision of healthcare, may be subject to the HIPAA Security Rule and/or the HIPAA Privacy and Breach Notification Rules.⁷ Why? Because the act of creating, receiving, maintaining and/or transmitting HI on behalf of a Covered Entity or a Business Associate is governed by HIPAA.
However, if HIPAA doesn’t apply, the FTC Breach Rule may, if the app stores or organizes personal health records. A personal health record (“PHR”) is “an electronic record of ‘identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.’”⁸ The FTC Breach Rule requires that notice be provided to users if their PHR-identifiable health information is unsecured and an unauthorized acquisition occurs.⁹ In English: similar to HIPAA, the FTC Breach Rule requires certain safeguards to protect HI and requires that notice be provided if a breach involving certain HI occurs.
Even if an app is not anticipated to collect or transmit HI, at some point this possibility may present itself. Accordingly, mobile app developers should generally be familiar with HIPAA and the FTC Breach Rule security measures and practices as a way to anticipate costs (and ways to create cost savings) in the long term. For example, the process to encrypt data before transmission to an end user may seem like an expensive safeguard. However, if the app is used to transmit HI, this safeguard will be critical to ensuring it is compliant with applicable privacy law. Developers may also consider early in an app’s development whether additional security measures should be included in the app’s security protocol. For example, can the app be wiped remotely from another device in the event sensitive data is compromised? And who will control the decision as to whether an app will transmit data to a third party? If the end user is not in control, clear and conspicuous disclosures to the end user will need to be made.
In sum, having a basic understanding of HIPAA, the FTC Breach Rule, and the FTC Act, along with addressing each of these laws in the design of your mobile health app, is crucial in this highly regulated environment.
¹ “Consumers’ Use of Health Apps and Wearables Doubled in Past Two Years, Accenture Survey Finds,” Business Wire, March 3, 2016, http://www.businesswire.com/news/home/20160303005016/en/Consumers%E2%80%99-Health-Apps-Wearables-Doubled-Years-Accenture (last visited Oct. 13, 2016).
² The agencies include the U.S. Department of Health & Human Services, the Office of the National Coordinator for Health Information Technology, the Office for Civil Rights, and the Federal Drug Administration.
³ The tool is accessible here: https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool (last visited Nov. 16, 2016).
⁴ As of February 2010, the FTC Breach Rule covers businesses not otherwise subject to HIPAA if there is a breach of unsecured, individually identifiable electronic health information. See “Complying with the FTC’s Health Breach Notification Rule,” April 2010, https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule (last visited Nov. 16, 2016).
⁵ Admittedly, determining who (or what) is a “Covered Entity” or a “Business Associate” under HIPAA can be difficult. Luckily, there is a tool to help make this determination. See Covered Entity Guidance at https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf (last visited Nov. 16, 2016).
⁶ See 45 C.F.R. § 160.103.
⁷ For additional examples, please see “Health App Use Scenarios & HIPAA” at http://hipaaqsportal.hhs.gov/ (last visited Sept. 13, 2016).
⁸ See “Complying with the FTC’s Health Breach Notification Rule” at https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule (last visited Nov. 16, 2016). For example, according to FTC guidance, an “online service that allows consumers to store and organize medical information from many sources in one online location” is an example of a “vendor of personal health records.” Id. However, entities covered by HIPAA are not vendors of PHRs. Id.
⁹ Id., “What Triggers the Notification Requirement.”
¹⁰ See “Sharing Consumer Health Information? Look to HIPAA and the FTC Act” at https://www.ftc.gov/system/files/documents/plain-language/pdf-0219_sharing-health-info-hipaa-ftcact.pdf (last visited Nov. 16, 2016).