In a move sure to cause murmurs in the large and growing mobile health application industry, the Office of New York Attorney General Eric Schneiderman (OAG) has used state trade laws to extract concessions and monetary penalties from mHealth app developers, including the developer of a supposed fetal heart monitoring smartphone app.

Designed by Israel-based Matis Ltd., the app, originally marketed as “My Baby’s Beat—Baby Heart Monitor App,” is designed to register fetal heartbeat sounds using only the smartphone microphone, and to isolate and amplify those sounds.^[1] The OAG’s investigation revealed that Matis claimed that its app transformed a smartphone into a fetal heart monitor and therefore could be used to play an unborn baby’s heart rate,^[2] even though the app was not an FDA-approved fetal heart monitor.^[3]

The OAG emphasized that Matis made claims that its app functioned as a fetal stethoscope without providing sufficient evidence substantiating that the app actually plays the sound of the fetal heartbeat (as opposed to, for example, the heartbeat of the mother.)^[4]  In the OAG’s opinion, the developer had used in-app and promotional imagery, text, and categorization to characterize its app as comparable to a medical device,^[5] without making clear enough whether the developers had adequate evidence to support claims of medical reliability.^[6]

Matis had taken some precautions against false advertising liability; for instance, “My Baby’s Beat—Baby Heart Monitor App” incorporated various disclaimers and a warning to seek professional help with any medical questions or concerns.^[7]  Even so, the OAG determined that the developer had “[m]arket[ed] a Health Measurement App without substantiation of its accuracy and that it measures what it purports to measure,” which would “constitute [a] deceptive business practice[] in violation of” New York consumer protection statutes.^[8]  Under the settlement, Matis agreed to remove all references to the app’s functionality as a medical device as well as display the following disclaimer: “This app is NOT a medical device, has not been reviewed by the FDA, and is NOT intended as a replacement for medical advice of any kind. For any medical questions or concerns regarding your pregnancy and your baby’s health, please consult with your doctor/midwife.”^[9]

OAG also objected to the app’s privacy policy, which, did not disclose to users that Matis collected and stored the following information: (i) a global unique identifier of the user’s device; (ii) an internal numeric score indicating how engaged the user is with the app; (iii) the user’s feedback regarding the app (such as ratings and emails); and (iv) recordings that users share via the app.^[10] Notably, Matis stated that it would not sell or otherwise transfer data it collects from consumers to any other person or entity but may “combine users’ information with information from other users to create aggregated data”, which may be disclosed to third parties.^[11] Importantly, Matis represented that the aggregated data did not  contain any information that could be used to identify users, did not warn customers of the possibility that those third parties could use other sources of information  to “re-identify” users and associate them with private health data.^[12]

Accordingly, the State, with the counsel of Assistant Attorney General Michael Reisman (a member of OAG’s Health Bureau), charged Matis a $20,000 civil penalty.^[13]  The developer also promised to maintain enhanced consumer disclosure practices that it had developed and implemented in response to OAG’s investigations.^[14]  The app now requires affirmative consent to Matis’s privacy policy and discloses that Matis collects (i) an internal numeric score indicating how engaged the user is with the app; (ii) the user’s feedback regarding the app (such as ratings and emails); and (iii) recordings that users share via the app; however, Matis no longer collects the global unique device identifier and limits its sharing of aggregated data to only those third parties responsible for Matis’ storage, security, and internal analytics.^[15]  As part of the settlement, Matis did not admit to the OAG’s findings, though it did fully cooperate with the agency’s investigation.

Notably, the FDA has adopted a comprehensive strategy for evaluating whether certain mobile health apps meet the Food, Drug, and Cosmetic Act’s (FDCA) definition of a “device” and are therefore, subject to enforcement.  Whether the federal agency would agree with OAG in this particular case, that smartphone fetal pulse detector apps “transform[] a mobile platform into a medical device”^[16] and merit intervention is uncertain; however, the OAG’s actions demonstrate that states are willing to impose their own interpretations, separate and apart from the FDA, thereby subjecting those entering the healthcare market to multiple enforcement schemes that may not always align.  An active role for states in this realm raises the question whether states will agree with the FDA when it comes to which apps pose less risk and deserve “enforcement discretion” under the federal FDCA.^[17]

OAG’s enforcement action also highlights the potential for gaps between state and federal requirements regarding app user privacy protections.  The Federal Trade Commission (FTC) has actively pursued entities under its Section 5 authority for “unfair and deceptive” practices in the form of inadequate and/or misleading privacy policies,^[18] and has warned about what practices it views as unacceptable.  While the FTC has released guidance with respect to privacy and security practices and policies, there are no authoritative regulations dictating what standards are required. Overlapping enforcement by federal agencies (FTC and, for HIPAA-covered entities, the HHS-Office for Civil Rights) and state Attorneys General offices dramatically increases the likelihood of a conflict, and subjects mobile health app developers to uncertainty with respect to the sufficiency of their policies and practices.

State enforcement actions, such as New York’s, demonstrate that digital health companies are subject to a number of regulatory schemes and developers must be cognizant of both the federal requirements as well as independent state consumer protection laws that could potentially be implicated by their products.  Health app developers should review their privacy and security policies as well as their marketing claims to ensure that they are compliant with applicable laws and regulations.

_{[1] See Assurance of Discontinuance 2, 5, In the Matter of Matis Ltd., No. 16-101 (Feb. 13, 2017), https://ag.ny.gov/sites/default/files/matis_aod_executed.pdf.}

_{[2] Id. at 3.}

_{[3] Id. at 7.}

_{[4] Id. at 7.}

_{[5] Id. at 4–7.}

_{[6] Id. at 7.}

_{[7] Id. at 6 n.7.}

_{[8] Id. at 12.}

_{[9] Id. at 13-14.}

_{[10] Id. at 10.}

_{[11] Id. at 10.}

_{[12] Id. at 10–11.}

_{[13] Id. at 15.}

_{[14] See id. at 13–14.}

_{[15] Id. at 11.}

_{[16] “Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff” (Feb. 9, 2015), https://www.fda.gov/downloads/UCM263366.pdf.}

_{[17] See id. at 15.}

_{[18] See, e.g., FTC v. Wyndham Worldwide Corp., 799 F. 3d 236 (3d Cir. 2015).}