General

What Laws Apply to My Health-Related App? Check the FTC Website

Published: Apr. 07, 2016

Updated: Oct. 05, 2020

The FTC recently released a Mobile Health Apps Interactive Tool aimed at assisting app developers in determining what laws apply to them in the health space. Developed in conjunction with the Department of Health and Human Services’ Office of National Coordinator for Health Information Technology, the Office of Civil Rights, and the Food and Drug Administration, the Interactive Tool asks a series of questions about the health-related app. As a user answers questions, the site advises on federal laws that might apply to the app, including the FTC Act and HIPAA.

As part of its focus on health-related apps, the FTC simultaneously released a set of best practices for mobile health-app developers with regard to privacy and data security. Some key principles include:

  • Data Minimization: The FTC emphasizes that companies should minimize the amount of personally-identifiable data that is collected and retained, as this reduces the amount of data that must be protected. The FTC further emphasized de-identification of data as an alternative means of data minimization.
  • Limiting Access and Permissions: Similar to the principle of data minimization, the FTC urges app developers to limit the type of access granted to apps, e.g. to a user’s list of contacts.
  • Authenticating Users: The FTC asks developers to adequately authenticate users by, for example, implementing two-factor authentication where appropriate and requiring complex passwords.
  • Consider the Mobile Ecosystem: Where app developers use third-party service providers, the FTC expects those developers to ensure that service providers can adequately safeguard data. Likewise, where app developers use someone else’s code in an app, the developers should be mindful of any security flaws of that code.
  • Security by Design: Consistent with the FTC’s continued focus on data security, the FTC advises health app developers to implement security by design. Among other things, this means that organizations should appoint an individual to be responsible for data security, ensure engineers are trained in secure coding practices, use encryption at rest and in transit, and monitor the data being collected and retained by the organization.
  • Use Available Resources: The FTC emphasizes the availability of free and low-cost tools that can be used to protect personal information. These include resources from the SANS Institute, OWASP, and the California Department of Justice’s Privacy on the Go.
  • Communication is Key: Emphasizing transparency, the FTC urges app developers to adequately notify users about the app’s data collection, use, and disclosure policies.
  • Be Aware of Other Laws: The FTC also reminds app developers to be mindful of federal and state laws that may govern the apps.

These releases signal the FTC’s continued focus on the growing industry of apps in the health sector. In addition to the FTC’s Interactive Tool, developers can also use ZwillGen’s Privacy Navigator to get a high-level overview of privacy and security laws that may impact their business.