mHealth on the Horizon: Federal Agencies Paint Regulatory Landscape with Broad Brushstrokes

by Dan Vorhaus and Phil Ross (cross-posted from Genomics Law Report)

For years, and with increasing frequency, health care and information technology companies have touted the potential of mobile medical and health applications and technologies to improve the quality and delivery of health care through the use of technology. While the future of mobile health (frequently referred to as “mHealth”) is undoubtedly filled with promise, the legal and regulatory landscape in which mHealth technologies reside is only now beginning to take shape.

As mHealth developers, funders and even users consider investing in the field, or in particular mHealth technologies, they should keep in mind the emergent and fluid nature of the mHealth regulatory landscape. Here, we outline the likely key players and discuss several recent and projected initiatives with respect to the oversight of mHealth technologies:

The Food & Drug Administration (FDA). The FDA is responsible for protecting and promoting the public health through the regulation of, among other things, food safety, pharmaceutical drugs, and medical devices. Under emerging FDA mHealth oversight, the key question is which mobile medical technologies constitute “medical devices” that the FDA will focus on for regulatory action.

A medical device is generally defined as an instrument or machine whose purpose is to diagnose, cure, or treat a disease or other condition. Through draft guidance released in July 2011, the FDA expressed its intention to regulate only mobile medical applications that present the greatest risk to patients when they do not work as intended. The guidance defined a small subset of mobile medical apps that may affect the performance of currently regulated medical devices and will thus require FDA oversight. This subset included medical apps used as an accessory to a medical device already regulated by the FDA (for example, an app that connects the mobile device to vital signs monitors, cardiac monitors, or similar devices), as well as apps that transform a mobile platform into a regulated medical device through the use of attachments or sensors (for example, an app that acts as a blood glucose meter by using an attachment to a mobile device, or an app that uses a mobile device in determining blood donor eligibility prior to collection of blood). Further, certain mobile apps were intentionally excluded from FDA regulation, including mobile apps that are electronic copies of medical textbooks and reference materials, as well as those apps that are used only to record and track decisions related to maintaining general health and wellness (and not treatment). In the FDA’s recently published list of proposed guidance documents that it intends to publish during the 2013 fiscal year, the FDA listed “mobile medical applications” on its “A-list” for final guidance, and continues to seek comments, suggestions and draft language from interested persons.

In addition, in July 2012, President Obama signed into law the FDA Safety and Innovation Act (FDASIA). The FDASIA directed the FDA to develop, within 18 months, a strategic framework for information-technology regulation that “promotes innovation, protects patient safety, and avoids regulatory duplication.” This framework is intended to include mHealth technologies. Further, the FDASIA created a multi-agency commission to propose a strategy for regulating mobile health apps. However, the commission’s strategy is not due to be released until later in 2013; quite likely after the FDA releases its first set of final regulations for mHealth devices.

The Federal Communications Commission (FCC). While the FCC might not automatically be associated with the regulation of health care, the FCC has the authority to manage the electromagnetic spectrum. Therefore, the FCC may regulate every medical device that uses radio technology.

The FCC has taken several steps in recent years to promote mobile technology in health care. The FCC released the country’s first National Broadband Plan in 2010, which included suggested methods to aid innovation and improvement in the health care system. The FCC and the FDA also entered into a Memorandum of Understanding in 2010 in order to “promote collaboration and ultimately to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices.” Earlier this year, the FCC adopted new rules that made the U.S. the first country in the world to allocate spectrum for Medical Body Area Network (MBAN) devices.

Even more recently, the FCC released a report by its mHealth Task Force that included a number of recommendations to government, education, and the private sector to expand their collaboration efforts and to adopt policies intended to foster growth in mobile health technologies, including a recommendation that the FCC “play a leadership role in advancing mobile health adoption.” The FCC has already announced plans to act on at least some of the mHealth Task Force recommendations, including by the end of the year in some cases.

The Federal Trade Commission (FTC). The FTC has also been active in the area of mobile health technologies. Pursuant to the Federal Trade Commission Act (FTCA), the FTC regulates unfair or deceptive acts and practices, including false and misleading claims about a product or service. In recent years, the agency has shown a willingness to regulate mHealth devices and apps. For example, last year the FTC sanctioned two app developers for claiming, without the necessary research to support that claim, to be able to treat acne through colored lights emitted from a mobile device.

The FTC has also exhibited a strong and growing interest in mobile applications more broadly, recently publishing a resource—Marketing Your Mobile App: Getting It Right from the Start—to aid developers in avoiding regulatory pitfalls in designing mobile apps. While not specifically aimed at mHealth developers, the recommendations—including truthful claims, complete disclosure about information practices and the inclusion of “privacy by design” features—are clearly applicable to mHealth apps.

For example, if an mHealth app developer makes claims about the app’s capabilities, there must be “competent and reliable evidence” to support those claims. In the context of mobile health applications, as the FTC further notes, this requires competent and reliable scientific evidence. The FTC’s aforementioned action against the acne app developers is instructive: the developers claimed that their app could treat acne, but had no scientific evidence to support the claim.

The Department of Health and Human Services (HHS). In addition to the FDA, which is a division of HHS, HHS also oversees certain other privacy and security aspects of mHealth, including under its authority to enforce the Health Insurance Portability and Accountability Act (HIPAA). While a detailed analysis of HIPAA is beyond the scope of this article, HIPAA generally requires covered entities (i.e., health care providers, health plans and health care clearinghouses), along with their service providers and other “business associates,” to comply with security and privacy regulations designed to protect patients’ protected health information (“PHI”). Numerous health care providers have embraced mHealth (even if many of them do not necessarily understand why they are pursuing mHealth initiatives), meaning that many mHealth technologies, and especially those that collect, access or transmit PHI, are likely to directly or indirectly implicate HIPAA.

In addition, mHealth technologies are frequently integrated or intended to be compatible with electronic health records (EHRs), which implicates the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). HITECH was passed in order to encourage eligible providers and hospitals to make “meaningful use” of health information technology, including EHRs, by providing incentive payments to those eligible groups. Expectedly, increased taxpayer funding brings increased regulation to its recipients, and HITECH accordingly tightened the enforcement and civil penalties under HIPAA and applied certain HIPAA liability provisions to business associates that were previously inapplicable. HITECH also provides individuals with a right to obtain their PHI in an electronic format from a provider that has implemented an EHR system. Any mHealth developer who wishes to take advantage of HITECH’s incentive payments should make itself aware of the applicable HIPAA and HITECH regulation, including the recently issued Stage 2 Meaningful Use Regulations.

These considerations, along with the constant threat of health care data breaches—exacerbated by the portability and vulnerability of mobile devices—make mHealth an area of increasing importance for HHS. It should come as no surprise, then, that HHS recently established its own mHealth Initiative.

State Regulation. Even after navigating the myriad Federal agencies and regulations applicable to mobile health applications and products, there remains the matter of additional state law requirements. As we were reminded again last year in Bonanni, a HIPAA preemption case arising in Michigan, Federal statutes and regulations frequently establish only a “floor” (e.g., for the protection of PHI), with states having the freedom to enact their own more stringent legislation. Similarly, California’s Online Privacy Protection Act requires all mobile app providers to conspicuously post a privacy policy for review by end users. Earlier this fall, California’s attorney general put developers (including mHealth developers) on notice that, starting in December, the law (which carries fines of up to $2,500 per download of a non-compliant app) will be enforced.

As health data privacy and the oversight of mobile applications each continue to garner attention at the state level, mHealth constituents should expect to pay close attention to what’s happening in state capitols, as well as in Washington, D.C.

What’s Next? As is seemingly always the case with emerging technologies, the regulation and oversight of mHealth technologies lags behind. But as the above summary highlights, mHealth oversight is hardly non-existent, and mHealth companies and their investors ignore existing oversight at their own peril.

As for forthcoming oversight of mHealth technologies, while there is always the possibility of new legislation at the state and/or federal level (for example, a recent proposal in the House of Representatives would create a special Office of Mobile Health at the FDA), it is far more likely that additional oversight will come from within the existing legislative framework. With that in mind, it is encouraging that the major Federal agencies responsible for the oversight of mHealth technologies already have active mHealth programs in place. It is even more encouraging that inter-agency communication and coordination is, at least on paper, a clear priority.

How exactly this will ultimately play out over the next few years remains to be seen, of course, but the issuance of some additional Federal-level oversight for mHealth technologies appears nearly assured. Fortunately, there are already numerous opportunities for those businesses and individuals interested in the future of mHealth to make their voices heard.
