Mapping the Emerging Legal and Regulatory Landscape Governing Mobile Health Technologies

April 3, 2013, 4:00 AM UTC

For years, and with increasing frequency, health care and information technology companies have touted the potential of mobile medical and health applications and technologies to improve the quality and delivery of health care through the use of technology. The field is expanding at a rapid pace, with one current survey estimating that there are approximately 15,000 health-related apps available and that downloads of these apps have doubled over the past year.[1] While the future of mobile health (frequently referred to as “mHealth”) is undoubtedly filled with promise, the legal and regulatory landscape in which mHealth technologies reside is only now beginning to take shape.

[1] Joseph Conn, Most-healthful Apps, Modern Healthcare (Dec. 10, 2012), available at http://www.modernhealthcare.com/.

As mHealth developers, funders and even users consider investing their time and dollars in the field, including in particular mHealth technologies, they should keep in mind the emergent and fluid nature of the mHealth regulatory landscape. Such a nascent environment makes advance planning and careful organization more critical than ever, whether in obtaining consent from a patient before communicating via mHealth apps, coordinating with providers and payers to maximize an mHealth app’s utility and uptake, or interacting with regulators in order to ensure compliance with new laws. In this article we outline the likely key players and discuss several recent and projected initiatives with respect to the oversight of mHealth technologies:

The Food and Drug Administration (FDA). The FDA is responsible for protecting and promoting the public health through the regulation of, among other things, food safety, pharmaceutical drugs, and medical devices. Under emerging FDA mHealth oversight, the key issue is how new mobile medical technologies will be integrated into the existing FDA regulatory framework, including which mHealth technologies and products will be deemed to be “medical devices,” thereby ensuring FDA oversight.

Under Section 201(h) of the Federal Food Drug & Cosmetic Act (FDCA), a medical device[2] is defined in part as an instrument, machine or other apparatus which is (i) “intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease” or (ii) “intended to affect the structure or any function of the body.”

[2] FDA, Is the Product A Medical Device?, available at http://www.fda.gov/medicaldevices/deviceregulationandguidance/overview/classifyyourdevice/ucm051512.htm.

The FDA has never promulgated an overarching policy covering the regulation of software applications—mobile or otherwise—in the use and delivery of healthcare and the recent proliferation of mHealth software applications and related technologies has resulted in significant uncertainty. Through draft guidance[3] released in July 2011, the FDA expressed its intention to regulate only mobile medical applications that present the greatest risk to patients when they do not work as intended. The draft guidance defined a small subset of “Mobile Medical Apps” that may affect the performance of currently regulated medical devices and will thus require FDA oversight. This subset included medical apps used as an accessory to a medical device already regulated by the FDA,[4] as well as apps that transform a mobile platform into a regulated medical device through the use of attachments or sensors.[5] As with so much of FDA device regulation, the classification of an mHealth application as a medical device, which is a prerequisite for regulation under the draft guidance, would depend on the app’s “intended use.”

[3] Draft Guidance for Industry and FDA Staff (July 21, 2011), http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf. 5 MELR 476, 7/27/11.
[4] For example, an app that connects the mobile device to vital signs monitors, cardiac monitors, or similar devices.
[5] For example, an app that acts as a blood glucose meter by using an attachment to a mobile device, or an app that uses a mobile device in determining blood donor eligibility prior to collection of blood.

While the draft guidance has yet to be finalized, the FDA did recently list “mobile medical applications” on its “A-list” for final guidance on the agency’s list of proposed guidance documents slated for publication during the 2013 fiscal year.[6]

[6] FDA, CDRH Fiscal Year 2013 (FY 2013) Proposed Guidance Development, available at http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Overview/MDUFAIII/ucm321367.htm.

Republicans in the House of Representatives have also taken notice of the FDA’s presence in the mHealth arena, recently sending a letter to the FDA that raised several questions and concerns regarding the FDA’s draft guidance.[7] These included whether the FDA (1) had determined when it would provide final or updated guidance; (2) had fully considered the potential tax consequences for mobile medical device makers and app developers of the 2.3% medical device excise tax[8] under the Affordable Care Act (ACA);[9] and (3) would consider “actual use” in addition to “intended use” in its analysis and regulation of mHealth applications. In addition to putting the FDA on notice that it is watching the FDA’s mHealth activities closely, by its letter Congress (or at least some members of the House) is making clear its intent to balance regulatory oversight with economic considerations, a tension that has previously been evident in other attempted FDA regulatory initiatives.

[7] Letter from Congress of the U.S. House of Representatives, Committee on Energy and Commerce, to Margaret A. Hamburg, MD, Commissioner, FDA (March 1, 2013), http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/letters/030113FDAsmartphones.pdf. 7 MELR 169, 3/20/13; on March 20, FDA submitted a response: http://op.bna.com/hl.nsf/r?Open=kcpk-95zsw6 (see related item in Regulatory News section of this issue).
[8] IRS, Medical Device Excise Tax, available at http://www.irs.gov/uac/Newsroom/Medical-Device-Excise-Tax.
[9] Letter from Congress of the U.S. House of Representatives, Committee on Energy and Commerce, to Margaret A. Hamburg, MD, Commissioner, FDA (March 1, 2013), http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/letters/030113FDAsmartphones.pdf.

Meanwhile, several mHealth applications have already obtained FDA approval,[10] including a mobile ultrasound system[11] that combines smartphone technology with an attached ultrasound probe[12] in order to provide a lower-cost and more flexible alternative to purchasing a classic ultrasound unit, as well as a wireless wetness detector,[13] designed to prevent blood loss for dialysis patients at home by detecting venous needle displacement.[14] Certain mobile apps were intentionally excluded from FDA regulation, including mobile apps that are electronic copies of medical textbooks and reference materials, as well as those apps that are used only to record and track decisions related to maintaining general health and wellness (and not treatment). And many other mHealth technologies likely fall outside the narrow purview of the mobile medical software applications that are the subject of the FDA’s draft guidance. Nevertheless, mHealth application developers and their investors should be paying close attention to this guidance as it works its way through the FDA.

[10] One recent study found that more than 75 mobile apps have already been cleared by the FDA, available at http://mobihealthnews.com/research/75-fda-regulated-mobile-medical-apps.
[11] Accessdata.FDA.gov, 510(k) Premarket Notification, Mobius Ultrasound Imaging System (January 20, 2011), available at http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPMN/pmn.cfm?ID=34639.
[12] MobiSante.com, Mobile and Accessible Ultrasound Imaging, available at http://www.mobisante.com.
[13] Accessdata.FDA.gov, Fresenius Medical Care, 510(k) Summary, Hemodialysis Machine (December 1, 2010), http://www.accessdata.fda.gov/cdrh_docs/pdf7/K070049.pdf.
[14] Fresenius Medical Care, Dialysis Products, WetAlert™ Wireless Wetness Detector, available at http://www.fmcna.com/fmcna/HomeTherapies/WetAlert/wet-alert.html.

In addition to the draft guidance already in progress, the FDA is also tasked with the implementation of the FDA Safety and Innovation Act[15] (FDASIA), which was signed into law by President Obama in July 2012. The FDASIA directed the FDA to develop, within 18 months, a strategic framework for health information technology regulation that “promotes innovation, protects patient safety, and avoids regulatory duplication.” This framework is intended to include mHealth technologies. The report outlining this framework is not required to be delivered until later in 2013, and will likely arrive after the FDA releases its first set of final regulations for mHealth devices. Meanwhile, however, the FDA, Office of the National Coordinator for Health IT (ONC) and Federal Communications Commission (FCC) recently announced the formation of a workgroup to solicit inter-agency and public participation in the development of the required health IT regulatory framework.[16] mHealth stakeholders should consider direct or indirect participation in this FDASIA workgroup.

[15] FDA Safety and Innovation Act (2012), http://www.fda.gov/RegulatoryInformation/Legislation/FederalFoodDrugandCosmeticActFDCAct/SignificantAmendmentstotheFDCAct/FDASIA/ucm20027187.htm.
[16] FDA, Health IT Regulatory Framework, available at http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/ConnectedHealth/ucm338920.htm.

The Federal Communications Commission (FCC). While the ONC and FDA are natural candidates to participate in the regulation of mHealth, the FCC’s role in the conversation—and its participation in the FDASIA workgroup—is perhaps less intuitive. Generally speaking, the FCC has the authority to manage the electromagnetic spectrum and, therefore, a regulatory stake in every medical device that uses radio technology.

In addition to its participation in the FDASIA workgroup, the FCC has taken several steps in recent years to promote mobile technology in health care. The FCC released the country’s first National Broadband Plan[17] in 2010, which included suggested methods to aid innovation and improvement in the health care system. The FCC and the FDA also entered into a Memorandum of Understanding[18] in 2010 in order to “promote collaboration and ultimately to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices.”

[17] broadband.gov, Connecting America: The National Broadband Plan, available at http://www.broadband.gov/plan.
[18] FDA-FCC memo available at http://op.bna.com/hl.nsf/r?Open=bbrk-962n2w. (4 MELR 532, 7/28/10)

In May 2012, the FCC took an even more concrete step when the commission adopted new rules[19] that made the U.S. the first country in the world to allocate spectrum for Medical Body Area Network (MBAN)[20] devices. MBANs are low-power wideband networks consisting of sensors that are worn on a patient’s body and transmit data about the patient over wireless networks to a control device. The FCC touted its authorization of MBANs as a key to “transform patient care, lower health care costs, and spur wireless medical innovation.”[21]

[19] Jennifer Hutchens, Amit Bhagwandass, Removing Cables: New FCC Rule Paves Way for Utilization of Wireless Medical Technology (August 8, 2012), available at http://www.genomicslawreport.com/.
[20] FCC, Medical Body Area Networks First Report and Order (May 24, 2012), available at http://www.fcc.gov/document/medical-body-area-networks-first-report-and-order. 6 MELR 357, 5/30/12.
[21] FCC, FCC Dedicates Spectrum Enabling Medical Body Area Networks (May 24, 2012), available at http://www.fcc.gov/document/fcc-dedicates-spectrum-enabling-medical-body-area-networks.

Even more recently, the FCC released a report[22] by its mHealth Task Force that included a number of recommendations to government, education, and the private sector to expand their collaboration efforts and to adopt policies intended to foster growth in mobile health technologies, including a recommendation that the FCC “play a leadership role in advancing mobile health adoption.” In September 2012, the FCC announced plans to act on at least some of the mHealth Task Force recommendations,[23] and had already taken action on many of these items, including the recruitment of a permanent FCC Health Care Director,[24] the expansion of broadband connectivity for health technology,[25] and the creation of a new FCC health care-dedicated website.[26]

[22] mHealth Task Force, Findings and Recommendations (September 24, 2012), http://www2.itif.org/2012-mhealth-taskforce-recommendations.pdf.
[23] FCC blog, FCC Acts on Key mHealth Task Force Recommendations to Spur Adoption of Wireless Health Technology (September 25, 2012), available at http://www.fcc.gov/blog/fcc-acts-key-mhealth-task-force-recommendations-spur-adoption-wireless-health-technology.
[24] FCC blog, FCC Begins Search for Health Care Director and Launches New Health Website (December 13, 2012), available at http://www.fcc.gov/blog/fcc-begins-search-health-care-director-and-launches-new-fcc-health-website.
[25] FCC, New Healthcare Connect Fund Expands Access to Broadband for Healthcare (December 12, 2012), available at http://www.fcc.gov/document/new-healthcare-connect-fund-expands-access-broadband-healthcare.
[26] FCC Health Care Initiatives, available at http://www.fcc.gov/health.

The Federal Trade Commission (FTC). The FTC has also been active in the area of mobile health technologies. Pursuant to the Federal Trade Commission Act (FTCA), the FTC regulates unfair or deceptive acts and practices, including false and misleading claims about a product or service. In recent years, as the market for mHealth products and services has expanded, the agency has shown a willingness to regulate mHealth companies in an attempt to safeguard consumers and patients. For example, last year the FTC sanctioned two app developers[27] for claiming, without the necessary research to support that claim, to be able to treat acne through colored lights emitted from a mobile device.

[27] FTC, “Acne Cure” Mobile App Marketers Will Drop Baseless Claims Under FTC Settlements (September 8, 2011), available at http://ftc.gov/opa/2011/09/acnecure.shtm.

The FTC has also exhibited a strong and growing interest in data privacy and mobile applications in a broader sense, recently publishing a resource—Marketing Your Mobile App: Getting It Right from the Start[28]—to aid developers in avoiding regulatory pitfalls in designing mobile apps. While not specifically aimed at mHealth developers, the recommendations—including truthful claims, complete disclosure about information practices and the inclusion of “privacy by design” features—are clearly applicable to mHealth apps, particularly given the sensitive nature of data collected and used by many mHealth apps.

[28] FTC, Marketing Your Mobile App: Get It Right from the Start (August 2012), available at http://business.ftc.gov/documents/bus81-marketing-your-mobile-app.

For example, if an mHealth app developer makes claims about the app’s capabilities, there must be “competent and reliable evidence” to support those claims. In the context of mobile health applications, as the FTC further notes, this requires competent and reliable scientific evidence. The FTC’s aforementioned action against the acne app developers is instructive: the developers claimed that their app could treat acne, but had no scientific evidence to support the claim. mHealth developers should consider investing a small amount up-front to understand the FTC best practices for app development and marketing in order to avoid a significant later compliance issue.

The Department of Health and Human Services (HHS). Beyond the FDA (a division of HHS), HHS also oversees certain other privacy and security aspects of mHealth, including pursuant to its authority to enforce the Health Insurance Portability and Accountability Act (HIPAA). While a detailed analysis of HIPAA is beyond the scope of this article, HIPAA generally requires covered entities[29] (i.e., health care providers, health plans and health care clearinghouses), along with their service providers and other “business associates,”[30] to comply with security and privacy regulations designed to protect patients’ protected health information (“PHI”). Numerous health care providers have embraced mHealth (even if many of them do not necessarily understand why they are pursuing mHealth initiatives),[31] meaning that many mHealth technologies, and especially those that collect, access or transmit PHI, are likely to directly or indirectly implicate HIPAA.

[29] HHS, Understanding HIPAA Privacy For Covered Entities and Business Associates, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html.
[30] HHS, Understanding HIPAA Privacy For Business Associates (December 3, 2002, Revised April 3, 2003), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.
[31] FierceMobileHealthcare.com, Gienna Shaw, Many mHealth Programs Lack Focus, Direction (September 24, 2012), available at http://www.fiercemobilehealthcare.com/story/many-mhealth-programs-lack-focus-direction/2012-09-24.

In addition, mHealth technologies are frequently integrated or intended to be compatible with electronic health records (EHRs), which implicates the Health Information Technology for Economic and Clinical Health Act of 2009[32] (HITECH). HITECH was passed in order to encourage eligible providers and hospitals to make “meaningful use”[33] of health information technology, including EHRs, by providing incentive payments to those eligible groups. Expectedly, increased tax-payer funding brings increased regulation to its recipients, and HITECH accordingly tightened the enforcement and civil penalties[34] under HIPAA and applied certain HIPAA liability provisions to business associates[35] that were previously inapplicable. HITECH also provides individuals with a right to obtain their PHI in an electronic format from a provider that has implemented an EHR system. Any mHealth developer who wishes to take advantage of HITECH’s incentive payments should make itself aware of the applicable HIPAA and HITECH regulation, including the recently issued Stage 2 Meaningful Use Regulations.[36] In addition, mHealth developers subject to HIPAA should be aware of the recently released guidance regarding de-identification of PHI,[37] which is the process of removing patient identifiers from health information in order to reduce the privacy risks to individuals and thereby promote secondary use of the remaining data for research and other beneficial studies.

[32] HHS, HITECH Act Enforcement Interim Final Rule, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html.
[33] HealthIT.gov, Meaningful Use, available at http://www.healthit.gov/policy-researchers-implementers/meaningful-use.
[34] HHS, HITECH Act Enforcement Interim Final Rule, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html.
[35] HIMSS, Business Associate Agreements under the HITECH Act: A Summary of Policy and Legal Issues for the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) (November 24, 2009), search by title at http://www.himss.org/.
[36] HealthIT.gov, Meaningful Use Stage 2, available at http://www.healthit.gov/policy-researchers-implementers/meaningful-use-stage-2.
[37] HHS, Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (November 26, 2012), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.

Finally, in January 2013, HHS released the long-anticipated omnibus final rule[38] (the Final Rule) under the authority of HITECH and the Genetic Information Nondiscrimination Act (GINA). Among other significant changes, the Final Rule expanded the definition of a “business associate” to include a subcontractor who “creates, receives, maintains, or transmits PHI” on behalf of a business associate. Providers and developers of mHealth apps need to re-evaluate whether they are now—or are likely to become as they pursue their current course of business development—responsible for HIPAA compliance under the expanded definition of business associate, and how to address their compliance obligations both contractually and practically in the development of mHealth apps and other products. As discussed above, a small investment up-front in understanding these issues can help head off significant compliance problems and regulatory constraints farther on down the road.

[38] Federal Register, Vol. 78, No. 17, Rules and Regulations, Final Rule (January 25, 2013), http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

These considerations, along with the constant threat of health care data breaches[39]—which are exacerbated by the portability and vulnerability of mobile devices—make mHealth an area of increasing importance for HHS. It should come as no surprise, then, that HHS has recently enacted a variety of mHealth Initiatives.[40]

[39] Health care data breaches are concerning not just from a regulatory perspective, but also from a business perspective in terms of the practical costs associated with such a breach. One study determined that a health care data breach on average costs a health care organization $2.4 million over a two-year period: available at http://www2.idexpertscorp.com/assets/uploads/ponemon2012/Third_Annual_Study_on_Patient_Privacy_FINAL.pdf.
[40] HHS, mHealth Initiative, available at http://www.hhs.gov/open/initiatives/mhealth.

State Regulation. Even after navigating the myriad Federal agencies and regulations applicable to mobile health applications and products, there remains the matter of additional state law requirements. As we were reminded again in 2011 in Isidore Steiner DPM PC v. Bonnani, a HIPAA preemption case arising in Michigan,[41] Federal statutes and regulations frequently establish only a “floor” (e.g., for the protection of PHI), with states having the freedom to enact their own more stringent legislation. Similarly, while not a Federal requirement, California’s Online Privacy Protection Act requires all mobile app providers to conspicuously post a privacy policy for review by end users. In October 2012, California Attorney General Kamala D. Harris put developers (including mHealth developers) on notice[42] that, starting in December, the law (which carries fines of up to $2,500 per download of a non-compliant app) will be enforced. Following through on this warning, the Attorney General filed the first enforcement action[43] under California’s Online Privacy Protection Act against Delta Airlines for allegedly failing to post a privacy policy[44] that covers its mobile app and that is reasonably accessible from within the mobile app itself.

[41] Jennifer Hutchens, Phillip C. Ross, Don’t Forget About State Law: Michigan Decision Reminds Health Care Providers of HIPAA Preemption Issue (June 28, 2011), available at http://www.genomicslawreport.com/.
[42] California Attorney General, Attorney General Kamala D. Harris Notifies Mobile App Developers of Non-Compliance with California Privacy Law (October 30, 2012), available at http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance.
[43] The People of the State of California v. Delta Air Lines, Inc., No. CGC-12-526741, Superior Court of CA, County of San Francisco, Register of Actions (December 6, 2012 through March 2013).
[44] BNA’s Privacy & Data Security Law Resource Center (December 10, 2012), available at http://www.bna.com/california-ag-sues-n17179871357.

States are also rapidly expanding their efforts to understand and oversee mobile applications and technologies, including through the issuance of regulatory guidance and the passage of new legislation. Some efforts have even focused on the use of such technology in the practice of medicine. For instance, in January 2013, California released a publication titled Privacy on the Go: Recommendations for the Mobile Ecosystem[45] and Rhode Island issued Guidelines for the Appropriate Use of Telemedicine and the Internet in Medical Practice.[46]

[45] California Attorney General, Privacy On The Go, Recommendations for the Mobile Ecosystem (January 2013), http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf.
[46] Rhode Island Department of Health, proposed Guidelines for the Appropriate Use of Telemedicine and the Internet in Medical Practice (January 4, 2013), http://op.bna.com/hl.nsf/r?Open=bbrk-95yncu.

As health data privacy and the oversight of mobile applications each continue to garner attention at the state level, mHealth constituents should expect to pay close attention to what’s happening in state capitols, as well as in Washington, D.C.

What’s Next? As is seemingly always the case with emerging technologies, the regulation and oversight of mHealth technologies lags behind. But as the above summary highlights, mHealth oversight is hardly non-existent, and mHealth companies and their investors ignore existing oversight at their own peril.

As for forthcoming oversight of mHealth technologies, while there is always the possibility of new legislation at the state and/or federal level (for example, an ongoing[47] proposal in the House of Representatives would create a special Office of Mobile Health at the FDA,[48] while another proposal in the House would regulate how the developers of mobile apps—including health apps—collect personal data),[49] it is far more likely that additional oversight will come from within the existing legislative framework. With that in mind, it is encouraging that the major Federal agencies responsible for the oversight of mHealth technologies already have active mHealth programs in place, and even more encouraging that inter-agency communication and coordination appears to be a clear priority. With additional Federal- and state-level regulation of mHealth technologies inevitable, now is the time for mHealth stakeholders to make their voices heard and seek to not only understand, but to shape, the emerging mHealth legal and regulatory landscape.

[47] Neil Versel, Lawmaker: Proposed FDA Office of Wireless Health would give industry ‘confidence’ (February 11, 2013), available at http://mobihealthnews.com/20249/lawmaker-proposed-fda-office-of-wireless-health-would-give-industry-confidence.
[48] House of Representatives’ Proposal to foster further innovation and entrepreneurship in the health information technology sector, 112th Congress, 2d Session, H.R. 6626 (December 3, 2012), http://www.personalizedmedicinebulletin.com/files/2012/12/HR-6626.pdf.
[49] The Application Privacy, Protection, and Security (APPS) Act of 2013, (January 16, 2013), available at http://apprights-hankjohnson.house.gov/2013/01/apps-act.shtml.
