As the frequency of cyberattacks against healthcare entities increases, multiple government regulatory and enforcement agencies are actively coordinating their privacy protection and data security guidance for health technology vendors and Health Insurance Portability and Accountability Act (HIPAA) covered entities. Most recently, the Federal Trade Commission (FTC) released a web-based tool targeting mobile app developers. According to its April 5, 2016 announcement, the FTC developed the tool in collaboration with the Department of Health and Human Services’ Office of National Coordinator (ONC), Office of Civil Rights (OCR) and Food and Drug Administration (FDA).
The apparent aim of the tool is to make it easier for mobile app developers to understand when they are a HIPAA business associate, when their app or companion devices exceed the FDA’s threshold for exercising enforcement discretion for mobile medical apps, and how the FTC will regulate mobile health apps when HIPAA or FDA regulations do not apply. The tool is structured as a series of survey questions that can be answered either “yes” or “no,” yielding answers accompanied by brief legal explanations of why FTC, OCR and/or FDA jurisdiction is implicated.