Privacy and security are important considerations for any app—and especially apps that collect and share consumers’ health information. As you design, market, and distribute your mobile health app, think about which U.S. federal laws may apply. Check out this interactive tool to help you navigate laws and rules that may apply to you or your app.
Who Should Use this Tool?
This tool is for anyone developing a mobile app that will access, collect, share, use, or maintain information related to an individual consumer’s health, such as information related to diagnosis, treatment, fitness, wellness, or addiction. Here are some examples:
- Apps that help consumers track or monitor fitness or activity, diet, mood, sleep, menstruation or fertility, smoking or alcohol consumption, or medications
- Apps that help consumers view, use, or share their medical records or health insurance claims data or otherwise access information from their doctor, health care clinic, or health plan
- Apps that sync with health platforms or internet-connected devices, like a fitness tracker, sleep monitor, blood pressure monitor, or a watch that records activity or heart rate
- Apps that diagnose or treat a disease or health condition, or record information that might be relevant to diagnosis or treatment
If your app relates to health information in these (or other) ways, you’re in the right place. This tool is meant to help you figure out the federal regulatory, privacy, and security laws and regulations that may apply. (Hint: More than one may apply.)
An important caveat: This tool is not offering legal advice and is provided for informational purposes only. Using this tool isn’t required by federal law and can’t guarantee compliance with applicable federal requirements. Instead, it’s meant to give you a snapshot of potential compliance obligations and point you to educational materials and best practices for delivering safe, accurate services while safeguarding the privacy and security of consumer information.
What Are the Relevant Federal Laws and Regulations?
Health Insurance Portability and Accountability Act (HIPAA) Rules
The HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) protect the privacy and security of most individually identifiable health information held by health plans, most health care providers, and health care clearinghouses (these groups are called “covered entities”). Such information is referred to as protected health information, or PHI. In addition, the HIPAA Rules apply to people or companies who create, receive, maintain, or transmit health information for, or provide certain services to a covered entity (those groups are called “business associates”). The HIPAA Rules also require these entities to provide notifications of any breaches of health information. The Office for Civil Rights (OCR) within the U.S. Department of Health & Human Services (HHS) enforces the HIPAA Rules. Importantly, the HIPAA Rules do not apply to health information maintained by anyone who isn’t a covered entity or business associate. For example, the HIPAA Rules likely wouldn’t apply to consumer health information maintained in an app that isn’t offered by a HIPAA covered entity or its business associate, even if the health information originated from a covered entity or business associate.
If health information is not protected by the HIPAA Rules, does this mean that there are no federally required protections for the information? No! Other federal laws likely apply. For example, the Federal Trade Commission (“FTC”) Act applies to most app developers. So, there’s a good chance the FTC Act will require you, among other things, to have reasonable privacy and security practices in place. More on that later.
For additional information and helpful resources about the HIPAA Rules, please visit OCR’s health information privacy page at https://www.hhs.gov/hipaa/index.html.
Federal Food, Drug, and Cosmetic Act (FD&C Act)
The Food and Drug Administration (FDA) enforces the FD&C Act, which among other things regulates the safety and effectiveness of medical devices, including certain mobile medical apps. The FDA focuses its regulatory oversight of digital health devices on a subset of mobile health apps that could pose a risk to consumers if they don’t work as intended. The FDA considers a software function to be a medical device, and subject to FDA device regulation, if it meets the definition of device in section 201(h) of the FD&C Act. When a software function is intended for use in the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the human body, the software function is a device under section 201(h) of the FD&C Act, if it is not a software function excluded from the device definition by the 21st Century Cures Act. FDA’s Digital Health Policy Navigator may be referenced to help in determining whether your product’s software functions are potentially the focus of the FDA’s oversight.
21st Century Cures Act & ASTP Information Blocking Regulations
Through the offices of its Inspector General (OIG) and Assistant Secretary for Technology Policy (ASTP) as well as the Centers for Medicare & Medicaid Services (CMS), HHS issues regulations — and takes other steps when necessary — to enforce the 21st Century Cures Act’s prohibition of “information blocking.” ASTP also maintains the ASTP/ONC Health IT Certification Program for the voluntary certification of health IT that meets certain technical requirements to support needs for interoperable health IT in the nation’s health information infrastructure.
The information blocking regulations issued through ASTP apply to practices likely to interfere with access, exchange, or use of electronic health information (EHI) and define certain exceptions to the definition of information blocking. When a health care provider, health IT developer of certified health IT, or health information network or health information exchange engages in any practice that is not required by law or covered by a regulatory exception, with the requisite knowledge about that practice, and that practice is likely to interfere with access, exchange, or use of EHI, that practice could be information blocking.
Importantly, the information blocking regulations function in complement with other laws, such as HIPAA and state laws, that protect the privacy and security of patients’ health information. The information blocking regulations do not require or excuse violation of other laws.
The information blocking regulations include specific exceptions for reasonable and necessary practices that protect the privacy and security of patients’ EHI. Privacy- and security-protective practices that meet these exceptions’ conditions will not be considered information blocking.
If a developer chooses to certify health IT through the voluntary ASTP/ONC Health IT Certification Program, that health IT must meet specific privacy and security requirements . These requirements include implementing appropriate privacy and security safeguards (certification criteria) and making certain publicly available statements (“attestations”) that ensure transparency about certain privacy and security features of the certified technology.
For additional information and helpful resources about the information blocking regulations or the voluntary certification of health IT, please visit HealthIT.gov.
Federal Trade Commission Act (FTC Act)
The FTC enforces Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce, including those relating to the privacy and security of personal information that apps collect, use, maintain, or share, as well as the safety or performance that apps provide. Section 12 of the FTC Act prohibits false advertisements for food, drugs, devices, cosmetics, or services in or affecting commerce.
The FTC Act applies to most app developers – including developers of health apps. For example, if you develop an app and share consumers’ health information with third parties after telling or implying to consumers that their information will be kept private, you could be violating the FTC Act. Also, if you certify through the voluntary ASTP/ONC Health IT Certification Program and make certain transparency attestations about your app’s privacy or security features and then don’t live up to those promises, the FTC could bring an enforcement action against you.
FTC’s Health Breach Notification Rule
The FTC’s Health Breach Notification Rule requires entities covered by the Rule to provide notifications to consumers, the FTC, and, in some cases, the media, following certain breaches of personal health record information. The FTC’s Health Breach Notification Rule applies to most health apps that aren’t covered by HIPAA because most developers of health apps are acting as “health care providers” by furnishing health care services or supplies – in this case, apps – to consumers. (That definition of “health care provider” comes from 42 U.S.C. § 1320d, which is referenced in Section 318.2(e) of the FTC’s Rule.) If your app experiences a breach—that is, any incidents of unauthorized access, including sharing of identifying health information, without consumers’ authorization—you are likely required to notify consumers, the FTC, and, in some cases, the media. If you don’t provide that notice, you could face an FTC enforcement action seeking hefty civil penalties.
Children’s Online Privacy Protection Act (COPPA)
The FTC enforces the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule, which give parents control over the information that operators of websites and online services can collect from children. COPPA applies to the operator of any commercial website or online service (including a mobile app) that is directed to children under 13 or where the operator has actual knowledge that it collects, uses, or discloses personal information from children under 13. Before collecting children’s personal information – that includes online contact information, persistent identifiers, photos, video, audio, and geolocation information – COPPA requires the operator to (among other things) give parents notice of what personal information the operator is collecting from children and to get the parent’s verifiable consent. COPPA also requires that operators establish and maintain reasonable procedures for protecting the confidentiality, security, and integrity of children’s personal information.
Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA)
Section 8023 of the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) authorizes the Commission to seek civil penalties for unfair or deceptive acts or practices with respect to any substance use disorder treatment service or substance use disorder treatment product. Substance use disorder treatment services are services that purport to provide treatment, referrals to treatment, or recovery housing for people with substance use disorders. Substance use disorder treatment products are products used or marketed for use in treating, curing, or preventing substance use disorders.
Which Federal Laws and Regulations May Apply?
1. Does/will your app collect, share, use, or maintain health information?
2. Does the information the app collects fall within the HIPAA Rules’ definition of “individually identifiable health information”?
3a. Are you a health plan?
3b. Are you a health care provider, such as a doctor, dentist, psychologist, hospital, health care clinic, or pharmacy?
4a. Do you develop, offer, or sell any certified health information technology?
4b. Do you enable electronic health information exchange among more than two unaffiliated parties?
5. Do consumers need a prescription to access your app?
6. Are you developing, offering, or operating an app on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)? Or are you acting as a subcontractor to another entity providing services to a covered entity?
7. Is your app intended:
- for use in the diagnosis of disease or other conditions?
- for use in the cure, mitigation, treatment, or prevention of disease? or
- to affect the structure or any function of the body?
8. Is your app solely intended for:
- administrative support of a health care facility? and/or
- maintaining or encouraging a healthy lifestyle? and/or
- serving as electronic patient records? and/or
- transferring, storing, converting formats, or displaying data? and/or
- providing limited clinical decision support to a health care provider?
9. Does your app pose a “low risk” to patients?
For the purposes of regulating medical device applications, FDA considers “low risk” apps those that are intended to:
- help patients self-manage their disease or condition without providing specific treatment suggestions; or
- automate simple tasks for health care providers.
10. Does your app include a device software function that is the focus of FDA’s oversight?
If a software function that meets the definition of a device is used on a mobile platform, it may be referred to as a “mobile medical app.” If the software function is not a low risk software function for which FDA does not intend to enforce requirements under the FD&C Act at this time, then it is a device software function that is the focus of FDA’s regulatory oversight. The following are types of software functions that FDA considers to be device software functions that are a focus of its regulatory oversight:
- Software functions that are an extension of one or more medical devices by connecting to such device(s) for purposes of controlling the device(s) or analyzing medical device data (for example, an app that controls the delivery of insulin on an insulin pump by transmitting control signals to the pumps from the mobile platform).
- Software functions (typically, mobile apps) that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. Software functions that use attachments, display screens, sensors, or other such similar components to transform a mobile platform into a regulated medical device are required to comply with the device classification associated with the transformed platform (for example, an app that uses an attachment of a blood glucose strip reader to a mobile platform to function as a glucose meter).
- Software functions that become a regulated medical device by performing patient-specific analysis and providing patient-specific output(s) or directive(s) to health care professionals for use in the diagnosis, treatment, mitigation, cure, or prevention of a disease or condition. Additionally, software functions that perform patient-specific analysis and provide patient-specific diagnosis or treatment recommendations to patients, caregivers, or other users who are not health care professionals (for example, an app that uses patient-specific parameters and calculates dosage or creates a dosage plan for radiation therapy).
11. Is your app for use by consumers?
12. Does your app:
- collect, receive, or maintain identifiable health information for consumers?
- access health information in personal health records?
- send health information to personal health records?
- offer products or services through the website of an entity that maintains health records for consumers?
- provide services to an entity that maintains health records for consumers?
13. Is your app intended for children?
14. Does your app use child-oriented activities, incentives, design, music, or the like?
15. Do you have actual knowledge that children are using your app?
16. Does your app offer a substance use disorder treatment service or substance use disorder treatment product?
You’ve completed this interactive tool.
We hope this tool has helped you figure out which federal laws and regulations may apply to you and your mobile health app. No matter which laws and regulations may apply, consumers want your app to take the privacy and the security of their health information seriously. Here are some tips for how to protect consumers’ privacy and the security of their health information.
Glossary
Identifiable health information
In this tool, we use identifiable health information to mean demographic information and relates to a consumer’s past, present, or future physical or mental health or condition; the provision of health care; or the past, present, or future payment for provision of health care to the consumer, that identifies the consumer or for which there’s a reasonable basis to believe it can be used to identify the consumer. For example, the consumer’s IP address, if maintained by a health plan’s wellness app, is identifiable health information. Note: This term is inclusive of PHI, PHR-identifiable health information, and EHI as defined in the respective Rules discussed in this tool.
Terms from the HIPAA Rules (45 CFR Part 160 and 45 CFR Part 164)
HIPAA covered entities
A HIPAA covered entity is a health plan, a health care clearinghouse, or a health care provider who conducts certain electronic transactions. See 45 CFR 160.103 for definition of a covered entity.
Health care providers who conduct certain electronic transactions
HIPAA covered health care providers include doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, and pharmacies that conduct certain payment and coverage-related health care transactions electronically. For example, a provider that electronically submits a claim to a health plan is a covered health care provider. Providers range from small physician practices to large hospital systems. See 45 CFR 160.103 for definitions of health care provider and transaction.
Health plans include health insurance companies; health maintenance organizations (HMOs); company health plans; and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs. Read HHS’s Covered Entities and Business Associates for more information. See also 45 CFR 160.103 for definition of health plan.
Health care clearinghouses are entities that process nonstandard health information they receive from another entity into standard data elements or a standard transaction, or vice versa. For example, an entity that processes nonstandard health information into a standard transaction to send claim information from a health care provider to a health plan is health care clearinghouse. A health care clearinghouse is acting as a business associate when it conducts these services for another covered entity or business associate. Read HHS’s Covered Entities and Business Associates for more information. See 45 CFR 160.103 for definitions of health care clearinghouse and transaction.
A HIPAA business associate creates, receives, maintains, or transmits PHI for certain functions or activities on behalf of, or provides certain services to, a covered entity (or another business associate). These functions or activities include claims processing, data analysis, utilization review, and billing. A business associate also is a person who provides data transmission services with respect to PHI to a covered entity and who requires access to the information on a routine basis, a person who offers a personal health record on behalf of a covered entity, or a subcontractor to another business associate. See 45 CFR 160.103. Consult these resources for more information on business associates:
- Business Associates
- Resources for Mobile Health Apps Developers
- Direct Liability of Business Associates under HIPAA
- Business Associates, Frequently Asked Questions
- Sample Business Associate Agreement Provisions
Protected health information (PHI)
Protected health information (PHI) is individually identifiable health information maintained or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral, with certain exceptions. See this description of PHI and 45 CFR 160.103.
Individually identifiable health information (IIHI)
Individually identifiable health information (IIHI) generally is information that is created or received by a health care provider, health plan, employer, or health care clearinghouse; relates to a physical or mental health or condition of an individual or the provision of or payment for health care to an individual; and identifies or could be used to identify the individual. See 45 CFR 160.103 for full definition.
Terms from the Federal Food, Drug, and Cosmetic Act (Section 201(h)(1) and 520(o)) and FDA Guidance
Medical device
Under section 201(h)(1) of the Federal Food, Drug, and Cosmetic Act (FD&C Act), a device is an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory which is:
- recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
- intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
- intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes. The term “device” does not include software functions excluded pursuant to section 520(o) of the FD&C Act.
Section 520(o) of the Federal Food, Drug, and Cosmetic Act: (o) REGULATION OF MEDICAL AND CERTAIN DECISIONS SUPPORT SOFTWARE —
(1) The term device, as defined in section 201(h), shall not include a software function that is intended—
(A) for administrative support of a health care facility, including the processing and maintenance of financial records, claims or billing information, appointment schedules, business analytics, information about patient populations, admissions, practice and inventory management, analysis of historical claims data to predict future utilization or cost-effectiveness, determination of health benefit eligibility, population health management, and laboratory workflow;
(B) for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition;
(C) to serve as electronic patient records, including patient-provided information, to the extent that such records are intended to transfer, store, convert formats, or display the equivalent of a paper medical chart, so long as—
(i) such records were created, stored, transferred, or reviewed by health care professionals, or by individuals working under supervision of such professionals;
(ii) such records are part of health information technology that is certified under section 3001(c)(5) of the Public Health Service Act; and
(iii) such function is not intended to interpret or analyze patient records, including medical image data, for the purpose of the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition;
(D) for transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results, findings by a health care professional with respect to such data and results, general information about such findings, and general background information about such laboratory test or other device, unless such function is intended to interpret or analyze clinical laboratory test or other device data, results, and findings; or
(E) unless the function is intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system, for the purpose of—
(i) displaying, analyzing, or printing medical information about a patient or other medical information (such as peer-reviewed clinical studies and clinical practice guidelines);
(ii) supporting or providing recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition; and
(iii) enabling such health care professional to independently review the basis for such recommendations that such software presents so that it is not the intent that such health care professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.
Device software function, including mobile medical app
FDA refers to software functions that are medical device functions as “device software functions.” Software functions that meet the definition of a device may be deployed on mobile platforms, other general-purpose computing platforms, or in the function or control of a hardware device. If a software function that meets the definition of a medical device is deployed on a mobile platform, it may be referred to as a “mobile medical app.” To determine if your app is a mobile medical app that is the focus of FDA’s regulatory oversight, see Section V.A. of the FDA’s Policy for Device Software Functions and Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff (“Device software functions: Subset of software functions that are the focus of FDA’s regulatory oversight”). Also, see Appendix C of the FDA’s Policy for Device Software Functions and Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff (“Examples of Software Functions that are the focus of FDA’s regulatory oversight (Device Software Functions and Mobile Medical Apps)”), which provides examples of software functions that are device software functions. You can also visit the FDA’s website on Device Software Functions and Mobile Medical Applications.
If you have further questions about determining whether your app is a medical device, visit the Digital Health Center of Excellence website, email digitalhealth@fda.hhs.gov or contact the FDA via Device Advice: Comprehensive Regulatory Assistance; CDRH Division of Industry and Consumer Education (DICE).
Terms from the FTC’s Health Breach Notification Rule (16 CFR Part 318)
Vendor of personal health records (PHR), PHR related entity, or third party service provider
A vendor of personal health records offers or maintains PHRs – EHRs that have the technical capacity to draw from multiple sources and that are managed, shared, and controlled primarily by or for the individual – directly to consumers.
PHR related entity
A PHR related entity interacts with a PHR vendor, either by offering products or services through the vendor’s website (regardless of whether that vendor is covered by HIPAA), or by accessing identifiable health information in, or sending identifiable health information to a PHR.
Third Party Service Provider
A third party service provider offers services to a PHR vendor or PHR related entity involving the access, use, maintenance, modification, disclosure, or disposal of health information.
Terms from the Information Blocking Regulations (45 CFR part 171)
Electronic Health Information
Electronic health information (EHI) means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include:
(1) Psychotherapy notes as defined in 45 CFR 164.501; or
(2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Access, Exchange, and Use
Access
Access means the ability or means necessary to make electronic health information available for exchange or use.
Exchange
Exchange means the ability for electronic health information to be transmitted between and among different technologies, systems, platforms, or networks.
Use
Use means the ability for electronic health information, once accessed or exchanged, to be understood and acted upon.
Information Blocking “Actors”
Health care provider includes a: hospital; skilled nursing facility; nursing facility; home health entity or other long term care facility; health care clinic; community mental health center; renal dialysis facility; blood center; ambulatory surgical center; emergency medical services provider; federally qualified health center; group practice; pharmacist; pharmacy; laboratory; physician; practitioner; provider operated by or under contract with the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization; rural health clinic; covered entity under 42 U.S.C. 256b; ambulatory surgical center; therapist; and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary.
Detailed statutory citations for specific health care provider types were removed in order to present a simplified view of the “health care provider” definition. HHS information resources, such as a fact sheet, about this definition are available through ASTP's official website, HealthIT.gov.
Health Information Network or Health Information Exchange
Health information network or health information exchange means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:
(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.
Health IT Developer of Certified Health IT
Health IT developer of certified health IT means an individual or entity, other than a health care provider that self-develops health IT that is not offered to others, that develops or offers health information technology (as that term is defined in 42 U.S.C. 300jj(5)) and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ASTP/ONC Health IT Certification Program).