Mobile health app regulation more than just FDA, HIPAA

By Jonah Comstock
AcneApp, one of the mobile medical apps the FTC removed in 2011.

Correction: A previous version of this article said the ONC, not the OCR, released the HIPAA omnibus rule.

This year has been a big year for health app regulation: FDA released its final guidance on regulation of mobile medical apps earlier this year, and the Office of Civil Rights released its final HIPAA omnibus rule in January. But there is a third agency regulating health apps, in cases where neither the FDA's harm standard nor HIPAA applies: the Federal Trade Commission.

At the mHealth Summit in National Harbor, Maryland, William Baker, an attorney with Wiley Rein LLP, talked about the FTC's role in regulating apps, as well as the role played by state attorneys general and industry self-regulation.

Baker said FTC regulation is concerned with "misleading or unfair trade practices," such as the commission's removal of dermatology apps from the iOS and Google Play stores in 2011. But the agency is also concerned with privacy and security of data that isn't covered under HIPAA, like, potentially, data from health and fitness apps. Just last week, the FTC cracked down on an app for data security reasons, though it was not a health app -- it was a flashlight app that gave users' geographic location to third parties without permission.

"The end user license agreement didn't disclose that it was collecting precise geographic data," he said. "There was an accept and refuse button. The app was already collecting and transmitting data before the button appeared, and if you clicked refuse, it did it anyway."

Recently, the FTC's pursuit of medical research company LabMD has suggested that the commission is no longer limiting itself to non-PHI privacy concerns. The Georgia company has sued in response, alleging that the FTC is overstepping its bounds.

Baker said that app developers might have to fear another group even more than the FTC when it comes to privacy and security, however: the state of California. Because California's covered class is California consumers, Baker said, the Attorney General there will go after any app company nationwide that has Californian customers. Other states have laws worded that way, but California has already proven itself especially aggressive in matters of app privacy. Last year, California AG Kamala Harris convinced Google, Apple and others to require their developers to include privacy statements, shortly after suing Delta Airlines for violating California online privacy laws.

Finally, Baker talked about efforts in the industry to better self-regulate apps. He said the Better Business Bureau has a seal for apps now, and the Mobile Marketing Association has a set of opt-in privacy and security guidelines.

He also was involved in a National Telecommunications & Information Administration multistakeholder group proposed by the White House. The group of 30 to 40 stakeholders completed its guidelines for mobile app privacy in late July and is currently testing them among its members, Baker said.
