Medical App Developers Must Navigate Web of Regulation

April 13, 2015

Medical apps are a hot commodity, but before you jump in to the development market, take time to fully understand federal regulatory requirements.

With the demand for mobile health apps exploding, practices may be tempted to get in on the act by creating apps for their patients. But before they dive in, legal experts at the Healthcare Information Management and Systems Society 2015 Annual Conference said, it is important to understand the potential risks apps can pose to patient data and how mobile software is regulated in the United States.

By any measure, the market for mobile health (mHealth) apps is exploding. The number of smart devices in the United States is doubling every five years, according to speaker Sharon Klein, a lawyer who specializes in mHealth and a partner at Pepper Hamilton LLP. There is a growing, multi-billion dollar market for health apps, Klein said, yet the framework for regulating these products and the risks associated with them are still evolving.

"mHealth is facing a perfect storm of regulation," Klein said. She explained that there is currently a spider web of regulations related to health apps from the U.S. Food and Drug Administration (FDA), the Federal Trade Commission (FTC), the Federal Communications Commission, and HHS.

One of the chief concerns of regulators is the privacy and security of patient data collected and transmitted by health apps. This is a growing concern, Klein said, because medical identity theft is rampant, affecting 1.5 million Americans and costing the healthcare industry $30 billion a year.

Data thieves are commanding $50 for a complete medical identity on the black market, compared with $1 for a Social Security number, Klein said. With such a premium on health data, thieves are selling any medical data they can acquire, even if it is not enough on its own to commit medical identity fraud. Online data from multiple breaches is often pooled, allowing fraudsters to piece together enough of an individual's identity to fool insurers or healthcare institutions, Klein explained.

"It's becoming a sophisticated process," she said.

Once a patient's medical identity has been acquired, that patient and his insurance company may be fraudulently charged for procedures the patient never received, she said.

While most practices may be familiar with the patient privacy regulations associated with HIPAA and the Health Information Technology for Economic and Clinical Health Act, understanding these laws is not enough for app developers, according to Klein. For example, she explained that the FTC has taken action against an app developer for not adequately disclosing to users how their data was being used.

The FDA's regulatory requirements for apps vary based on the risks associated with the app and its intended use, explained speaker Colleen Hittle, managing director of Navigant Consulting, Inc., which advises developers on the FDA approval process. Hittle noted that it is wise for app developers to talk with the FDA about which process their app should go through.

Knowing what is required of developers by various regulatory agencies is critical, according to both Hittle and Klein. Hittle emphasized the importance of carefully documenting every step in the app development process. Klein recommended that would-be developers read the guidelines set out by U.S. regulatory agencies, including the FTC's Protecting Consumer Privacy in an Era of Rapid Change report.

"Start thinking before you build an app," Klein said.