Mobile Health App Developers Seek Guidance on Federal Regulations

Tracking health using mobile technology — also known as mHealth — is a booming field, with more than 100,000 health and fitness apps currently available for download onto smartphones. As developers seek to create the next wearable activity tracker or a new app to monitor pacemakers, experts are questioning the role of regulations, the U.S. Food and Drug Administration (FDA) and federal privacy laws.

Federal agencies have made progress in developing and communicating regulatory guidance for mHealth technologies, according to two experts who spoke at a 19 November Capitol Hill briefing about the regulatory future of mHealth. However, these agencies, particularly the FDA, must devote more resources to meet the needs in this growing field, which is expected to be a $26 billion industry by 2017.

The "Your iPhone Will See You Now: Mobile Health in the 21st Century" briefing brought together Bradley Merrill Thompson, leader of the medical device regulatory practice and digital health practice at law firm Epstein, Becker & Green; and Deven McGraw, deputy director for health information privacy in the U.S. Department of Health and Human Services' Office for Civil Rights.

The event was organized by AAAS as part of its project to explore the legal challenges of mHealth, funded by the Robert Wood Johnson Foundation. Rep. Mike Honda (D-Calif.), whose district includes Silicon Valley, home to scores of mHealth app developers, sponsored the session.

"The technology, exciting and promising as it is, raises complex policy and legal issues," said Deborah Runkle, a senior program manager at AAAS and the session's moderator.

Determining whether technologies are regulated or are subject to medical privacy laws can be a complex task, particularly because mHealth encompasses such a broad range of technologies, according to the panelists. Mobile health technologies can work independently, can be embedded in a medical device, or can be an accessory to a medical device, Thompson said.

Thompson said the FDA has started by determining which technologies it will not be regulating. The agency announced in February that it would not regulate the simplest mHealth technology: software that is used primarily to store, transfer, display, or convert data from a medical device, such as a program that stores blood pressure readings for later review. However, Thompson said this guidance conflicts with existing rules and called for the agency to address the discrepancy.

Thompson praised the FDA for its decision earlier this year to step back from the regulation of "wellness" apps, allowing app developers to claim that their product can help patients with a particular disease live a healthy life. For instance, developers of a calorie-tracking app can say it is particularly helpful for people with diabetes.

The FDA will "permit you to make claims of relationships to diseases as long as you don't claim to cure them or diagnose them," Thompson noted. "That is very important for the industry."

For mHealth technologies that are regulated by the FDA, the agency must assign the correct level of oversight, Thompson said. He noted that the agency classifies a huge range of regulated devices into three categories based on the risk they pose. Class I, which includes tools as simple as tongue depressors, receives the least oversight, while Class II (which includes glucose readers) and Class III (which includes pacemakers) are more strictly regulated.

Thompson identified several particular areas the agency must address, including the regulation of apps that guide the use of pharmaceuticals. These products are overseen by both the FDA's Center for Drug Evaluation and Research and the Center for Devices and Radiological Health. Because emerging mHealth technologies can blur the boundaries of existing centers within the FDA, the agency must be more adaptable in fulfilling its oversight obligations in a timely and effective manner, so that innovation is encouraged, not blocked, he said.

As the field of mHealth continues to grow, Thompson said the FDA does not presently have the financial and personnel resources to keep pace with the developing technology, and called upon Congress to ensure that the FDA has the resources it needs to respond to the mobile health sector in fast-paced Silicon Valley.

The Department of Health and Human Services is also working to reach innovators directly to help answer their questions about regulation of their products, McGraw said. HHS recently launched an online portal specifically for health app developers to ask questions about the Health Insurance Portability and Accountability Act of 1966, or HIPAA.

HIPAA is often misunderstood, McGraw said. The law includes three parts: the privacy rule, which protects individually identifiable health information; the security rule, which sets national standards for the security of electronic protected health information; and the breach notification rule, under which "covered entities" — the health plans and providers to which HIPAA applies — must provide notice of a breach of protected health information.

But not every entity is always covered by HIPAA, McGraw said. Whether the developer of a health app is bound by HIPAA can involve many factors, including who an app is marketed to, who is benefiting from the information gathered by the app, and who gets to keep the data after the user's account is deactivated, McGraw said.

According to McGraw, HIPAA may cover a mobile health app — for example, an augmentative communication app for children with autism — used in certain circumstances, such as when a doctor recommends an app to facilitate his or her practice. The same app may not be covered by HIPAA when it is marketed and used directly by consumers.

"It's not always easy to figure these out," McGraw said, but if HHS continues to populate its online portal with answers to frequently asked questions, "it will hopefully be a very popular and useful tool for developers," she said.