According to Statista, as of the third quarter of 2020, there were 47,140 healthcare apps on Google Play and 48,608 on Apple Store. These numbers reach more than 400,000 when including mHealth apps such as fitness trackers or other health smart devices associated app.
In September 2020, there were more than 18,000 health-related mobile apps were downloaded on Google Play. Despite their differences, most of these applications share a common point: they collect personal data and must be regulated. But is it the case, and what are the mobile health laws applicable to health apps in the global world we live in?
More than 2.6 billion people use mHealth apps for tracking the weight, fitness, use health chatbots, and connect with a physician for a telemedicine consultation. The market is estimated to be over $40 billion. In 2025, Global Market Insight estimates the market to reach $289 billion.
The world is global, and big data is now a buzz word. We need to remember that for mHealth applications, the health information they collect represents very sensitive data that deserve to be protected. Being used in various countries, the applications need to comply with the local regulations of the user.
In the European Union, mobile medical apps must be compliant with EU laws such as The General Data Protection Regulation (GDPR) and The Data Protection Law Enforcement Directive.
In the U.S, mobile health laws regulate mobile health applications according to their purpose and data collection capabilities. At the Federal level, to ensure the privacy, safety, and security of the users, they include the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), the Federal Trade Commission Act (FTC Act) and the FTC’s Health Breach Notification Rule.
According to the final usage and how the data are shared or transmitted, the mobile health app will have to comply with one or more federal laws. The Federal Trade Commission (FTC) provides an interactive tool to define which one(s) will apply. If you plan to develop, are developing, or are already using a mobile health app, we strongly recommend to give it a look.
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA of 1996 was established to create confidentiality systems within and beyond healthcare facilities and keep health information private. Only those who “need to know” should have access to the data, and the non-authorized users should be penalized.
The protected information links a specific patient to healthcare information (name, social security number, telephone number, email address, street address, among others).
Mobile Health apps such as fitness trackers do not have to comply with HIPAA. They are intended for the patient’s personal use. Healthcare providers and health insurances fall under the “covered entities.” It means that apps developed for hospitals, doctors, or telehealth services should be HIPAA compliant.
Bear in mind that there is no certification for HIPAA compliance; it is the developing entity’s responsibility to ensure that the safeguards put in place are robust enough.
Federal Food, Drug, and Cosmetic Act (FD&C Act)
The Food and Drug Administration regulates medical devices according to the potential risks they carry for the user’s health. Class I medical devices such as a bandage pose a low risk, while an implanted pacemaker is considered Class III (the highest) due to the real threat to life it poses in case of malfunction.
Some Mobile Health apps. can be seen as a “software as a medical device.” For example, an App on a tablet interfacing with an imaging device such as an MRI or scanner and being used for diagnostic purposes will be considered part of the medical device. Hence the need for regulation by the FDA.
Federal Trade Commission Act (FTC Act)
To protect the consumers and ensure fair trade, some mobile health apps fall under the FTC Act. If an app. falls under the FDA purview, the FTC act will apply and prohibits deceptive or unfair practices.
The FTC will protect consumers from false advertising claims, thereby improving products’ quality and increasing confidence in the marketplace.
FTC’s Health Breach Notification Rule
Entities and mHealth apps not covered by the HIPAA have the legal obligation to notify the FTC and the consumers in case of a security breach. Recently 85% of the Covid-19 tracing apps were found to present severe security breaches. Weak encryption was the main reason for such data leaks.
Information Technology and Health care are two fields in constant evolution. Regulating mobile health apps is a work in progress. With the exponential increase in data collection and storage, a robust legal framework is a must-have to let users safely take advantage of the many benefits they offer.
To conclude
Mobile health laws are evolving and are still a work in progress. When developing a health app. always make sure that you follow the right legal framework. Even more importantly, always put the security and privacy of the data first. Amazon healthLake offers a new solution to store the health data collected in the cloud in an appropriately secured way. It may be a solution worth considering.