The FTC is closing out 2022 with additional guidance for mobile health app developers, signaling its continued interest in this industry. Since 2021, we have seen several steps from the agency demonstrating a focus on companies that collect health information but may not be a covered entity or business associate under HIPAA. These steps include publishing additional resources, releasing commentary that broadly interprets the FTC’s Health Breach Notification Rule, and enforcement activity. Most recently, the FTC and other key regulators updated their “Mobile Health App Interactive Tool”.
Companies may use this tool to evaluate whether their mobile health app triggers HIPAA, the FTC Act, the Food, Drug, and Cosmetic Act (FD&C Act), the 21st Century Cures Act and ONC Information Blocking Regulations, the FTC’s Health Breach Notification Rule, and COPPA. Previously, the tool largely focused on the applicability of HIPAA, the FTC Act, and the FD&C Act. This resource, which has existed for several years, now includes new questions and considerations. The questions posed in the tool also contemplate more specific examples and use cases than before.
Putting it into Practice. Companies collecting health information are reminded of the myriad laws (both federal and state) that may apply. Organizations can use the updated mobile health interactive tool as an initial starting point in evaluating which laws may apply to them. Given emerging new laws (like the Information Blocking Regulations) and the broad interpretation of existing laws (like the FTC Health Breach Notification Rule), now is a good time for companies to reassess whether they are complying with all relevant laws. These additional resources also signal that the FTC is likely to have increased expectations of companies in the forthcoming year. Companies are also reminded of forthcoming state comprehensive privacy laws – several of which introduce concepts around the collection of “sensitive” information. Both California’s and Virginia’s laws, coming into effect January 1, 2023, impose requirements for collecting sensitive (or health) information if no exceptions apply.