Legal complexities, uncertainties face mHealth app developers

Mobile health applications are affected by a patchwork of policies related to medical licensure, privacy and security protection, as well as malpractice liability--all of which must be taken under consideration by app developers, according to an article in this month's Health Affairs.

In the article, the authors examine the legal issues related to the oversight of health apps, discuss current federal regulations and suggest strategies to improve the oversight of these apps.

"The developers of private health apps will generally not be subject to medical malpractice claims, since malpractice concerns the physician-patient relationship," the article authors write. "However, developers could face their own types of liability. In addition to potential liability for violating the FDA's medical device regulations, developers of private apps are likely subject to available product liability claims including design defect, breach of warranty and failure to warn."

Malpractice claims require proof that a physician owed a duty of care to a patient and deviated from it, with the patient being injured as a result. However, according to a separate article by Zachary Landman, M.D., chief medical officer for mobile health developer Doctorbase, mHealth is a solution to the medical malpractice epidemic in this country. 

Landman believes that mHealth can reduce the "suffocating" costs of malpractice that plague our healthcare and legal systems. He makes the case that mHealth can create an environment in which "true dialogue" can occur allowing physicians and patients to connect and with improved dialogue, empowered patients and lower malpractice rates. 

Nevertheless, one area of particular importance for the use of health apps is patients' monitoring of their own health, note the Health Affairs authors. "The demand for such apps has grown substantially in recent years, particularly for chronic conditions including high blood pressure and diabetes," they point out. "The traditional physician-patient relationship--the prerequisite for malpractice liability--has been based on direct contact and care. Thus, there is no agreement as to what a doctor's liability would be if he or she injured a patient as the result of faulty or inaccurate information supplied by the patient."

In September 2013, the FDA issued its final guidance on mobile medical apps based on a risk-based regulatory framework that focuses on a "small subset" of the app market--only those apps that present the greatest risk to patients. The FDA's "tailored approach" to mobile medical apps is meant to support innovation while protecting consumer safety.

"With its recent guidance, the FDA has positioned itself well to meet future challenges related to the ongoing mHealth expansion," the authors argue. "The agency has given developers a clear idea of when their products may receive increased scrutiny, while maintaining regulatory flexibility and allowing developers to continue meeting the rising demand for health-related mobile apps."

At the end of the article, the authors recommend that the FTC "should aggressively declare and protect its own authority to oversee data security."

In a recent case, the FTC ruled that HIPAA is not a barrier to security enforcement and that entities covered under HIPAA also may be subject to security enforcement by the regulatory agency. An Atlanta-based testing laboratory that mishandled patient information filed a claim that the FTC was overstepping its statutory authority because the company was a covered entity under HIPAA. The FTC, however, disagreed, voting unanimously on Jan. 16 to reject the company's motion, stating that nothing in HIPAA or in the U.S. Department of Health and Human Services' rules negates the Commission's authority to enforce the FTC Act.

"Developers of private health apps do not have the same privacy liability incentives as healthcare providers do. However, developers have an incentive to avoid triggering scrutiny under the FTC rules, which extend to both data privacy and security safeguards," concludes the article.

Among the recommendations made by the article's authors: Apps should be password-protected for both personal use and use in the clinical setting, to ensure health information cannot be accessed merely by stealing the device on which the app has been installed, users should receive notice about the sensitivity of the data when they install the app and users should receive information about how to contact the appropriate regulatory agencies with questions or concerns.

To learn more:
- read the article in Health Affairs (full article requires subscription)