Skip to main content
mobile health app banner

Privacy and security are important considerations for any app—and especially apps that collect and share consumers’ health information. As you design, market, and distribute your mobile health app, think about which U.S. federal laws may apply. Check out this interactive tool to help you navigate laws and rules that may apply to you or your app.

Who Should Use this Tool?

This tool is for anyone developing a mobile app that will access, collect, share, use, or maintain information related to an individual consumer’s health, such as information related to diagnosis, treatment, fitness, wellness, or addiction. Here are some examples:

  • Apps that help consumers track or monitor fitness or activity, diet, mood, sleep, menstruation or fertility, smoking or alcohol consumption, or medications
  • Apps that help consumers view, use, or share their medical records or health insurance claims data or otherwise access information from their doctor, health care clinic, or health plan
  • Apps that sync with health platforms or internet-connected devices, like a fitness tracker, sleep monitor, blood pressure monitor, or a watch that records activity or heart rate
  • Apps that diagnose or treat a disease or health condition, or record information that might be relevant to diagnosis or treatment

If your app relates to health information in these (or other) ways, you’re in the right place. This tool is meant to help you figure out the federal regulatory, privacy, and security laws and regulations that may apply. (Hint: More than one may apply.)

An important caveat: This tool is not offering legal advice and is provided for informational purposes only. Using this tool isn’t required by federal law and can’t guarantee compliance with applicable federal requirements. Instead, it’s meant to give you a snapshot of potential compliance obligations and point you to educational materials and best practices for delivering safe, accurate services while safeguarding the privacy and security of consumer information.

What Are the Relevant Federal Laws and Regulations?

Health Insurance Portability and Accountability Act (HIPAA) Rules

The HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) protect the privacy and security of most individually identifiable health information held by health plans, most health care providers, and health care clearinghouses (these groups are called “covered entities”). Such information is referred to as protected health information, or PHI. In addition, the HIPAA Rules apply to people or companies who create, receive, maintain, or transmit health information for, or provide certain services to a covered entity (those groups are called “business associates”). The HIPAA Rules also require these entities to provide notifications of any breaches of health information. The Office for Civil Rights (OCR) within the U.S. Department of Health & Human Services (HHS) enforces the HIPAA Rules. Importantly, the HIPAA Rules do not apply to health information maintained by anyone who isn’t a covered entity or business associate. For example, the HIPAA Rules likely wouldn’t apply to consumer health information maintained in an app that isn’t offered by a HIPAA covered entity or its business associate, even if the health information originated from a covered entity or business associate.

If health information is not protected by the HIPAA Rules, does this mean that there are no federally required protections for the information? No! Other federal laws likely apply. For example, the Federal Trade Commission (“FTC”) Act applies to most app developers. So, there’s a good chance the FTC Act will require you, among other things, to have reasonable privacy and security practices in place. More on that later.

For additional information and helpful resources about the HIPAA Rules, please visit OCR’s health information privacy page at https://www.hhs.gov/hipaa/index.html.

Federal Food, Drug, and Cosmetic Act (FD&C Act)

The Food and Drug Administration (FDA) enforces the FD&C Act, which among other things regulates the safety and effectiveness of medical devices, including certain mobile medical apps. The FDA focuses its regulatory oversight of digital health devices on a subset of mobile health apps that could pose a risk to consumers if they don’t work as intended. The FDA considers a software function to be a medical device, and subject to FDA device regulation, if it meets the definition of device in section 201(h) of the FD&C Act. When a software function is intended for use in the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the human body, the software function is a device under section 201(h) of the FD&C Act, if it is not a software function excluded from the device definition by the 21st Century Cures Act. FDA’s Digital Health Policy Navigator may be referenced to help in determining whether your product’s software functions are potentially the focus of the FDA’s oversight.

21st Century Cures Act & ASTP Information Blocking Regulations

Through the offices of its Inspector General (OIG) and Assistant Secretary for Technology Policy (ASTP) as well as the Centers for Medicare & Medicaid Services (CMS), HHS issues regulations — and takes other steps when necessary — to enforce the 21st Century Cures Act’s prohibition of “information blocking.” ASTP also maintains the ASTP/ONC Health IT Certification Program for the voluntary certification of health IT that meets certain technical requirements to support needs for interoperable health IT in the nation’s health information infrastructure.

The information blocking regulations issued through ASTP apply to practices likely to interfere with access, exchange, or use of electronic health information (EHI) and define certain exceptions to the definition of information blocking. When a health care provider, health IT developer of certified health IT, or health information network or health information exchange engages in any practice that is not required by law or covered by a regulatory exception, with the requisite knowledge about that practice, and that practice is likely to interfere with access, exchange, or use of EHI, that practice could be information blocking.

Importantly, the information blocking regulations function in complement with other laws, such as HIPAA and state laws, that protect the privacy and security of patients’ health information. The information blocking regulations do not require or excuse violation of other laws.

The information blocking regulations include specific exceptions for reasonable and necessary practices that protect the privacy and security of patients’ EHI. Privacy- and security-protective practices that meet these exceptions’ conditions will not be considered information blocking.

If a developer chooses to certify health IT through the voluntary ASTP/ONC Health IT Certification Program, that health IT must meet specific privacy and security requirements . These requirements include implementing appropriate privacy and security safeguards (certification criteria) and making certain publicly available statements (“attestations”) that ensure transparency about certain privacy and security features of the certified technology.

For additional information and helpful resources about the information blocking regulations or the voluntary certification of health IT, please visit HealthIT.gov.

Federal Trade Commission Act (FTC Act)

The FTC enforces Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce, including those relating to the privacy and security of personal information that apps collect, use, maintain, or share, as well as the safety or performance that apps provide. Section 12 of the FTC Act prohibits false advertisements for food, drugs, devices, cosmetics, or services in or affecting commerce.

The FTC Act applies to most app developers – including developers of health apps. For example, if you develop an app and share consumers’ health information with third parties after telling or implying to consumers that their information will be kept private, you could be violating the FTC Act. Also, if you certify through the voluntary ASTP/ONC Health IT Certification Program and make certain transparency attestations about your app’s privacy or security features and then don’t live up to those promises, the FTC could bring an enforcement action against you.

FTC’s Health Breach Notification Rule

The FTC’s Health Breach Notification Rule requires entities covered by the Rule to provide notifications to consumers, the FTC, and, in some cases, the media, following certain breaches of personal health record information. The FTC’s Health Breach Notification Rule applies to most health apps that aren’t covered by HIPAA because most developers of health apps are acting as “health care providers” by furnishing health care services or supplies – in this case, apps – to consumers. (That definition of “health care provider” comes from 42 U.S.C. § 1320d, which is referenced in Section 318.2(e) of the FTC’s Rule.) If your app experiences a breach—that is, any incidents of unauthorized access, including sharing of identifying health information, without consumers’ authorization—you are likely required to notify consumers, the FTC, and, in some cases, the media. If you don’t provide that notice, you could face an FTC enforcement action seeking hefty civil penalties.

Children’s Online Privacy Protection Act (COPPA)

The FTC enforces the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule, which give parents control over the information that operators of websites and online services can collect from children. COPPA applies to the operator of any commercial website or online service (including a mobile app) that is directed to children under 13 or where the operator has actual knowledge that it collects, uses, or discloses personal information from children under 13. Before collecting children’s personal information – that includes online contact information, persistent identifiers, photos, video, audio, and geolocation information – COPPA requires the operator to (among other things) give parents notice of what personal information the operator is collecting from children and to get the parent’s verifiable consent. COPPA also requires that operators establish and maintain reasonable procedures for protecting the confidentiality, security, and integrity of children’s personal information. 

Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA)

Section 8023 of the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) authorizes the Commission to seek civil penalties for unfair or deceptive acts or practices with respect to any substance use disorder treatment service or substance use disorder treatment product. Substance use disorder treatment services are services that purport to provide treatment, referrals to treatment, or recovery housing for people with substance use disorders. Substance use disorder treatment products are products used or marketed for use in treating, curing, or preventing substance use disorders.

Which Federal Laws and Regulations May Apply?

1. Does/will your app collect, share, use, or maintain health information?

Yes

GO TO QUESTION 2.

No

Even if you don’t deal with health information, there’s a good chance that the FTC Act applies to how your app handles other personal information. Look into FTC jurisdiction to know whether to search for more FTC guidance, such as the FTC’s best practices on app security. And keep in mind that if you collect personal information from kids, COPPA likely applies.

GO TO QUESTION 11.

2. Does the information the app collects fall within the HIPAA Rules’ definition of “individually identifiable health information”?

Yes

The HIPAA Rules protect most individually identifiable health information maintained by covered entities and their business associates. Such information is referred to as protected health information, or PHI. So, if the health information you hold is identifiable, the HIPAA Rules may apply to you. And even if the HIPAA Rules apply to you, you also may need to comply with other laws like the FTC Act. GO TO QUESTION 3.

No

HIPAA:  The HIPAA Rules protect most individually identifiable health information maintained by covered entities and their business associates. Such information is referred to as protected health information, or PHI. So, if the health information you hold is not identifiable, HIPAA doesn’t apply. Keep in mind, however, that information may be identifiable even if it has been stripped of the patient’s name and address. To learn more about when health information is considered to be identifiable and protected under the HIPAA Rules, review the HHS guidance on de-identification.

Information blocking regulations:  The regulations promote lawful access, exchange, and use of electronic health information (EHI). EHI is a specifically defined subset of PHI. So, if the health information you hold isn’t individually identifiable, the information blocking regulations don’t apply. To learn more about the definition of EHI and its incorporation of terms defined in the HIPAA Rules, please see ASTP’s Understanding Electronic Health Information (EHI) fact sheet.

FDA and FTC:  Be aware that even if the health information you touch isn’t identifiable, laws like the FD&C Act or the FTC Act may still apply to you. GO TO QUESTION 7.

3a. Are you a health plan?

Yes

HIPAA:  As HHS guidance about entities covered by HIPAA explains, you likely are a HIPAA covered entity subject to the HIPAA Rules.

The HIPAA Privacy Rule

The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of individually identifiable health information created, received, maintained, or transmitted by a HIPAA covered entity or business associate. This information is called protected health information, or PHI. The Rule also sets limits and conditions on how those entities may use and disclose PHI without the individual’s authorization. In addition, the Rule also gives individuals rights over their health information, including the right to examine and obtain a copy of their health records, as well as to direct the covered entity to transmit an electronic copy of the individual’s PHI in an electronic health record (EHR) to a person or entity of their choosing, such as a mobile health app. Business associates are required to comply with certain provisions of the Privacy Rule. This fact sheet explains more about the obligations of business associates

The HIPAA Security Rule

The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards that covered entities and their business associates must use to assure the confidentiality, integrity, and availability of electronic PHI. Business associates must comply with the entire Security Rule.

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities to provide notification to affected individuals, the Secretary of HHS, and, in some cases, the media, following a breach of unsecured PHI. Business associates must provide notice to the covered entity.

For additional guidance on whether HIPAA applies to your mobile app, visit OCR’s Resources for Mobile Health Apps Developers, which includes hypothetical health app use scenarios and links to frequently asked questions (FAQs). Developers of consumer apps that request PHI from a covered entity through an application programming interface (API) will need to learn about the HIPAA individual access right. For more information about HIPAA protections, the OCR website is a good place to start. Review the Privacy Rule guidance and the HIPAA and health IT FAQs. Find out about HIPAA security standards that may apply.

Information blocking regulations:  Unless you also meet the specific definition of an “actor” under the information blocking regulations, you likely are not covered by these regulations. Information blocking actors include “health care providers,” “developers of certified health IT,” and “health information networks or health information exchanges,” as defined in the information blocking regulations. To learn more, see ASTP’s Information Blocking Actors fact sheet.

GO TO QUESTION 4a

No

GO TO QUESTION 3b.

3b. Are you a health care provider, such as a doctor, dentist, psychologist, hospital, health care clinic, or pharmacy?

Yes

HIPAA:  As HHS guidance about entities covered by HIPAA explains, you likely are a covered entity subject to the HIPAA Rules.

Information blocking regulations:  Please note that the information blocking regulations include a specific definition of “health care provider.”  If you are a “health care provider” as defined in the information blocking regulations, these regulations apply to you regardless of whether you are also a HIPAA covered entity. In practice, most health care providers under the information blocking regulations are also HIPAA covered entities. Such health care providers should be aware that the information blocking regulations do not lessen their obligations under the HIPAA Rules or applicable federal or state law. To learn more, please visit the information blocking page of HealthIT.gov.

GO TO QUESTION 4a

No

GO TO QUESTION 4a

4a.  Do you develop, offer, or sell any certified health information technology?

Yes

Information blocking regulations:  A person or business that develops or offers ASTP/ONC Certified Health IT is a “health IT developer of certified health IT” (other than a health care provider that self-develops health IT that is not offered to others). If you develop, offer, or sell at least one “module” certified under the ASTP/ONC Program, you meet the definition of “health IT developer of certified health IT.” For as long as you fit that definition, your conduct is subject to the Information blocking regulations across all of your health IT—not just to particular certified modules. To learn more, please start at the information blocking page of HealthIT.gov

HIPAA:  You also may be a HIPAA business associate, and therefore, subject to the HIPAA Rules, if you create, receive, maintain, or transmit PHI for a HIPAA covered entity or a business associate of a covered entity.

GO TO QUESTION 4b.

No

GO TO QUESTION 4b.

4b. Do you enable electronic health information exchange among more than two unaffiliated parties?

Yes

Information blocking regulations:  If you determine, control, or have discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of EHI among more than two unaffiliated individuals or entities for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501, you may be a “health information network or health information exchange” for purposes of the information blocking regulations. To explore whether you meet the definition of a “health information network or health information exchange,” and learn more about the information blocking regulations, please start at the information blocking page of HealthIT.gov.  

HIPAA:  You also may be a HIPAA business associate, and therefore subject to the HIPAA Rules, if you create, receive, maintain, or transmit PHI for a HIPAA covered entity or a business associate of a covered entity. In addition, the definition of a business associate specifies that a health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI is a business associate.

GO TO QUESTION 5.

No

Information blocking regulations:  If you do not meet the Information Blocking regulations’ definition of “health care provider,” “health IT developer of certified health IT,” or “health information network or health information exchange,” these regulations likely don’t apply directly to your conduct.

If you think you or your users may have experienced information blocking, visit HealthIT.gov to learn more. You can submit a claim through the information blocking portal. Any information received by ASTP/ONC in connection with a claim or suggestion of possible information blocking and that could reasonably be expected to facilitate identification of the source of the information would fall under protections in section 3022(d)(2) of the Public Health Service Act. These protections limit the public disclosure of the source of the information.

GO TO QUESTION 5.

5. Do consumers need a prescription to access your app? 

Yes

HIPAA:  You may be a HIPAA covered health care provider and therefore subject to the HIPAA Rules.

GO TO QUESTION 7 to see if the FD&C Act also applies. (We’ll get to the FTC Act later.)

No

GO TO QUESTION 6.

6. Are you developing, offering, or operating an app on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)? Or are you acting as a subcontractor to another entity providing services to a covered entity?

Yes

HIPAA:  You likely are a HIPAA business associate, and therefore subject to the HIPAA Security Rule and specific provisions of the HIPAA Privacy and Breach Notification Rules. (Other laws, like the FTC Act, may also apply, but we’ll get to that.)

GO TO QUESTION 7.

No

HIPAA:  You likely are not covered by HIPAA. (Other laws, like the FTC Act, may also apply, but we’ll get to that.)

GO TO QUESTION 7

7. Is your app intended:

  • for use in the diagnosis of disease or other conditions?
  • for use in the cure, mitigation, treatment, or prevention of disease? or
  • to affect the structure or any function of the body?
Yes

FDA:  Your app may be a medical device subject to the FD&C Act. (Other laws, like the FTC Act, may also apply, but we’ll get to that.)

HIPAA:  You may be a HIPAA covered health care provider, and therefore, subject to the HIPAA Rules.

GO TO QUESTION 8.

No

FDA:  Your app generally isn’t considered a medical device under the FD&C Act. For examples of mobile apps that are not medical devices, see Appendix A of the FDA’s Policy for Device Software Functions and Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff. Even though an app may not be considered a medical device, other laws may apply.

GO TO QUESTION 11.

8. Is your app solely intended for:

  • administrative support of a health care facility? and/or
  • maintaining or encouraging a healthy lifestyle? and/or
  • serving as electronic patient records? and/or
  • transferring, storing, converting formats, or displaying data? and/or
  • providing limited clinical decision support to a health care provider?
Yes

FDA:  If an app’s intended use meets certain criteria in section 520(o) of the FD&C Act, then your app may not be a medical device under the FD&C Act and device regulation by the FDA. (Other laws, like the FTC Act, may also apply, but we’ll get to that.) 

 

Some software functions are excluded from the definition of device in the FD&C Act. Read the glossary definition of a medical device. If your app is intended to solely serve any of these functions, it’s probably not a medical device:

  1. For providing administrative support of a health care facility
  2. For maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition
  3. For serving as electronic patient records
  4. For transferring, storing, converting formats, or displaying clinical laboratory test or other device data, results, and findings, unless such function is intended to interpret or analyze clinical laboratory test or other device data, results, and findings
  5. For providing certain clinical decision support for a health care professional.

 

Read the full text of section 520(o)(1) of the FD&C Act in the glossary definition for medical device below and Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act Guidance for Industry and Food and Drug Administration Staff for details on the software functions described in A-D. See Clinical Decision Support Software Guidance for Industry and Food and Drug Administration Staff for details on the software functions described in E above. FDA’s Digital Health Policy Navigator may be referenced to help in determining whether your product’s software functions are potentially the focus of the FDA’s oversight.

HIPAA: You may be a HIPAA business associate, and, therefore, subject to the HIPAA Rules, if you create, receive, maintain, or transmit PHI for a HIPAA covered entity, or a business associate of a covered entity.

GO TO QUESTION 11.

No

FDA:  If your app does not meet the criteria in section 520(o) of the FD&C Act for exclusion from the device definition, your app is likely subject to regulation by the FDA.

 

GO TO QUESTION 9

9. Does your app pose a “low risk” to patients?

For the purposes of regulating medical device applications, FDA considers “low risk” apps those that are intended to:

  • help patients self-manage their disease or condition without providing specific treatment suggestions; or
  • automate simple tasks for health care providers.
Yes

FDA:  The FDA considers your app to be low risk and does not intend to enforce requirements under the FD&C Act at this time. For additional information about mobile apps over which the FDA does not intend to enforce compliance with its regulatory requirements, see Appendix B of the FDA’s Policy for Device Software Functions and Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff.

GO TO QUESTION 11.

No

FDA:  The FDA doesn’t consider your app to be low risk. 

GO TO QUESTION 10.

10. Does your app include a device software function that is the focus of FDA’s oversight?

If a software function that meets the definition of a device is used on a mobile platform, it may be referred to as a “mobile medical app.” If the software function is not a low risk software function for which FDA does not intend to enforce requirements under the FD&C Act at this time, then it is a device software function that is the focus of FDA’s regulatory oversight. The following are types of software functions that FDA considers to be device software functions that are a focus of its regulatory oversight:

  • Software functions that are an extension of one or more medical devices by connecting to such device(s) for purposes of controlling the device(s) or analyzing medical device data (for example, an app that controls the delivery of insulin on an insulin pump by transmitting control signals to the pumps from the mobile platform).
  • Software functions (typically, mobile apps) that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. Software functions that use attachments, display screens, sensors, or other such similar components to transform a mobile platform into a regulated medical device are required to comply with the device classification associated with the transformed platform (for example, an app that uses an attachment of a blood glucose strip reader to a mobile platform to function as a glucose meter).
  • Software functions that become a regulated medical device by performing patient-specific analysis and providing patient-specific output(s) or directive(s) to health care professionals for use in the diagnosis, treatment, mitigation, cure, or prevention of a disease or condition. Additionally, software functions that perform patient-specific analysis and provide patient-specific diagnosis or treatment recommendations to patients, caregivers, or other users who are not health care professionals (for example, an app that uses patient-specific parameters and calculates dosage or creates a dosage plan for radiation therapy).
Yes

FDA:  The FDA intends to apply its regulatory oversight.

FDA Information

The FDA focuses its regulatory oversight on a subset of mobile apps that are medical devices and whose functionality could pose a risk to consumers if they don’t work as intended. 

Mobile medical apps that undergo FDA review will be evaluated according to the same regulatory standards and risk-based approach that the agency applies to other medical devices. 

The FDA classifies medical devices into three categories, Class I, Class II, and Class III, based on the risk the devices pose to consumers, intended use, and indications for use. Class I devices are considered low risk devices and subject to the least regulatory controls. Class II devices are moderate risk devices and require greater regulatory controls to provide reasonable assurance of the device’s safety and effectiveness, and Class III devices are generally the highest risk devices and subject to the highest level of regulatory control.

With a few exceptions, FDA evaluates Class II and Class III devices for their safety and effectiveness before they are allowed to be sold to the public through a premarket submission process. There are fees associated with filing a premarket submission. Medical device manufacturers must register their establishment and list the devices they market in the FDA’s device registration and listing database. In addition, the mobile medical app manufacturer must comply with all other relevant laws and regulations, such as Quality System (QS) Regulation/Medical Device Good Manufacturing Practices (“CGMP”) and Medical Device Reporting.

The FDA links above can help you to determine your app’s classification and regulatory requirements. Have a question about the FDA’s digital health policies? Visit the Digital Health Center of Excellence website and/or email digitalhealth@fda.hhs.gov.

Information blocking regulations:  The information blocking regulations will also apply if your app, or any health IT you develop, offer, or sell is or includes any “module” or product certified under the ASTP/ONC Health IT Certification Program. If that’s the case, you would be considered a developer of certified health IT and would be an “actor” under the information blocking regulations. You would also be subject to the Conditions and Maintenance of Certification requirements of the ASTP/ONC Health IT Certification Program. Learn more about information blocking and the Conditions and Maintenance of Certification requirements on HealthIT.gov.

HIPAA:  You may be a HIPAA covered health care provider or business associate, and therefore, subject to the HIPAA Rules.

GO TO QUESTION 11.

No

FDA:  Please visit the Digital Health Center of Excellence website and/or contact the FDA at digitalhealth@fda.hhs.gov to determine if you need to comply with the FDA’s regulatory requirements.

GO TO QUESTION 11.

11. Is your app for use by consumers?

Yes

FTC:  The FTC Act likely applies to you. Please note, however, that the FTC Act does not apply to certain entities, like most nonprofits.

The FTC Act

The FTC Act prohibits deceptive or unfair acts or practices. What does this mean in practice?

Tell the Truth.  First, you cannot make deceptive or misleading claims to consumers – expressly or by implication – about things that are important to them, such as whether you’ll keep users’ health information private or whether your app will deliver the health benefits you promise.

 

If you fail to disclose material information – say, the fact that health information will be publicly posted online or that a company will contact pharmacies, insurance companies, and the like to get information about you – you could face an FTC enforcement action. So, it’s important to watch what you say – and think carefully about whether you need to explain your practices in more detail.

The best way to do this is to review your user interface, privacy policy, and other consumer-facing statements to make sure that your representations to consumers are true, backed up by science if you’re making health benefit claims, and are consistent with your practices. If your practices change, make sure your representations keep pace, because you have an obligation to inform consumers about material, retroactive changes to your data policies and to get their affirmative express consent for the new use of their personal data. 

Make sure you really understand your data practices. What data are you collecting and why? What do you do with that data, how do you store it, and to whom do you disclose it? Understanding your data practices is an essential first step to making sure that your privacy promises conform with your practices.

Do More Good than Harm.  Second, you cannot engage in acts or practices that cause, or are likely to cause, substantial injury to consumers that they cannot reasonably avoid, and that are not outweighed by countervailing benefits to consumers or competition (to put it another way, that do more harm than good). For example, exposure of health information can have serious consequences for consumers related to employment, insurance, and reputation, and can cause embarrassment and emotional distress. In light of these potential harms, it’s important to take reasonable steps to ensure the privacy and security of consumers’ health information. What is “reasonable” security? That will depend on the amount and type of data you hold and the size and nature of your business.

 

As a starting point, the FTC has resources on health privacy and advice on how to protect consumers’ privacy and the security of their data. The FTC also has guidance on how to ensure your health benefit, safety, performance, and other claims are truthful, substantiated, and not misleading.

GO TO QUESTION 12.

No

FTC: The FTC Act likely does not apply to you.

GO TO QUESTION 12.

12. Does your app:

  • collect, receive, or maintain identifiable health information for consumers?
  • access health information in personal health records?
  • send health information to personal health records?
  • offer products or services through the website of an entity that maintains health records for consumers?
  • provide services to an entity that maintains health records for consumers?
Yes

FTC:  If the answer to any of these questions is “Yes,” you may be a “vendor” of personal health records (PHR), a PHR related entity, or third party service provider who must comply with the FTC’s Health Breach Notification Rule. July 2024 amendments to the Health Breach Notification Rule explain that most health app developers act as “covered health care providers” when they furnish health care services or supplies – in this case, their app – to consumers. Most health apps not covered by HIPAA are subject to the FTC’s Rule (as long as they have the technical capacity to draw information from multiple sources – such as user inputs and data from a connected fitness tracker – and are managed, shared, and controlled by or primarily for the individual).

As you consider whether the Rule may apply to you, think through the flow of information to and from your app:

  • What application programing interfaces (APIs) do you use? Does your app sync with other health, wellness, diet, fitness, or other apps? 
  • Does your app connect to any health tracking platforms, wearables, health monitoring devices, or virtual assistants that handle health-related issues?
  • Does your app allow users to upload data from other sources or send data from your app elsewhere? 

 

Whether the Rule applies may depend on the answers to these questions, so take some time to make sure you understand your data flows.

FTC’s Health Breach Notification Rule

If you are a vendor of personal health records or a PHR related entity, the Health Breach Notification Rule requires you to notify affected consumers, the FTC, and in some cases, the media following a breach of unsecured personal health information. Third party service providers to PHR vendors and PHR related entities must notify these PHR vendors and PHR related entities in the event of a breach.

Information blocking regulations:  You may also be an “actor” regulated by the information blocking regulations or subject to the Conditions and Maintenance of Certification requirements of the ONC Health IT Certification Program. Learn more about information blocking and the Conditions and Maintenance of Certification requirements on HealthIT.gov.

HIPAA:  You likely are not a HIPAA covered entity or business associate. However, developers of consumer apps that request PHI from a covered entity through an API will want to learn about the HIPAA individual access rights. Individuals have the right to direct a covered entity to transmit an electronic copy of the individual’s PHI in an EHR to a person or entity of their choosing, such as a mobile health app. See OCR’s Individuals’ Right under HIPAA to Access their Health Information page at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

GO TO QUESTION 13.

No

FTC:  The FTC’s Health Breach Notification Rule does not apply.  

GO TO QUESTION 13

13. Is your app intended for children?

Yes

COPPA:  If your intended audience is children under 13, then your app is “directed to children” and you must comply with the Children’s Online Privacy Protection Rule. To comply with the COPPA Rule, you must:

  • Post a clear and comprehensive online privacy policy describing your information practices for personal information collected online from children
  • Provide direct notice to parents and – with limited exceptions – obtain verifiable parental consent before collecting personal information online from children
  • Give parents the choice of consenting to your collection and internal use of a child’s information, but you are prohibited from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents)
  • Provide parents access to their child’s personal information to review and/or have the information deleted
  • Give parents the opportunity to prevent further use or online collection of a child’s personal information
  • Maintain the confidentiality, security, and integrity of information you collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  • Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

To learn more about your obligations under COPPA, read Complying with COPPA: Frequently Asked Questions. Do you need more information? Email CoppaHotLine@ftc.gov or visit the FTC’s Children’s Privacy page.

 

GO TO QUESTION 16.

No

GO TO QUESTION 14.

14. Does your app use child-oriented activities, incentives, design, music, or the like?

Yes

COPPA:  If your app is “directed” to children, then you must comply with COPPA. Under COPPA, there is no one-size-fits-all answer about what makes a site “directed to children.” The COPPA Rule sets out factors the FTC will consider in determining whether your content is child-directed:

  • the subject matter
  • visual content
  • the use of animated characters or child-oriented activities and incentives
  • the kind of music or other audio content
  • the age of models
  • the presence of child celebrities or celebrities who appeal to children
  • language or other characteristics of the site
  • whether advertising that promotes or appears on the site is directed to children, and
  • competent and reliable empirical evidence about the age of the audience

To comply with the COPPA Rule, you must:

  • Post a clear and comprehensive online privacy policy describing your information practices for personal information collected online from children;
  • Provide direct notice to parents and – with limited exceptions – obtain verifiable parental consent before collecting personal information online from children;
  • Give parents the choice of consenting to your collection and internal use of a child’s information, but you are prohibited from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  • Provide parents access to their child’s personal information to review and/or have the information deleted;
  • Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  • Maintain the confidentiality, security, and integrity of information you collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  • Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

To learn more about your obligations under COPPA, read Complying with COPPA: Frequently Asked Questions. Do you need more information? Email CoppaHotLine@ftc.gov or visit the FTC’s Children’s Privacy page.

GO TO QUESTION 16.

No

GO TO QUESTION 15.

15. Do you have actual knowledge that children are using your app?

Yes

COPPA:  If you have “actual knowledge” that you are collecting, using, or disclosing personal information from children under 13, you must comply with the COPPA Rule.

To comply with the COPPA Rule, you must:

  • Post a clear and comprehensive online privacy policy describing your information practices for personal information collected online from children;
  • Provide direct notice to parents and – with limited exceptions – obtain verifiable parental consent before collecting personal information online from children;
  • Give parents the choice of consenting to your collection and internal use of a child’s information, but you are prohibited from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  • Provide parents access to their child’s personal information to review and/or have the information deleted;
  • Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  • Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  • Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

 

To learn more about your obligations under COPPA, read Complying with COPPA: Frequently Asked Questions. Do you need more information? Email CoppaHotLine@ftc.gov or visit the FTC’s Children’s Privacy page.

GO TO QUESTION 16.

No

If your app is not directed to children and you don’t have actual knowledge that you are collecting personal information from children, COPPA doesn’t apply. Keep in mind, however, that if user profiles, complaints, or other sources put you on notice of child users, then you may have “actual knowledge” that you are collecting personal information from children. Therefore, COPPA would apply.

GO TO QUESTION 16.

16. Does your app offer a substance use disorder treatment service or substance use disorder treatment product?

Yes

OARFPA:  If your app offers a substance use disorder treatment service or substance use disorder treatment product, then your app must comply with the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA). To comply with OARFPA, you must not engage in any unfair or deceptive practices with respect to any substance use disorder treatment service or substance use disorder treatment product. 15 U.S.C. § 45d(a). OARFPA defines “substance use disorder treatment product” to mean “a product for use or marketed for use in treatment, cure, or prevention of a substance use disorder, including an opioid use disorder.” P.L. 115-271 § 8022, 15 U.S.C § 45d. OARFPA defines “substance use disorder treatment service to mean a service that purports to provide referrals to treatment, treatment, or recovery housing for people diagnosed with, having, or purporting to have a substance use disorder, including an opioid use disorder.” P.L. 115-271 § 8022, 15 U.S.C § 45d.

You’ve completed this interactive tool.

No

If your app is not related to a substance use disorder treatment service or substance use disorder treatment product, OARFPA does not apply.

You’ve completed this interactive tool.

We hope this tool has helped you figure out which federal laws and regulations may apply to you and your mobile health app. No matter which laws and regulations may apply, consumers want your app to take the privacy and the security of their health information seriously. Here are some tips for how to protect consumers’ privacy and the security of their health information.

Glossary

Identifiable health information

In this tool, we use identifiable health information to mean demographic information and relates to a consumer’s past, present, or future physical or mental health or condition; the provision of health care; or the past, present, or future payment for provision of health care to the consumer, that identifies the consumer or for which there’s a reasonable basis to believe it can be used to identify the consumer. For example, the consumer’s IP address, if maintained by a health plan’s wellness app, is identifiable health information. Note: This term is inclusive of PHI, PHR-identifiable health information, and EHI as defined in the respective Rules discussed in this tool.

Terms from the HIPAA Rules (45 CFR Part 160 and 45 CFR Part 164)

HIPAA covered entities

A HIPAA covered entity is a health plan, a health care clearinghouse, or a health care provider who conducts certain electronic transactions. See 45 CFR 160.103 for definition of a covered entity.

Health care providers who conduct certain electronic transactions

HIPAA covered health care providers include doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, and pharmacies that conduct certain payment and coverage-related health care transactions electronically. For example, a provider that electronically submits a claim to a health plan is a covered health care provider. Providers range from small physician practices to large hospital systems. See 45 CFR 160.103 for definitions of health care provider and transaction.

Health plans

Health plans include health insurance companies; health maintenance organizations (HMOs); company health plans; and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs. Read HHS’s Covered Entities and Business Associates for more information. See also 45 CFR 160.103 for definition of health plan.

Health care clearinghouses

Health care clearinghouses are entities that process nonstandard health information they receive from another entity into standard data elements or a standard transaction, or vice versa. For example, an entity that processes nonstandard health information into a standard transaction to send claim information from a health care provider to a health plan is health care clearinghouse. A health care clearinghouse is acting as a business associate when it conducts these services for another covered entity or business associate. Read HHS’s Covered Entities and Business Associates for more information. See 45 CFR 160.103 for definitions of health care clearinghouse and transaction.

HIPAA business associate

A HIPAA business associate creates, receives, maintains, or transmits PHI for certain functions or activities on behalf of, or provides certain services to, a covered entity (or another business associate). These functions or activities include claims processing, data analysis, utilization review, and billing. A business associate also is a person who provides data transmission services with respect to PHI to a covered entity and who requires access to the information on a routine basis, a person who offers a personal health record on behalf of a covered entity, or a subcontractor to another business associate. See 45 CFR 160.103. Consult these resources for more information on business associates:

Protected health information (PHI)

Protected health information (PHI) is individually identifiable health information maintained or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral, with certain exceptions. See this description of PHI and 45 CFR 160.103.

Individually identifiable health information (IIHI)

Individually identifiable health information (IIHI) generally is information that is created or received by a health care provider, health plan, employer, or health care clearinghouse; relates to a physical or mental health or condition of an individual or the provision of or payment for health care to an individual; and identifies or could be used to identify the individual. See 45  CFR 160.103 for full definition.

 

Terms from the Federal Food, Drug, and Cosmetic Act (Section 201(h)(1) and 520(o)) and FDA Guidance

 

Medical device

Under section 201(h)(1) of the Federal Food, Drug, and Cosmetic Act (FD&C Act), a device is an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory which is:

  1. recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
  2. intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
  3. intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes. The term “device” does not include software functions excluded pursuant to section 520(o) of the FD&C Act.

Section 520(o) of the Federal Food, Drug, and Cosmetic Act: (o) REGULATION OF MEDICAL AND CERTAIN DECISIONS SUPPORT SOFTWARE —

(1) The term device, as defined in section 201(h), shall not include a software function that is intended—

(A) for administrative support of a health care facility, including the processing and maintenance of financial records, claims or billing information, appointment schedules, business analytics, information about patient populations, admissions, practice and inventory management, analysis of historical claims data to predict future utilization or cost-effectiveness, determination of health benefit eligibility, population health management, and laboratory workflow;

(B) for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition;

(C) to serve as electronic patient records, including patient-provided information, to the extent that such records are intended to transfer, store, convert formats, or display the equivalent of a paper medical chart, so long as—

(i) such records were created, stored, transferred, or reviewed by health care professionals, or by individuals working under supervision of such professionals;

(ii) such records are part of health information technology that is certified under section 3001(c)(5) of the Public Health Service Act; and

(iii) such function is not intended to interpret or analyze patient records, including medical image data, for the purpose of the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition;

(D) for transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results, findings by a health care professional with respect to such data and results, general information about such findings, and general background information about such laboratory test or other device, unless such function is intended to interpret or analyze clinical laboratory test or other device data, results, and findings; or

(E) unless the function is intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system, for the purpose of—

(i)   displaying, analyzing, or printing medical information about a patient or other medical information (such as peer-reviewed clinical studies and clinical practice guidelines);

(ii)  supporting or providing recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition; and

(iii) enabling such health care professional to independently review the basis for such recommendations that such software presents so that it is not the intent that such health care professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.

Device software function, including mobile medical app

FDA refers to software functions that are medical device functions as “device software functions.” Software functions that meet the definition of a device may be deployed on mobile platforms, other general-purpose computing platforms, or in the function or control of a hardware device. If a software function that meets the definition of a medical device is deployed on a mobile platform, it may be referred to as a “mobile medical app.” To determine if your app is a mobile medical app that is the focus of FDA’s regulatory oversight, see Section V.A. of the FDA’s Policy for Device Software Functions and Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff (“Device software functions: Subset of software functions that are the focus of FDA’s regulatory oversight”). Also, see Appendix C of the FDA’s Policy for Device Software Functions and Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff (“Examples of Software Functions that are the focus of FDA’s regulatory oversight (Device Software Functions and Mobile Medical Apps)”), which provides examples of software functions that are device software functions. You can also visit the FDA’s website on Device Software Functions and Mobile Medical Applications.

If you have further questions about determining whether your app is a medical device, visit the Digital Health Center of Excellence website, email digitalhealth@fda.hhs.gov or contact the FDA via Device Advice: Comprehensive Regulatory Assistance; CDRH Division of Industry and Consumer Education (DICE).

^ top

Terms from the FTC’s Health Breach Notification Rule (16 CFR Part 318)

Vendor of personal health records (PHR), PHR related entity, or third party service provider

Vendor of PHRs

A vendor of personal health records offers or maintains PHRs – EHRs that have the technical capacity to draw from multiple sources and that are managed, shared, and controlled primarily by or for the individual – directly to consumers.

PHR related entity

A PHR related entity interacts with a PHR vendor, either by offering products or services through the vendor’s website (regardless of whether that vendor is covered by HIPAA), or by accessing identifiable health information in, or sending identifiable health information to a PHR.

Third Party Service Provider

A third party service provider offers services to a PHR vendor or PHR related entity involving the access, use, maintenance, modification, disclosure, or disposal of health information.

Terms from the Information Blocking Regulations (45 CFR part 171)

Electronic Health Information

Electronic health information (EHI) means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include:

(1) Psychotherapy notes as defined in 45 CFR 164.501; or

(2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

 

Access, Exchange, and Use

Access

Access means the ability or means necessary to make electronic health information available for exchange or use.

 

Exchange

 

Exchange means the ability for electronic health information to be transmitted between and among different technologies, systems, platforms, or networks.

 

Use

 

Use means the ability for electronic health information, once accessed or exchanged, to be understood and acted upon.

Information Blocking “Actors”

Health Care Provider

Health care provider includes a: hospital; skilled nursing facility; nursing facility; home health entity or other long term care facility; health care clinic; community mental health center; renal dialysis facility; blood center; ambulatory surgical center; emergency medical services provider; federally qualified health center; group practice; pharmacist; pharmacy; laboratory; physician; practitioner; provider operated by or under contract with the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization; rural health clinic; covered entity under 42 U.S.C. 256b; ambulatory surgical center; therapist; and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary.

Detailed statutory citations for specific health care provider types were removed in order to present a simplified view of the “health care provider” definition. HHS information resources, such as a fact sheet, about this definition are available through ASTP's official website, HealthIT.gov.

Health Information Network or Health Information Exchange

Health information network or health information exchange means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:

(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and

(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.

Health IT Developer of Certified Health IT

Health IT developer of certified health IT means an individual or entity, other than a health care provider that self-develops health IT that is not offered to others, that develops or offers health information technology (as that term is defined in 42 U.S.C. 300jj(5)) and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ASTP/ONC Health IT Certification Program).