This month, the Federal Trade Commission (FTC) issued guidance on privacy and security best practices for health-related mobile apps, such as fitness apps connected with wearables, diet and weight loss apps, and health insurance portals. At the same time, the FTC unveiled an interactive tool designed to direct health app developers to federal laws and regulations that may apply to their apps. The Mobile Health Apps Interactive Tool, which is the product of collaboration among the FTC, Department of Health and Human Services’ Office of National Coordinator for Health Information Technology (ONC), Office for Civil Rights (OCR), and the Food and Drug Administration (FDA), seeks to unify guidance in a space governed by a complicated web of legal requirements. It also signals the continued focus of regulators on the protection of consumer health information in this rapidly evolving space.
The Mobile Health Apps Interactive Tool connects developers to more detailed information about potentially applicable laws and regulations based on their responses to a series of high-level questions regarding the nature of the app, how it functions, the data it collects, and the services it provides. For example, developers may be directed to certain provisions of the Health Insurance Portability and Accountability Act, the Federal Food, Drug and Cosmetics Act, the FTC Act and the FTC’s Health Breach Notification Rule. The FTC is clear, however, that the tool is “not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.”
The FTC guidance highlighted best practices for the privacy and security of health apps, which include the action items below.
1. Minimize data.
- Collect and retain consumer data only where there is a legitimate business need.
- Utilize effective de-identification where possible in order to achieve beneficial use of data while protecting consumer privacy.
- Limit risk associated with re-identification by tracking technological advancements, committing not to re-identify data, and contractually prohibiting vendors from re-identifying data.
2. Limit access and permissions.
- Employ privacy-protective default privacy settings for your app.
- Seek permission to access only the consumer information that your app really needs.
- Narrowly tailor information collection while enabling functionality by utilizing trusted user interface components instead of direct access to the application programming interface, where feasible.
3. Keep authentication in mind.
- Limit access to your data or functionality to trusted parties with a legitimate business need for access.
- Require users to select strong passwords and store passwords securely.
- Invest resources in design, testing, and implementation of authentication for user credentials.
4. Consider the mobile ecosystem.
- Conduct research and testing of a mobile platform’s security features when relying on a mobile platform to protect sensitive data.
- Understand and monitor how third party service providers are securing consumer data collected through your app.
- Ensure that third party code incorporated into your app is, and stays, secure.
5. Implement security by design.
- Incorporate data security at every stage of your app’s lifecycle: design, development, launch, and post-market.
- Foster a culture of security at your company and maintain an effective security program.
- Employ strong encryption methods for health information during storage and transmission.
- Protect your app from common security vulnerabilities, monitor new risks, and develop a plan to incorporate security updates or patches as needed.
6. Don’t reinvent the wheel.
- Take advantage of free and low-cost tools – such as software development kits (SDKs), software libraries, and cross-platform toolkits – as a cost-effective way to safeguard consumer information.
- Stay current on advancements in security and regular updates from security experts.
7. Innovate how you communicate with users.
- Use simple, clear, direct language to explain your privacy and security practices and the privacy and security features built in to your app, including through a privacy policy that is easily accessible through the app store, as well as on a website where users can view it on a larger screen.
- Do not copy and paste your privacy policy from another app; instead, ensure your privacy policy is informative and tailored to your specific app and practices.
- Update your privacy policy if your practices change.
- Obtain affirmative, express consent – outside of your app’s privacy policy and terms of use – before collecting or sharing a user’s health data.
- Inform users about sensitive or unexpected data your app will collect when they install the app and remind users again when the app begins to collect that data.
8. Don’t forget about other applicable laws.
- Consider other potentially applicable federal laws or regulations beyond those identified in the Mobile Health Apps Interactive Tool, such as the Gramm-Leach-Bliley Act’s Safeguards Rule and Privacy Rule or the Children’s Online Privacy and Protection Rule if your app collects financial data or information from children under the age of 13.
- Seek guidance on what state laws may apply to your app in light of your particular circumstances.