Regulatory Landscape Remains Unclear for Mobile Health App Developers

By Mariko Kageyama

The digital health field has been growing exponentially and is now expanding rapidly into emerging markets. As a result, mobile health apps, or “mHealth apps,” have exploded in popularity. If you search for “health” on online app stores such as Apple’s App Store or Google Play, you will have no problem finding countless apps with various health-related purposes. One survey reports that nearly 260,000 mHealth apps were available worldwide by 2016.

However, what mHealth app developers and consumers may not realize is that these new technologies are becoming the target of increasingly tight regulations by both federal and state laws in the United States.

At the federal level, mobile health apps may be scrutinized under the following federal agency laws:

  • Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act – These acts regulate data privacy and security of health information. They are enforced by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC);
  • Food, Drug, and Cosmetic Act (FDCA) – This act allows the Food and Drug Administration (FDA) to regulate the safety and effectiveness of “medical devices;” and
  • Federal Trade Commission Act (FTC Act) – This act both creates the FTC and allows it to enforce and penalize deceptive or unfair business practices including false or misleading claims about apps’ performance.

Among these major agency players, the FDA has struggled the most with trying to adapt its existing regulatory framework to include and regulate mHealth apps.

For instance, the FDA can regulate “medical devices,” but what qualifies as a “medical device” under FDA law? According to its 2015 Guidance, the FDA does not want to regulate every single smartphone app that tangentially relates to fitness or wellness. Instead, the FDA only wants to keep an eye on a small subset of apps called “mobile medical apps” that may pose moderate to high risks to a patient’s safety if the apps fail to work as intended. “Mobile medical apps” can either be those connected to existing medical devices already regulated by FDA, or those that “transform” mobile platforms into an FDA-regulated device.

The FDA explains that a mobile app “transforms” into a medical device when it uses attachments, display screens, or sensors, or when it uses a mobile platform’s built-in features such as light, vibrations, and camera to create functionalities similar to those of currently regulated devices. But the exact actions that constitute a “transformation” are not yet known and remain open to significant agency discretion.

Therefore, if you were to create a new mHealth app that “transforms” a mobile device, you may need to seek FDA approval for a specific medical device classification based on the level of safety risks it poses. The classes are ranked I, II, or III and any class of device can be subject to what is known as Premarket Notification 510(k).

In anticipation of ambiguities in this field, multiple federal agencies collaborated in 2016 to create the Mobile Health Apps Interactive Tool. What is unique about this user-friendly educational website is that it is clearly intended for IT developers, not healthcare professionals or general consumers.

State laws have also come into play. Earlier in 2017, the New York Attorney General settled with three mHealth app developers for state law violations over their misleading marketing and privacy practices. Those mHealth apps are: My Baby’s Beat–Prenatal Listener; Heart Rate Monitor & Pulse Tracker; and Cardiio-Heart Rate Monitor + 7 Minute Workout. As illustrated in the settlement documents, these apps do not look any more sophisticated than other similar apps, but the New York AG maintained that these cardiac rate monitors probably fall under FDA Class II medical devices. Such a classification means that these are higher risk devices than Class I and thus subject to greater regulatory controls. Although the investigation did not go further, these state cases show that mHealth app developers and manufacturers can be exposing themselves to large amounts of liability at the state level as well as the federal level.

Despite this heightened oversight, the current FDA Guidance is clearly nothing more than a temporary fix when much more is needed to address these issues in such a rapidly growing and changing field. Because Congress has a less-than-great track record of quickly enacting laws, the FDA and other relevant agencies should act swiftly to reevaluate these regulations in order to ensure consumer health and safety while simultaneously fostering innovation in this massively beneficial field.


Virtual Trespass: Not in My Backyard

By Yonah Reback

Who could have predicted that last summer’s biggest fad would be the reemergence of a Japanese video game whose cultural relevance peaked fifteen years ago? If you had known that Pokémon Go would immediately sweep the nation’s interest upon its release in July 2016, call me—I want your stock tips for this summer. For the rest of us mortals, the game was a surprise hit, quickly drawing the attention of not just kids and gamers, but anyone tuned in to pop culture.  Continue reading “Virtual Trespass: Not in My Backyard”

Twitter Fights Back in the ‘Trump Era’ to Protect ‘Rogue’ Government Accounts


By Jeff Bess

During the early days of Donald Trump’s presidency, Twitter accounts purporting to represent unofficial “resistance” factions of federal agencies emerged and proliferated alternative perspectives on the inner workings of the Trump administration and its policies. These accounts claim to represent holdover factions from the Obama administration and career officials in agencies and government organizations such as the National Parks Service and the Federal Bureau of Investigation. The accounts issued frequent tweets critiquing the Trump administration’s policies across a variety of issues. Agencies “represented” by “alternative” Twitter accounts run the gamut from the Department of Justice to NASA to the National Weather Service.

Continue reading “Twitter Fights Back in the ‘Trump Era’ to Protect ‘Rogue’ Government Accounts”

$5.3 Million Settlement over “Find Friends” iOS Feature

By Kiran Jassal

Eight companies (Foodspotting, Foursquare, Gowalla, Instagram, Kik, Path, Twitter, and Yelp) have agreed to a proposed settlement of $5.3 million in a case surrounding the “Find Friends” feature in iOS apps. As the name suggests, “Find Friends” allows consumers to quickly discover if any of their contacts are also using an app. Interestingly, both Apple and LinkedIn are among the companies named in the lawsuit; however, they are continuing to fight the case while the aforementioned entities have decided to settle. Continue reading “$5.3 Million Settlement over “Find Friends” iOS Feature”

Public Records in the Age of Trump

By Jeff Bess

It is more than cliché to observe that the advent and evolution of the internet has deeply transformed modern society in many ways, both micro and macro. Indeed, not a clearer example exists than the role social media played in the 2016 presidential election. With over twenty million followers on Twitter and nearly 35,000 tweets, Donald Trump leaned into this direct line to the masses to set a new high water mark for social media ubiquity in pursuit of the White House.

Though derided by many as misguided or un-presidential, it is undeniable that Trump’s avid use of Twitter has been and continues to be effective. Indeed his prolific social media presence was a key source of the estimated $2 billion in earned media that greatly contributed to his success. And now that he is president, do his characteristic early morning, sometimes scattershot flurries of 140-character missives count as official government records? In other words, are they subject to federal document retention laws?

Continue reading “Public Records in the Age of Trump”

They Are Listening and It CAN Come Back to Haunt You

Amazon Echo

By Tyler Quillin

 

How many smart devices with voice-activation capabilities surround you at any given moment? How many times have you thought about whether they are listening to everything you’re saying, just waiting for the word “Alexa” to wake them up from their idle eavesdropping? Well, some of your concerns may soon be answered by a court in Arkansas.

In late 2016, the Bentonville Police Department in Arkansas obtained a search warrant for the recordings produced by Amazon’s “Echo” device pertaining to a bath tub murder. Echo is aptly described as an “always on” device. It continuously listens, waiting to hear the term “Alexa,” which “wakes” it up. Once awoken, Alexa will perform various tasks upon verbal request. She does everything from checking the weather or traffic, to answering trivia, to playing music through a Bluetooth connection.

Continue reading “They Are Listening and It CAN Come Back to Haunt You”

A Tale of Two Cameras

By Daniel Healow

Depending on your views about privacy and police accountability, it may be the best of times or the worst of times. Either way, it is clear that sensors, specifically cameras, have taken center stage as communities seek to objectively reconstruct confrontations between law enforcement and the public.

In what many call the “fastest technology upgrade in policing history”, body-worn cameras (BWCs) are quickly being deployed by police forces throughout the nation, inspiring widespread public support. Although a recent New York Times profile on the rollout of BWCs in Seattle highlighted the growing pains of rapidly deploying new technology, a summer survey found that 70% of Americans support BWCs becoming standard issue throughout all law enforcement. As an added bonus, the cameras appear to be increasing public accountability as well. Studies show public complaints of police misconduct down a whopping 93% in municipalities that have deployed the cameras. So the more cameras the better, right?

Continue reading “A Tale of Two Cameras”

Flying Pigs to Precede Comprehensive Federal Internet Voting Regime in United States

By Rob Philbrick

The United States Postal Service Office of Inspector General released a national report last month finding that 84% of people surveyed expect drone deliveries to occur within the next ten years. Leading the international charge, Domino’s Pizza has already launched commercial drone deliveries in New Zealand. Assuming the resolution of various U.S. regulatory and socio-technical problems, it may be commonplace by the year 2030 for items to be shipped autonomously, up in the sky. In such a future, a breakfast ruined for lack of bacon is only a short drone flight away from remedy. So, as promised: flying pigs.

However, what appears to not be on the U.S.’s technology-dependent horizon is ubiquitous nationwide online election voting. What explains this?

Continue reading “Flying Pigs to Precede Comprehensive Federal Internet Voting Regime in United States”

Game of Drones

By Jessy Nations

Sometime during the past decade or so we started taking the idea of making robots a part of our everyday lives more seriously. Naturally, we went from joking about making machines serve us by doing our menial chores, to teaching them to kill. Once our base needs for violence and subservience were satisfied, we quickly began adapting this technology for the highest, noblest, and most human of all endeavors: bothering our neighbors. Meanwhile, our local legislatures are trying to rein these nuisances in and we have to work with seemingly outdated common law theories until they’re finished.

I’m talking, of course, about small flying robots known as drones. What was once the pinnacle of modern robotics – despite being a glorified RC helicopter with a camera – is now available from the corner 711 for $30. (No seriously. I’ve almost bought one out of curiosity.)

Continue reading “Game of Drones”

EU Privacy Litigation: United States Now Filing An Amicus Brief in Facebook Case

By Jason Liu

The United States will be filing an amicus brief in the ongoing EU case between privacy activist Max Schrems and Facebook. Although not filed yet, the brief will provide vital information on the U.S.’ stance on privacy and international data transfers.

The case comes about because the Data Protection Commissioner of Ireland sought a declaratory action in the Irish High Court, alleging that Facebook was illegally transferring EU citizens’ data to the U.S. under EU law.

Past Privacy Actions in Europe

In the related pivotal case invalidating the U.S.-E.U. Safe Harbor agreement, Max Schrems, an Austrian privacy activist and attorney, brought a prior complaint with the Data Protection Commission (in Ireland) that Facebook was illegally transferring EU citizen information to the U.S. Schrems claimed that the personal data he provided to Irish Facebook servers was also transferred to the U.S.

But what is the Safe Harbor in question? EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU. The prior Safe Harbor agreement allowed U.S. companies to transfer EU citizen data to the U.S. if the U.S. government promised to protect the data.

Schrems claimed that the U.S. failed to provide legal protections against U.S. surveillance of data on U.S. servers. These claims were supported by the Edward Snowden revelations of 2013. The Snowden revelations included the NSA PRISM program that provided the U.S. government access to private industry servers of tech companies such as Google, Facebook, or Apple. Snowden also revealed surveillance of world leaders, XKeyscore (internet activity logging program), and various NSA practices used to overcome encryption and hacking methods.

Ultimately, the European Union Court of Justice (EUCJ) ruled that the Safe Harbor agreement was invalid because it provided inadequate protection for EU citizens’ data transferred to the U.S., in light of the Snowden revelations.

What is going on now?

Following the case, the Irish Data Protection Commissioner referred Schrems’ original complaint against Facebook to the Irish High Court and also the EUCJ. The current case is about Standard Contractual Clauses and the ability of tech companies to contract with EU citizens to have their data stored in U.S. servers. U.S. companies have argued the “model clauses” from template agreements provided by the EU Commission let EU member states send personal data to countries lacking “adequate levels” of protection under the 1998 Data Protection Act.

In response, Schrems stated that:

I see no way that the [EUCJ] can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see how there could be a solution.

What will be the U.S.’ amicus position?

Although unwritten, the U.S.’ amicus brief may contain stances from the U.S.-EU Privacy Shield that was recently ordered by the EU Commission. Notably, the new Privacy Shield will provide:

  • Strong obligations on companies and robust enforcement;
  • Redress options;
  • Clear safeguards and transparency obligations on U.S. government access; and
  • Annual joint review monitoring.

However, because the EU Order providing for the Privacy Shield was EU-centric, it has been difficult to discern which particular points are emphasized by the U.S. Thus, the amicus brief may be a unique opportunity to learn about the most compelling arguments of the U.S. in light of the new Privacy Shield.

Furthermore, although the amicus brief will be directed at international data transfers, it may also prove an important way to gauge how the U.S. views the domestic regulation of data. Through the Cybersecurity National Action Plan, the Obama administration has shown support for protecting privacy rights through the creation of the Federal Privacy Council.

Of course, any further insight into the U.S. treatment of consumer information is always welcome.

Image source: Pixabay