The tendency for technology to outpace regulations is a legitimate concern, especially when it comes to technology related to health. As new mobile medical applications and devices hit the market, the U.S. government has been trying to figure out how these new technologies, devices, and services should be regulated. The federal laws below regulate the creation and use of mobile medical applications in order to protect the safety, privacy, and security of their users.
Food and Drug Administration Safety and Innovation Act (FDASIA)
FDASIA was signed into law on July 9, 2012, and enables the Food and Drug Administration (FDA) to charge user fees from drug companies in order to fund the testing of new drugs, generic drugs, and medical devices. The intention of the law is to expedite innovation in order to speed patient access to medical products, and it includes provisions to help the FDA ensure the safety of drugs in an increasingly global medical supply chain.
What this means is that the FDA can more efficiently regulate new mobile health products. Per the recommendations posted on the Office of the National Coordinator for Health Information Technology, FDA, and Federal Communications Commission websites, medical devices are considered to fall into one of three categories: products with administrative health IT functions, products with health management IT functions, and products with medical device health IT functions. The FDA intends to focus primarily on regulating the third, as it poses the most risk to consumers.
Health Insurance Portability and Accountability Act (HIPAA)
This law was passed in 1996 in order to make the health care system more efficient and to protect the privacy of individuals whose medical data is processed electronically. The law standardizes the methods by which entities in the health care industry transfer electronic medical data, and institutes rules regulating the use of individuals’ medical data.
Protected Health Information is any kind of information held by an entity covered by the law that can be linked to an individual. Under this definition, Protected Health Information is coded by reference to eighteen personal identifiers, including names, medical record numbers, and IP addresses. This information must be protected by “Covered Entities”—those in charge of this information, which can be health care providers, their business associates, or any entity that can be reasonably expected to come into contact with medical data on a daily basis. In the case of a security breach that compromises private health information, the law provides a sliding-scale of fines depending on the entity’s level of culpability, and the entity is required to notify the individuals affected of the breach.
HIPAA requires certain mobile medical app developers to comply with its rules and protect private medical data only if they are classified as a “Covered Entity” under the law, meaning they’re affiliated with a health care provider or are a business associate of one.
Federal Food, Drug, and Cosmetic Act (FD&C)
In 1938, after some particularly egregious examples of deaths and injuries linked to new consumer products, stricter controls over drugs and food were enacted in the form of FD&C. This law, along with many amendments added over the years, is still in place today.
The law allows the FDA to place stricter controls on medical device manufacturers, requiring that they file reports on the device’s safety and effectiveness, which the FDA then reviews before allowing it to go to market. Medical devices are sorted according to the risk they pose to consumers into Class I, Class II, and Class III. Class I poses the least risk—for instance, dental floss is Class I—whereas Class II products, including condoms, involve greater risk and therefore invite greater regulatory control. Class III are the highest-risk devices and therefore require an even greater level of regulation, and must be approved by the FDA before going to market; an example of a Class III medical device would be something like a replacement heart valve.
Federal Trade Commission (FTC)
The FTC has a dual role of protecting consumers as well as promoting competition in order to ensure fair prices and high quality for consumer products. For consumers they regulate the marketplace in order to prevent “unfair, deceptive or fraudulent practices.” For instance, they might research a product that claims to cure acne in order to substantiate the claims of the product’s manufacturers. If not, the FTC can sue them, thereby protecting consumers from unfair practices in the marketplace.
This goes for mobile medical devices and applications, too. The FTC investigates companies that market them in order to protect consumers from false advertising claims, thereby improving the quality of products in the marketplace.
FTC’s Health Breach Notification Rule: This rule requires that entities not covered by HIPAA notify consumers of a security breach of medical information. It specifies when and how to provide the notification, and applies to vendors of Personal Health Records (PHRs), PHR-related entities, or a third party affiliated with them.
This applies to mobile medical devices or applications if they interact with PHRs. For instance, if a consumer uses a product to upload information into a personal health record, the product is beholden to this law. However, if a consumer simply inputs personal medical information into a product in a way that doesn’t interact with personal health records—for instance, if a consumer inputs their weight each month into an application meant simply to track fitness goals—then the law does not apply, and the notification requirements don’t apply in the event of a security breach.
Children’s Online Privacy Protection Rule (COPPA)
COPPA protects children’s privacy by giving parents control over what websites can gather personal information from their children. To comply with COPPA, websites and mobile apps must do the following: post clear, comprehensive online privacy policies; provide notice directly to parents, and obtain their verifiable consent, before collective children’s personal information online; give choice to parents regarding the way their children’s personal information is used, while prohibiting the company or operator from sharing it with third parties; and provide parents with access to the information in question for review.
Moreover, the law protects children by maintaining the security and privacy of children’s information, and the companies or operators in question can only retain the information for the purposes for which it was originally collected—also consented to by parents—and must be deleted as soon as that purpose has been fulfilled.
To learn to speak the language of health law and distinguish your role as a leader with specialized health care compliance expertise, look to pursue a Master in Health Law and Policy from Hofstra Law.