Federal Agencies Provide User-Friendly Guidance on Compliance with Data Privacy Laws

18 April 2016 Health Care Law Today Blog

How federal privacy laws apply to mobile health applications has been an area of significant ambiguity. Recently, the Federal Trade Commission (FTC), the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the Food and Drug Administration (FDA), and the HHS Office of the National Coordinator for Health Information Technology (ONC) joined together to publish a user-friendly, web-based interactive tool that gives developers entering the heavily regulated mobile health industry high-level guidance on how to navigate this complex regulatory environment. As the director of the FTC Bureau of Consumer Protection noted, “Mobile App developers need clear information about the laws that apply to their health-related products.” In addition, the FTC released Best Practices Guidance for Mobile Health Developers to provide practical guidance for industry participants.

The FTC’s User-Friendly Legal/Regulatory Issue Spotting Tool

The tool, while published on the FTC’s website, addresses the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), the Federal Trade Commission Act (FTC Act), and the FTC’s Health Breach Notification Rule. The tool is a decision tree that helps developers gain a preliminary understanding of whether and how these laws apply to them. By asking questions about the company itself, the application’s clients and audience, whether the application stores identifiable data, and the application’s interaction with the health care industry and patients, the tool focuses attention on the relevant legal hurdles. Along with the decision tree, the tool includes a glossary that provides relevant definitions together with links to more expansive source materials.

The FTC’s Best Practices Guidance

The FTC guidance describes business practices for mobile health developers. Overall, the guidance reiterates many industry best practices such as:

  • Only maintaining de-identified data unless identifiable information is absolutely necessary;
  • Engaging third parties who are contractually bound to implement and follow through with data security measures; and
  • Adding processes to thwart unauthorized access to client information, such as salting stored passwords (combining each password with random data before hashing it, so that stolen account records cannot be cracked with precomputed tables).

For developers unfamiliar with these industry practices, the guidance also provides links to data security resources from independent and government sources. The guidance further emphasizes minimizing data sharing and storage, maximizing the security of stored information, and establishing processes and points of contact on each workforce team to manage data retention and security.

Key Takeaways

The health industry is heavily regulated. In a world where direct-to-consumer technology and business-to-business enterprise solutions are rapidly growing, the regulatory barriers can sometimes thwart innovation that can revolutionize the sector. The web-based tool notes, “It’s not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.” Mobile health developers should seek out legal advice regarding the complete regulatory landscape early on. By carefully addressing compliance issues before bringing a product to market, developers can ensure that legal issues do not hamper the product’s launch or distract from its real mission: to help patients, providers, and payors be better and do better.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only and is not intended to convey specific legal advice.
