mHealth Apps: A Guide to HIPAA, FDA Approvals, and Certifications
Author: Jennifer Bishop
Mobile health apps have the potential to make doctors more efficient and reduce the cost of health care. In addition, these apps can increase patient satisfaction and understanding, while empowering them to take charge of their own health. No wonder there are more than 40,000 mobile health apps currently available, with new, exciting apps launched every day. When creating an app for the mobile health space, there are a plethora of rules and regulations that determine how your app handles data privacy and security. All these rules and regulations can have a chilling effect on innovation in the mHealth space. The goal of this post is to point out some of the key regulations that app developers need to keep in mind when developing medical apps.
HIPAA and HITECH
There are two major laws that relate to health information privacy that must be followed when developing mobile health apps. The first is HIPAA. The Health Insurance Portability Accountability Act (HIPAA) has been around since 1996 and is well understood by the medical community. The second is HITECH, which stands for Heath Information Technology for Economic and Clinical Health, and was signed into law in 2009. HITECH adds on to HIPAA regulations. Medical app developers should be familiar with HIPAA and HITECH to ensure their apps are compliant with all the necessary rules and regulations. Is your app subject to HIPAA? Not every medical app is:
- HIPAA only applies to covered entities (health care providers, health plans, and health care clearing houses). Therefore, if you can avoid data sharing with covered entities, there are far fewer rules.
- HIPAA only applies to health related data.
Adam Greene’s MobiHealthNews article, When HIPAA Applies to Mobile Applications, goes into greater detail on this topic. If your app is subject to HIPAA, here are some things to keep in mind:
- Encrypt your data at every point in the process.
- Email is generally not HIPAA compliant. Data needs to be encrypted at all times, and many email systems don’t have this ability. There are HIPAA compliant email solutions, but you need to make sure you are using one of them.
- Keep health information out of notifications you use in your app. Notifications can pop up even if a phone is locked, and this violates the expectation of privacy that HIPAA requires.
- To have encryption on for iPhones, you need to have a lock code set. Therefore, users of your app need to be required to have a passcode.
There are many other details to consider when creating a HIPAA compliant app. The Department of Health and Human Services has provided a comprehensive list here: Security Standards: Technical Safeguards As for HITECH, HITECH doesn’t replace HIPAA, rather it adds greater fines and penalties for non-compliance. It also requires notification in the event of a privacy breach. In general, if you are following HIPAA, you will be following HITECH as well.
FDA Approval Process
When creating a mobile health app, you also need to consider whether your app needs FDA approval. The first step is to determine if your app could be considered a medical device. The FDA defines a medical device as: “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:
- recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
- intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
- intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.”
For details, see: FDA: Classify Your Medical Device - Is the Product a Medical Device?
If your app could be considered a medical device, the next step is to determine if it is a Class I, Class II, or Class III medical device. A Class I device is considered low to moderate risk and is subject to general controls only. A Class II device is considered moderate to high risk, and is subject to general controls and special controls. General controls relate to items such as misbranding and misleading labeling. Special controls are device specific, and include items such as performance standards, post market analysis, and patient registries. A Class III device is considered high risk, and can be subject to a premarket approval (see below for more details on this). For a description of requirements by class, see: FDA: Regulatory Controls. Classification is determined based on the intended use of the device, as well as the indicated use of the device. The FDA has a product classification that you can search to see what the class for your device would be: FDA: Product Classification.
Premarket Notification (510k) vs. Premarket approval (PMA)
Any class of device can be subject to Premarket Notification (510k), so you need to check if your device is exempt from this requirement. The product classification database includes this information (submission type will be listed as 510(k)). “A 510(k) is a premarket submission made to FDA to demonstrate that the device to be marketed is at least as safe and effective, that is, substantially equivalent, to a legally marketed device (21 CFR 807.92(a)(3)) that is not subject to PMA. Submitters must compare their device to one or more similar legally marketed devices and make and support their substantial equivalency claims.” Premarket Approval (PMA) are only required for certain Class III medical devices. The product classification database for Class III devices will list PMA as submission type if a PMA is required. According to the FDA “PMA approval is based on a determination by FDA that the PMA contains sufficient valid scientific evidence to assure that the device is safe and effective for its intended use(s). An approved PMA is, in effect, a private license granting the applicant (or owner) permission to market the device. The PMA owner, however, can authorize use of its data by another.”
FDA’s Role in mHealth
The FDA’s guidance for mobile medical apps, revised in Feburary 2015, details how the FDA applies its regulatory authority to mHealth apps. The FDA defines a mobile medical app as an app that is used as an accessory to a regulated medical device, or transforms a medical device into a regulated medical device. The FDA does not regulate wellness apps, but some wellness apps walk a fine line between wellness and apps the FDA may consider a medical device. For example, on May 21st, 2013, The FDA sent an official warning letter to Biosense Technologies Private Limited in regards to their uChek Urine Analyzer. If your app is likely to interpret medical data in any way, the safe bet is to be prepared to get FDA approval. As an example, EPI Mobile Health solutions developed an ECG device to be used with a mobile phone. The FDA required a 510(k) prior to allowing the import of the device. Rules and regulations in the mobile health space are changing rapidly. Since the FDA has not yet published their final guidelines, keep an eye on this space for new developments.
Finally, what about certifications? This may well turn out to be the easiest way to make sure your mobile health app is compliant with all the relevant rules and regulations. Happtique has started offering this service (right now they only are certifying Medical Education and Nursing apps). While Happtique developed their standards with key organizations such as the Healthcare Information and Management Systems Society (HIMSS) and the FDA, these organizations have not formally endorsed Happtique or advocated app developers to obtain this certification. It is uncertain if this will become the industry standard or not. We recommend waiting on the FDA guidelines to see if that sheds any more light on what certifications are valuable.
When developing a mHealth app, there are many rules and regulations to consider during development. These include HIPAA and HITECH for data privacy. If the mHealth app can be considered a medical device, become familiar with the FDA process. Certifications may be the future of mHealth apps, but this is still a very new space.