FTC increasingly active in OCR, FDA's traditional purviews

By Jonah Comstock
Share
A brain training game fined by the FTC earlier this year. A brain training game fined by the FTC earlier this year.

Developers of mobile health apps need to be mindful of regulation from a number of different quarters. Among others, developers need to be aware of the FDA, OCR (HIPAA), and the FTC, which is increasingly regulating areas that would seem to be the purview of one of the other two groups.

At a HIMSS session on mobile and digital health regulation, Sharon Klein, a partner at Pepper Hamilton, talked about how the FTC is increasingly becoming involved in data privacy cases. According to Klein, a rise in consumer wellness devices and apps has created a category of health data that doesn't originate in the healthcare system and therefore isn't covered by HIPAA, but could still be sensitive.

"Those of us who have been practicing for decades, we all thought that if we truly understood HIPAA HITECH and we respected all the rules and the privacy and security, we were compliant with regulations, right?" she said. "Not today. The big word inside the beltway is 'non-HIPAA regulated medical data'. This is information that’s on our phones and the individual is providing it, not a covered entity. Information is flowing back and forth into the cloud and it is not necessary regulated by HIPAA HITECH, but it might well be regulated by the Federal Trade Commission."

Even when the consumer signs away their information, the FTC still reserves the right to make sure the consumer was informed in a responsible way of what they were agreeing to. Klein pointed to a case in February where the FTC cracked down on PaymentsMD, a medical billing software that was collecting extra medical information after only informing users via some fine print.

"PaymentsMD had a consent form in four parts, which originally the consumer thought was for the purpose of tracking medical bills," Klein said. "It’s a free app. But it failed to disclose comprehensive collection of consumer medical information for a patient health report. One of those authorizations, was to enable the mobile app vendor to collect real medical information and populate this patient health information which was then commercialized. ... The FTC objected to having a combined authorization, to having the consent in small print, to having the terms of use coming out six lines at a time. So they’re very much into the weeds in terms of transparency and choice and just-in-time disclosures."

Around the same time, in a move only tangentially related to healthcare, the FTC also went after webcam company TrendNet for lax security that allowed its private cameras (marketed for home security purposes and to monitor babies) to be accessed by anyone with an internet connection.

The FTC has issued its privacy guidelines in the form of a series of reports, the most recent of which dealt specifically with the internet of things. That document came out in January.

Although Klein did not mention it in her talk, MobiHealthNews has also observed a willingness on the part of the FTC to venture into the FDA's territory of regulating potentially dangerous medical apps. In February, the commission brought action against two mole detection apps that it felt couldn't back up their medical claims, and in January it went after a children's brain training game on similar grounds.

nike air max 2019 infrared