AirStrip, Humetrix and others advise Congress on FDA, FTC, HIPAA

Jonah Comstock | Mobi Health News | July 13, 2016

At a congressional hearing on mobile medical apps today, experts from different sectors of the industry weighed in on the ways they think federal regulation needs to change to create a robust digital health industry while still protecting the safety and wellbeing of patients. The conversation spanned various regulatory bodies and federal programs including HIPAA, the FDA, the FTC, and Medicare. “The regulatory framework for most of these apps is complicated and in some cases troubling,” Nicolas Terry, a law professor at Indiana University, said in his prepared testimony. “Here, the oversimplified binary of regulation versus innovation is a poor frame. Rather, we have a current technological space that is subject to both over-regulation and under-regulation.”

Terry identified three areas as problematic in the law with regard to health apps. First, he said that the FDA’s decision to exercise enforcement discretion for certain apps doesn’t address the lack of clarity mobile innovators face. Instead, he said, it “frightens off responsible innovators while the FDA lacks the bandwidth to deal with the many industry minnows selling apps that cross the regulatory line.” Second, the FTC should make it clearer that while the FDA regulates safety, the FTC regulates effectiveness and should crack down on apps that don’t work as promised, even if they aren’t directly harmful. Finally, Terry pressed for reforms to HIPAA that reflect the changing nature of health data.

“Let’s say I use an app to access my EHR,” he said during the Q&A. “The moment that that data leaves the EHR and enters the smartphone app, there is considerable confusion as to the legal state of it. If that app was provided by the hospital or a business associate, then the HIPAA shield would be all over it. If it was not, if it was an app the patient just purchased from the app store, it’s highly likely HIPAA would not apply. So now you have two sets of identical data, one bundle is subject to the most stringent privacy laws we have in this country, the other is essentially unregulated”...