Health Apps (Mobile)
Mobile health apps operate in a complex regulatory landscape where HIPAA often doesn't apply, but numerous other frameworks do. Consumer health apps face FTC enforcement, state laws, and evolving federal requirements.
Key Considerations
- Determine HIPAA applicability correctly
- Comply with the FTC Health Breach Notification Rule
- Address state health privacy laws
- Implement proper security measures
HIPAA applicability limits
Contrary to common belief, HIPAA applies only to covered entities (healthcare providers, health plans, and clearinghouses) and their business associates. Most consumer health apps—fitness trackers, meditation apps, symptom checkers—fall outside HIPAA because they are not provided by or on behalf of a covered entity. That does not mean the health data they collect is unprotected.
FTC Health Breach Notification Rule
Health apps that fall outside HIPAA may still be subject to the FTC's Health Breach Notification Rule, which requires notification of breaches involving personal health records. The FTC has explicitly clarified that this rule applies to health apps. Violations carry civil penalties, so implement breach detection and notification procedures even where HIPAA does not apply.
State health privacy laws
Washington's My Health My Data Act and similar state laws create new obligations for consumer health data: consent requirements before collection, limitations on sale of health data, data minimization requirements, and access and deletion rights. These laws often define 'health data' broadly—mood tracking, fitness metrics, and dietary information may qualify.
FDA medical device considerations
Health apps may trigger FDA medical device regulation if they diagnose, treat, or prevent disease. The FDA applies risk-based enforcement discretion, so higher-risk apps face greater scrutiny: clinical decision support, diagnostic algorithms, and therapeutic apps are the most likely to be regulated. Conduct a proper regulatory classification before launch.
Need help with health apps (mobile)?
Our attorneys have deep experience with emerging technologies and complex regulatory landscapes. Schedule a discovery call to discuss your specific situation.