Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Wed, 01 May 2024 18:36:01 -0400

Think Before You App: FTC Releases Compliance Tools for Health App Developers
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/think-before-you-app-ftc-releases-compliance-tools-for-health-app-developers
Mon, 11 Apr 2016 20:00:56 -0400

The Federal Trade Commission furthered its outreach to the mobile app developer community last week by issuing new guidance for integrating privacy and security into mobile health apps, as well as an interactive online tool for determining whether key laws apply. As referenced in Consumer Protection Bureau Director Rich’s testimony a few weeks ago, the FTC has been working with a number of other agencies to address concerns about collection, storage, and use of consumer health information in light of the proliferation of consumer-directed health technology and consumers’ engagement in this area.

To use the tool, developers answer a series of high-level questions about the nature of their app, including about its function and the data it collects. Based on the answers to those questions, the tool advises the developer about whether the FTC Act, the FTC’s Health Breach Notification Rule, HIPAA, or the Federal Food, Drug and Cosmetic Act likely applies to the app. In some cases, the tool links out to other guidance that may be relevant for the app, such as FTC’s guidance for complying with the Health Breach Notification Rule. The FTC developed the tool in conjunction with the Department of Health and Human Services’ Office of National Coordinator for Health Information Technology, Office for Civil Rights and the Food and Drug Administration.

Along with the tool, the FTC released recommended best practices for privacy and security in mobile health apps. The guidance encourages developers to minimize the information their apps collect, to limit and control access to the apps and to the data they collect, and to implement “security by design.” This health-app-specific guidance builds upon the FTC’s general guidance for mobile app developers. For those developing apps, FDA’s policies regarding whether such apps are regulated as medical devices should also be considered.

The main lesson that is underscored in all of these tools is the same: Consider the nature of the information collected and its potential use at the concept phase rather than after development is complete. All too often, as companies rush to submit apps for approval on an app store, legal compliance is an afterthought. As we have learned from the 100+ privacy and data security settlements that the FTC has released, these issues can be very difficult to cure on the back end.

FTC Holds Privacy Seminar on Health Data, Emphasizes Transparency
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ftc-holds-privacy-seminar-on-health-data-emphasizes-transparency
Mon, 12 May 2014 09:30:19 -0400

Last week, the FTC held its third and final spring privacy seminar on the implications of consumer generated and controlled health data. The seminar featured presentations by Latanya Sweeney, the FTC’s Chief Technologist, and Jared Ho, an attorney in the FTC’s Mobile Technology Unit, and a panel discussion with representatives from the Department of Health and Human Services, the Center for Democracy and Technology, and the private sector. During the two-hour seminar, the presenters and panelists recognized the benefits of health-related apps, but expressed concerns that consumers may be unaware of the apps’ information collection and transmission practices, as well as that the apps may not be covered by HIPAA. There was no consensus on the type of regulation, if any, needed.

Ms. Sweeney’s presentation, while highlighting the maxim that transparency establishes trust, documented the flow of consumer health data provided to hospitals, noting that consumer health data may flow – and often does flow – from hospitals to entities that are not covered by HIPAA. Additionally, although de-identified when sold, this information may be easily re-identified. Mr. Ho presented the results of an FTC study on the health information collected and transmitted by 12 mobile apps and two wearables. While the Commission did not review privacy policies, the study results revealed that the apps transmitted consumer health information to 76 third parties, many of which collected device information or persistent device identifiers (sometimes from multiple apps) and additional information, such as gender, zip code, and geolocation. Mr. Ho stated that there are significant health concerns when data is capable of being aggregated.

The panel, moderated by two FTC Division of Privacy and Identity Protection attorneys, featured Dr. Christopher Burrow, the Executive Vice President of Humetrix, Joseph Lorenzo Hall, Chief Technologist for the Center for Democracy and Technology, Sally Okun, Vice President for Advocacy, Policy and Patient Safety at PatientsLikeMe, and Joy Pritts, Chief Privacy Officer in the Department of Health & Human Services’ Office of the National Coordinator for Health Information Technology. The panelists spent a significant amount of time discussing the various entities covered – and not covered – by HIPAA, as well as the array of health-related websites and apps that are available to consumers. Some of the concerns raised were: (1) the potential for sensitive health information to be shared in ways consumers would not reasonably anticipate (and the inability to predict what consumers may deem “sensitive”); (2) the lack of a standard definition of “de-identified data”; (3) the potential for data re-identification; and (4) the ever-expanding definition of what constitutes “health” information.

Information on the seminar, including a transcript, is available here, and the FTC is accepting comments until June 9.
