Privacy and security are important considerations for any app—and especially apps that collect and share consumers’ health information. As you design, market, and distribute your mobile health app, think about which U.S. federal laws may apply. Check out this interactive tool to help you navigate laws and rules that may apply to you or your app.
Who Should Use this Tool?
This tool is for anyone developing a mobile app that will access, collect, share, use, or maintain information related to an individual consumer’s health, such as information related to diagnosis, treatment, fitness, wellness, or addiction. Here are some examples:
- Apps that help consumers track or monitor fitness or activity, diet, mood, sleep, menstruation or fertility, smoking or alcohol consumption, or medications
- Apps that help consumers view, use, or share their medical records or health insurance claims data or otherwise access information from their doctor, health care clinic, or health plan
- Apps that sync with health platforms or internet-connected devices, like a fitness tracker, sleep monitor, blood pressure monitor, or a watch that records activity or heart rate
- Apps that diagnose or treat a disease or health condition, or record information that might be relevant to diagnosis or treatment
If your app relates to health information in these (or other) ways, you’re in the right place. This tool is meant to help you figure out the federal regulatory, privacy, and security laws and regulations that may apply. (Hint: More than one may apply.)
An important caveat: This tool is not offering legal advice and is provided for informational purposes only. Using this tool isn’t required by federal law and can’t guarantee compliance with applicable federal requirements. Instead, it’s meant to give you a snapshot of potential compliance obligations and point you to educational materials and best practices for delivering safe, accurate services while safeguarding the privacy and security of consumer information.
What Are the Relevant 鶹ý Laws and Regulations?
Health Insurance Portability and Accountability Act (HIPAA) Rules
The HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) protect the privacy and security of most individually identifiable health information held by health plans, most health care providers, and health care clearinghouses (these groups are called “covered entities”). Such information is referred to as protected health information, or PHI. In addition, the HIPAA Rules apply to people or companies who create, receive, maintain, or transmit health information for, or provide certain services to a covered entity (those groups are called “business associates”). The HIPAA Rules also require these entities to provide notifications of any breaches of health information. The Office for Civil Rights (OCR) within the U.S. Department of Health & Human Services (HHS) enforces the HIPAA Rules. Importantly, the HIPAA Rules do not apply to health information maintained by anyone who isn’t a covered entity or business associate. For example, the HIPAA Rules likely wouldn’t apply to consumer health information maintained in an app that isn’t offered by a HIPAA covered entity or its business associate, even if the health information originated from a covered entity or business associate.
If health information is not protected by the HIPAA Rules, does this mean that there are no federally required protections for the information? No! Other federal laws likely apply. For example, the 鶹ý Trade Commission (“FTC”) Act applies to most app developers. So, there’s a good chance the FTC Act will require you, among other things, to have reasonable privacy and security practices in place. More on that later.
For additional information and helpful resources about the HIPAA Rules, please visit OCR’s health information privacy page at .
鶹ý Food, Drug, and Cosmetic Act (FD&C Act)
The Food and Drug Administration (FDA) enforces the FD&C Act, which among other things regulates the safety and effectiveness of medical devices, including certain mobile medical apps. The FDA focuses its regulatory oversight of digital health devices on a subset of mobile health apps that could pose a risk to consumers if they don’t work as intended. The FDA considers a software function to be a medical device, and subject to FDA device regulation, if it meets the definition of device in section 201(h) of the FD&C Act. When a software function is intended for use in the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the human body, the software function is a device under section 201(h) of the FD&C Act, if it is not a software function excluded from the device definition by the 21st Century Cures Act. FDA’s may be referenced to help in determining whether your product’s software functions are potentially the focus of the FDA’s oversight.
21st Century Cures Act & ASTP Information Blocking Regulations
Through the offices of its (OIG) and (ASTP) as well as the Centers for Medicare & Medicaid Services (CMS), HHS issues regulations — and takes other steps when necessary — to enforce the prohibition of “.” ASTP also maintains the for the that meets certain technical requirements to support needs for interoperable health IT in the nation’s health information infrastructure.
The issued through ASTP apply to practices likely to interfere with access, exchange, or use of (EHI) and define certain exceptions to the definition of information blocking. When a engages in any practice that is not required by law or covered by a regulatory exception, , and that practice is likely to interfere with access, exchange, or use of EHI, that practice could be information blocking.
Importantly, the function in complement with other laws, such as HIPAA and state laws, that protect the privacy and security of patients’ health information. The information blocking regulations do not require or excuse violation of other laws.
The information blocking regulations include for reasonable and necessary practices that protect the privacy and security of patients’ EHI. Privacy- and security-protective practices that meet these exceptions’ conditions will not be considered information blocking.
If a developer chooses to certify health IT through the voluntary ASTP/ONC Health IT Certification Program, that health IT must meet specific . These requirements include implementing appropriate (certification criteria) and making certain publicly available statements (“attestations”) that ensure transparency about of the certified technology.
For additional information and helpful resources about the or the voluntary , please visit .
鶹ý Trade Commission Act (FTC Act)
The FTC enforces Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce, including those relating to the privacy and security of personal information that apps collect, use, maintain, or share, as well as the safety or performance that apps provide. Section 12 of the FTC Act prohibits false advertisements for food, drugs, devices, cosmetics, or services in or affecting commerce.
The FTC Act applies to most app developers – including developers of health apps. For example, if you develop an app and share consumers’ health information with third parties after telling or implying to consumers that their information will be kept private, you could be violating the FTC Act. Also, if you certify through the voluntary ASTP/ONC Health IT Certification Program and make certain transparency attestations about your app’s privacy or security features and then don’t live up to those promises, the FTC could bring an enforcement action against you.
FTC’s Health Breach Notification Rule
The FTC’s Health Breach Notification Rule requires entities covered by the Rule to provide notifications to consumers, the FTC, and, in some cases, the media, following certain breaches of personal health record information. The FTC’s Health Breach Notification Rule applies to most health apps that aren’t covered by HIPAA because most developers of health apps are acting as “health care providers” by furnishing health care services or supplies – in this case, apps – to consumers. (That definition of “health care provider” comes from 42 U.S.C. § 1320d, which is referenced in Section 318.2(e) of the FTC’s Rule.) If your app experiences a breach—that is, any incidents of unauthorized access, including sharing of identifying health information, without consumers’ authorization—you are likely required to notify consumers, the FTC, and, in some cases, the media. If you don’t provide that notice, you could face an FTC enforcement action seeking hefty civil penalties.
Children’s Online Privacy Protection Act (COPPA)
The FTC enforces the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule, which give parents control over the information that operators of websites and online services can collect from children. COPPA applies to the operator of any commercial website or online service (including a mobile app) that is directed to children under 13 or where the operator has actual knowledge that it collects, uses, or discloses personal information from children under 13. Before collecting children’s personal information – that includes online contact information, persistent identifiers, photos, video, audio, and geolocation information – COPPA requires the operator to (among other things) give parents notice of what personal information the operator is collecting from children and to get the parent’s verifiable consent. COPPA also requires that operators establish and maintain reasonable procedures for protecting the confidentiality, security, and integrity of children’s personal information.
Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA)
Section 8023 of the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) authorizes the Commission to seek civil penalties for unfair or deceptive acts or practices with respect to any substance use disorder treatment service or substance use disorder treatment product. Substance use disorder treatment services are services that purport to provide treatment, referrals to treatment, or recovery housing for people with substance use disorders. Substance use disorder treatment products are products used or marketed for use in treating, curing, or preventing substance use disorders.
Which 鶹ý Laws and Regulations May Apply?
1. Does/will your app collect, share, use, or maintain health information?
2. Does the information the app collects fall within the HIPAA Rules’ definition of “individually identifiable health information”?
3a. Are you a health plan?
3b. Are you a health care provider, such as a doctor, dentist, psychologist, hospital, health care clinic, or pharmacy?
4a. Do you develop, offer, or sell any certified health information technology?
4b. Do you enable electronic health information exchange among more than two unaffiliated parties?
5. Do consumers need a prescription to access your app?
6. Are you developing, offering, or operating an app on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)? Or are you acting as a subcontractor to another entity providing services to a covered entity?
7. Is your app intended:
- for use in the diagnosis of disease or other conditions?
- for use in the cure, mitigation, treatment, or prevention of disease? or
- to affect the structure or any function of the body?
8. Is your app solely intended for:
- administrative support of a health care facility? and/or
- maintaining or encouraging a healthy lifestyle? and/or
- serving as electronic patient records? and/or
- transferring, storing, converting formats, or displaying data? and/or
- providing limited clinical decision support to a health care provider?
9. Does your app pose a “low risk” to patients?
For the purposes of regulating medical device applications, FDA considers “low risk” apps those that are intended to:
- help patients self-manage their disease or condition without providing specific treatment suggestions; or
- automate simple tasks for health care providers.
10. Does your app include a device software function that is the focus of FDA’s oversight?
If a software function that meets the definition of a device is used on a mobile platform, it may be referred to as a “mobile medical app.” If the software function is not a low risk software function for which FDA does not intend to enforce requirements under the FD&C Act at this time, then it is a device software function that is the focus of FDA’s regulatory oversight. The following are types of software functions that FDA considers to be device software functions that are a focus of its regulatory oversight:
- Software functions that are an extension of one or more medical devices by connecting to such device(s) for purposes of controlling the device(s) or analyzing medical device data (for example, an app that controls the delivery of insulin on an insulin pump by transmitting control signals to the pumps from the mobile platform).
- Software functions (typically, mobile apps) that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices. Software functions that use attachments, display screens, sensors, or other such similar components to transform a mobile platform into a regulated medical device are required to comply with the device classification associated with the transformed platform (for example, an app that uses an attachment of a blood glucose strip reader to a mobile platform to function as a glucose meter).
- Software functions that become a regulated medical device by performing patient-specific analysis and providing patient-specific output(s) or directive(s) to health care professionals for use in the diagnosis, treatment, mitigation, cure, or prevention of a disease or condition. Additionally, software functions that perform patient-specific analysis and provide patient-specific diagnosis or treatment recommendations to patients, caregivers, or other users who are not health care professionals (for example, an app that uses patient-specific parameters and calculates dosage or creates a dosage plan for radiation therapy).
11. Is your app for use by consumers?
12. Does your app:
- collect, receive, or maintain identifiable health information for consumers?
- access health information in personal health records?
- send health information to personal health records?
- offer products or services through the website of an entity that maintains health records for consumers?
- provide services to an entity that maintains health records for consumers?
13. Is your app intended for children?
14. Does your app use child-oriented activities, incentives, design, music, or the like?
15. Do you have actual knowledge that children are using your app?
16. Does your app offer a substance use disorder treatment service or substance use disorder treatment product?
You’ve completed this interactive tool.
We hope this tool has helped you figure out which federal laws and regulations may apply to you and your mobile health app. No matter which laws and regulations may apply, consumers want your app to take the privacy and the security of their health information seriously. Here are some tips for how to protect consumers’ privacy and the security of their health information.
Glossary
Identifiable health information
In this tool, we use identifiable health information to mean demographic information and relates to a consumer’s past, present, or future physical or mental health or condition; the provision of health care; or the past, present, or future payment for provision of health care to the consumer, that identifies the consumer or for which there’s a reasonable basis to believe it can be used to identify the consumer. For example, the consumer’s IP address, if maintained by a health plan’s wellness app, is identifiable health information. Note: This term is inclusive of PHI, PHR-identifiable health information, and EHI as defined in the respective Rules discussed in this tool.
Terms from the HIPAA Rules ( and )
HIPAA covered entities
A HIPAA covered entity is a health plan, a health care clearinghouse, or a health care provider who conducts certain electronic transactions. See for definition of a covered entity.
Health care providers who conduct certain electronic transactions
HIPAA covered health care providers include doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, and pharmacies that conduct certain payment and coverage-related health care transactions electronically. For example, a provider that electronically submits a claim to a health plan is a covered health care provider. Providers range from small physician practices to large hospital systems. See for definitions of health care provider and transaction.
Health plans include health insurance companies; health maintenance organizations (HMOs); company health plans; and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs. Read HHS’s for more information. See also for definition of health plan.
Health care clearinghouses are entities that process nonstandard health information they receive from another entity into standard data elements or a standard transaction, or vice versa. For example, an entity that processes nonstandard health information into a standard transaction to send claim information from a health care provider to a health plan is health care clearinghouse. A health care clearinghouse is acting as a business associate when it conducts these services for another covered entity or business associate. Read HHS’s for more information. See for definitions of health care clearinghouse and transaction.
A HIPAA business associate creates, receives, maintains, or transmits PHI for certain functions or activities on behalf of, or provides certain services to, a covered entity (or another business associate). These functions or activities include claims processing, data analysis, utilization review, and billing. A business associate also is a person who provides data transmission services with respect to PHI to a covered entity and who requires access to the information on a routine basis, a person who offers a personal health record on behalf of a covered entity, or a subcontractor to another business associate. See. Consult these resources for more information on business associates:
Protected health information (PHI)
Protected health information (PHI) is individually identifiable health information maintained or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral, with certain exceptions. See of and .
Individually identifiable health information (IIHI)
Individually identifiable health information (IIHI) generally is information that is created or received by a health care provider, health plan, employer, or health care clearinghouse; relates to a physical or mental health or condition of an individual or the provision of or payment for health care to an individual; and identifies or could be used to identify the individual. See for full definition.
Terms from the 鶹ý Food, Drug, and Cosmetic Act (Section 201(h)(1) and 520(o)) and FDA Guidance
Medical device
Under section 201(h)(1) of the 鶹ý Food, Drug, and Cosmetic Act (FD&C Act), a device is an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory which is:
- recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
- intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
- intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes. The term “device” does not include software functions excluded pursuant to section 520(o) of the FD&C Act.
Section 520(o) of the 鶹ý Food, Drug, and Cosmetic Act: (o) REGULATION OF MEDICAL AND CERTAIN DECISIONS SUPPORT SOFTWARE —
(1) The term device, as defined in section 201(h), shall not include a software function that is intended—
(A) for administrative support of a health care facility, including the processing and maintenance of financial records, claims or billing information, appointment schedules, business analytics, information about patient populations, admissions, practice and inventory management, analysis of historical claims data to predict future utilization or cost-effectiveness, determination of health benefit eligibility, population health management, and laboratory workflow;
(B) for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition;
(C) to serve as electronic patient records, including patient-provided information, to the extent that such records are intended to transfer, store, convert formats, or display the equivalent of a paper medical chart, so long as—
(i) such records were created, stored, transferred, or reviewed by health care professionals, or by individuals working under supervision of such professionals;
(ii) such records are part of health information technology that is certified under section 3001(c)(5) of the Public Health Service Act; and
(iii) such function is not intended to interpret or analyze patient records, including medical image data, for the purpose of the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition;
(D) for transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results, findings by a health care professional with respect to such data and results, general information about such findings, and general background information about such laboratory test or other device, unless such function is intended to interpret or analyze clinical laboratory test or other device data, results, and findings; or
(E) unless the function is intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system, for the purpose of—
(i) displaying, analyzing, or printing medical information about a patient or other medical information (such as peer-reviewed clinical studies and clinical practice guidelines);
(ii) supporting or providing recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition; and
(iii) enabling such health care professional to independently review the basis for such recommendations that such software presents so that it is not the intent that such health care professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.
Device software function, including mobile medical app
FDA refers to software functions that are medical device functions as “device software functions.” Software functions that meet the definition of a device may be deployed on mobile platforms, other general-purpose computing platforms, or in the function or control of a hardware device. If a software function that meets the definition of a medical device is deployed on a mobile platform, it may be referred to as a “mobile medical app.” To determine if your app is a mobile medical app that is the focus of FDA’s regulatory oversight, see Section V.A. of the FDA’s (“Device software functions: Subset of software functions that are the focus of FDA’s regulatory oversight”). Also, see Appendix C of the FDA’s (“Examples of Software Functions that are the focus of FDA’s regulatory oversight (Device Software Functions and Mobile Medical Apps)”), which provides examples of software functions that are device software functions. You can also visit the FDA’s website on .
If you have further questions about determining whether your app is a medical device, visit the Digital Health Center of Excellence website, email digitalhealth@fda.hhs.gov or contact the FDA via ; CDRH Division of Industry and Consumer Education (DICE).
Terms from the FTC’s Health Breach Notification Rule ()
Vendor of personal health records (PHR), PHR related entity, or third party service provider
A offers or maintains PHRs – EHRs that have the technical capacity to draw from multiple sources and that are managed, shared, and controlled primarily by or for the individual – directly to consumers.
PHR related entity
A interacts with a PHR vendor, either by offering products or services through the vendor’s website (regardless of whether that vendor is covered by HIPAA), or by accessing identifiable health information in, or sending identifiable health information to a PHR.
Third Party Service Provider
A offers services to a PHR vendor or PHR related entity involving the access, use, maintenance, modification, disclosure, or disposal of health information.
Terms from the Information Blocking Regulations ()
Electronic Health Information
means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in , but EHI shall not include:
(1) Psychotherapy notes as defined in ; or
(2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Access, Exchange, and Use
Access
means the ability or means necessary to make electronic health information available for exchange or use.
Exchange
means the ability for electronic health information to be transmitted between and among different technologies, systems, platforms, or networks.
Use
means the ability for electronic health information, once accessed or exchanged, to be understood and acted upon.
Information Blocking “Actors”
includes a: hospital; skilled nursing facility; nursing facility; home health entity or other long term care facility; health care clinic; community mental health center; renal dialysis facility; blood center; ambulatory surgical center; emergency medical services provider; federally qualified health center; group practice; pharmacist; pharmacy; laboratory; physician; practitioner; provider operated by or under contract with the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization; rural health clinic; covered entity under 42 U.S.C. 256b; ambulatory surgical center; therapist; and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary.
Detailed statutory citations for specific health care provider types were removed in order to present a simplified view of the “health care provider” definition. HHS information resources, such as a fact sheet, about this definition are available through ASTP's official website, .
Health Information Network or Health Information Exchange
means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:
(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts and .
Health IT Developer of Certified Health IT
means an individual or entity, other than a health care provider that self-develops health IT that is not offered to others, that develops or offers health information technology (as that term is defined in ) and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to (ASTP/ONC Health IT Certification Program).