
November 30, 2020


Federal Agencies Provide User-Friendly Guidance on Compliance with Data Privacy Laws

How federal privacy laws apply to mobile health applications has been an area of significant ambiguity. Recently, the Federal Trade Commission (FTC), the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR), the Food and Drug Administration (FDA), and the HHS Office of the National Coordinator for Health Information Technology (ONC) jointly released a user-friendly, web-based interactive tool that gives developers entering the heavily regulated mobile health industry high-level guidance on how to navigate this complex regulatory environment. As the director of the FTC Bureau of Consumer Protection noted, “Mobile App developers need clear information about the laws that apply to their health-related products.” In addition, the FTC released Best Practices Guidance for Mobile Health Developers to provide practical guidance for industry participants.

The FTC’s User-Friendly Legal/Regulatory Issue Spotting Tool

The tool, although published on the FTC’s website, addresses the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), the Federal Trade Commission Act (FTC Act), and the FTC’s Health Breach Notification Rule. The tool is a decision tree that helps developers form a preliminary understanding of whether and how these laws apply to them. By asking questions about the company itself, the application’s clients and audience, whether the application stores identifiable data, and the application’s interaction with the health care industry and patients, the tool focuses the developer on the relevant legal hurdles. Along with the decision tree, the tool includes a glossary that provides relevant definitions along with helpful links to more expansive source materials.

The FTC’s Best Practices Guidance

The FTC guidance describes business practices for mobile health developers. Overall, the guidance reiterates many industry best practices such as:

  • Only maintaining de-identified data unless identifiable information is absolutely necessary;

  • Engaging third parties who are contractually bound to implement and follow through with data security measures; and

  • Adding processes to thwart unauthorized access to client information, such as salting password hashes (mixing random data into each password before hashing it) in account information storage.

For developers who are unfamiliar with these industry practices, the guidance also provides links to data security resources from independent and government sources. The guidance further emphasizes minimizing data sharing and storage, maximizing data security for stored information, and instituting processes and points of contact on each workforce team to manage data retention and security.

Key Takeaways

The health industry is heavily regulated. In a world where direct-to-consumer technology and business-to-business enterprise solutions are growing rapidly, regulatory barriers can sometimes thwart innovation that could revolutionize the sector. The web-based tool notes, “It’s not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.” Mobile health developers should seek legal advice on the complete regulatory landscape early on. By carefully addressing compliance issues before bringing a product to market, developers can ensure that legal issues do not hamper the product’s launch or distract from its real mission: to help patients, providers, and payors be better and do better.

© 2020 Foley & Lardner LLP
National Law Review, Volume VI, Number 109

About this Author

M. Leeann Habte, Foley Lardner, Health Care Lawyer, Los Angeles
Senior Counsel

Leeann Habte is senior counsel and a health care business lawyer with Foley & Lardner LLP. A former director at UCLA and the Minnesota Department of Health, she has practical experience in developing and implementing health care data privacy and security policies and procedures, managing IT resources, and human subjects protection compliance. Ms. Habte is a member of the Health Care and Life Sciences Industry Teams and Privacy, Security & Information Management Practice. She is also a Certified Information Privacy Professional.

213.972.4679
Kush Das, Foley Lardner, Health Care Industry Lawyer, Government Enforcement Attorney
Associate

Kush Das is an associate and health care lawyer with Foley & Lardner LLP and a member of the Health Care Industry Team.

Before joining Foley, Mr. Das worked as a law clerk for a Washington, D.C. law firm focusing on government enforcement investigations and health care litigation. He was also a student-attorney for the Georgetown Law Criminal Justice Clinic, where he tried two cases to verdict in D.C. Superior Court and negotiated Deferred Prosecution Agreements and Deferred Sentencing Agreements on behalf of indigent clients. He was a...

617.502.3275