The Federal Trade Commission (FTC) has released a new interactive tool & best practice guide to help developers of health apps navigate a complex and confusing regulatory maze.
While most clinicians would probably expect the FDA to be the most active player when it comes to oversight of medical and health apps, the FDA medical app guidance released a few years ago made it clear that the agency intended to focus on a very narrow sliver of commercially available medical apps. The FTC has increasingly asserted its regulatory muscle when it comes to health apps, particularly those that make specific health claims.
And while they’ve come down on some clearly unscrupulous actors, like makers of health apps claiming to treat specific diseases, many regulators have acknowledged that the regulatory scheme can be incredibly confusing for well-intentioned developers. To their credit, we’ve often seen regulators from the FDA on the road meeting with numerous stakeholders to provide guidance and solicit feedback. Recently, the Office for Civil Rights (OCR) published some practical guidance on when HIPAA applies to health apps.
The latest resources from the FTC were developed in collaboration with the FDA, OCR, and others, and are intended to provide some clarity for a developer trying to figure out which regulations may apply to their app. The first is an interactive tool that asks a series of basic questions about things like the health app’s functionality, the developer’s association with a provider or insurer, and whether the app collects protected health information. Based on the answers, it tells you which regulations may apply and provides links for more information.
The second resource is a health app best practices guide from the FTC that provides some great tips as well as useful resources for developing a health app. Most of these best practices focus on data security and privacy, urging developers to minimize the user data they collect, implement authentication, limit third-party data access, and so on. Some of it is (hopefully) common sense, like only storing data you actually need or never transmitting passwords in plaintext. However, given recent studies highlighting some startling deficiencies in health apps’ approach to privacy, it’s clearly worth a read for most health app developers.