New York AG Takes Enforcement Action Against Heart Monitoring Apps: Murmurs of Concern are Heard in mHealth App World
In a move sure to cause murmurs in the large and growing mobile health application industry, the Office of New York Attorney General Eric Schneiderman (OAG) has used state trade laws to extract concessions and monetary penalties from mHealth app developers, including the developer of a supposed fetal heart monitoring smartphone app.
Designed by Israel-based Matis Ltd., the app, originally marketed as “My Baby’s Beat—Baby Heart Monitor App,” is designed to register fetal heartbeat sounds using only the smartphone microphone, and to isolate and amplify those sounds. The OAG’s investigation revealed that Matis claimed that its app transformed a smartphone into a fetal heart monitor and therefore could be used to play an unborn baby’s heart rate, even though the app was not an FDA-approved fetal heart monitor.
The OAG emphasized that Matis made claims that its app functioned as a fetal stethoscope without providing sufficient evidence substantiating that the app actually plays the sound of the fetal heartbeat (as opposed to, for example, the heartbeat of the mother). In the OAG’s opinion, the developer had used in-app and promotional imagery, text, and categorization to characterize its app as comparable to a medical device, without making clear enough whether the developers had adequate evidence to support claims of medical reliability.
Matis had taken some precautions against false advertising liability; for instance, “My Baby’s Beat—Baby Heart Monitor App” incorporated various disclaimers and a warning to seek professional help with any medical questions or concerns. Even so, the OAG determined that the developer had “[m]arket[ed] a Health Measurement App without substantiation of its accuracy and that it measures what it purports to measure,” which would “constitute [a] deceptive business practice in violation of” New York consumer protection statutes. Under the settlement, Matis agreed to remove all references to the app’s functionality as a medical device as well as display the following disclaimer: “This app is NOT a medical device, has not been reviewed by the FDA, and is NOT intended as a replacement for medical advice of any kind. For any medical questions or concerns regarding your pregnancy and your baby’s health, please consult with your doctor/midwife.”
Notably, the FDA has adopted a comprehensive strategy for evaluating whether certain mobile health apps meet the Food, Drug, and Cosmetic Act’s (FDCA) definition of a “device” and are therefore subject to enforcement. Whether the federal agency would agree with the OAG in this particular case that smartphone fetal pulse detector apps “transform a mobile platform into a medical device” and merit intervention is uncertain; however, the OAG’s actions demonstrate that states are willing to impose their own interpretations, separate and apart from the FDA, thereby subjecting those entering the healthcare market to multiple enforcement schemes that may not always align. An active role for states in this realm raises the question of whether states will agree with the FDA when it comes to which apps pose less risk and deserve “enforcement discretion” under the federal FDCA.
OAG’s enforcement action also highlights the potential for gaps between state and federal requirements regarding app user privacy protections. The Federal Trade Commission (FTC) has actively pursued entities under its Section 5 authority for “unfair and deceptive” practices in the form of inadequate and/or misleading privacy policies, and has warned about what practices it views as unacceptable. While the FTC has released guidance with respect to privacy and security practices and policies, there are no authoritative regulations dictating what standards are required. Overlapping enforcement by federal agencies (FTC and, for HIPAA-covered entities, the HHS-Office for Civil Rights) and state Attorneys General offices dramatically increases the likelihood of a conflict, and subjects mobile health app developers to uncertainty with respect to the sufficiency of their policies and practices.
State enforcement actions, such as New York’s, demonstrate that digital health companies are subject to a number of regulatory schemes and developers must be cognizant of both the federal requirements as well as independent state consumer protection laws that could potentially be implicated by their products. Health app developers should review their privacy and security policies as well as their marketing claims to ensure that they are compliant with applicable laws and regulations.