Mobile health tools, developers need better data protection guidance, attorney Jennifer Geetter says

In April, three government agencies came together to create an online tool that helps developers navigate all the federal regulations that could impact the devices and apps they create.

The tool--created by the Federal Trade Commission, the U.S. Food and Drug Administration and the Office of the National Coordinator for Health IT--queries developers about the functionality of their apps and what information their devices will collect. It then funnels information based on relevant rules from the three agencies, FierceMobileHealthcare previously reported.

To learn more about the need for such mHealth development tools, FierceMobileHealthcare spoke with Jennifer Geetter, a health attorney at McDermott Will & Emery. To fulfill the promise of digital health, Geetter says, "the public needs to have confidence that entrepreneurs take data privacy and security seriously." 

The agencies' tool is useful for developers in that it helps them to get a sense of the particular federal privacy and security laws that will govern their products, she says. However, she adds that any company will need a more formal legal analysis before it finalizes how to market its products. By doing so, developers can make sure to incorporate specific required features and functionalities into the lifecycle of the app or device.

Meeting the legal privacy and security requirements applicable to a product is the start of the process, not the end, Geetter says. Successful digital health companies want to build public trust that the data entrusted to them is being used responsibly, transparently and in ways that are consistent with public expectations and achieving important goals.

In addition to the tool, Geetter discusses the role of government agencies in mHealth security oversight, tips for providers when it comes to the tools and HIPAA's role.

FierceMobileHealthcare: Do mHealth data security and user privacy issues require attention from both federal agencies and the private sector?

Geetter: This will have to be an iterative partnership between government, the private sector, advocates, researchers and other stakeholders.

It also cannot be a conversation about privacy and security alone. Privacy and security must be evaluated side by side with the important work that can be achieved by data sharing and the public demand for data-driven tools. An exclusive focus on privacy and security doesn't account for the fact that safeguards can, understandably, restrict data sharing.

We must think about data stewardship--balancing privacy, security and use and disclosure--to come up with a comprehensive and balanced approach to our digital age.   

FMH: Any tips for providers developing mobile health apps?

Geetter: Know your needs. Digital health tools can be instrumental in engaging with patients, developing electronic data warehouses and other data repositories. Mobile health tools should be implemented consistently with the overall health IT framework and with the ultimate user in mind to ensure that a particular solution can be used effectively. In addition, developing a comprehensive future use strategy for collected data can help institutional providers participate in the secondary data economy.

Institutional providers should also consider whether a particular digital health solution will be HIPAA regulated to assign responsibility for particular privacy and security safeguards.

Purchasers should look for digital health tools that are "respectfully disruptive." Being disruptive can be constructive when digital health tools break down traditional modes of doing things that are inefficient, inconsistent with a patient/consumer-centered approach, or inadequate to respond to the cost-control and quality-improvement imperatives. But, when a company offers a disruptive innovation, it can do so with respect for long-standing healthcare ethical norms and consistent with existing legal requirements. Solutions that innovate but do so in ways that avoid presenting institutional providers with questionable regulatory choices bring immediate value.

FMH: Where does HIPAA factor in right now with mHealth apps?

Geetter: At the poles, the analysis of when a tool is HIPAA-regulated will be straightforward. But many digital health tools are deployed through innovative commercial channels with consumer- and provider-facing dimensions. An assessment of whether HIPAA governs these types of solutions will require a more nuanced analysis.

Even when HIPAA does not control, the FTC's privacy and security requirements may attach and the FTC is serious about privacy/security as a consumer protection issue.   

FMH: Do healthcare organizations truly understand the security landscape?

Geetter: The digital health marketplace is expanding and dynamic. Some digital health companies are long-standing health/life science stakeholders with a more developed understanding of the relevant legal requirements and stakeholder expectations. Other companies bring their considerable engineering, programming and data-related expertise, but are newer to health and may be surprised at first about the many particular privacy/security requirements for health data.

For example, under a number of laws, an individual is a "human subject" in a research study if his/her identifiable data is used in that study, even absent interaction with the individual. Research can encompass the development of new products to confirm that the products are safe or effective or to develop the evidence necessary to substantiate commercial claims by a company.

These are rules that are very learnable, and with a little bit of effort, companies can develop more routine processes to effectively marry healthcare regulatory requirements with innovation.

Editor's Note: This interview has been edited for clarity and length.