Doctor, Doctor, Give Me the News, I’ve Got a Bad Case of Medical App Blues: Mobile Medical Application Developers Settle with New York Attorney General

The New York Office of the Attorney General recently announced settlements with developers of three mobile health applications due to misleading claims and deficient privacy practices. As a result of these settlements, the developers and companies associated with each app were required to amend promotional claims, modify privacy policies to protect consumers, and pay civil penalties. Though the United States Food and Drug Administration has previously provided guidance on mobile medical applications, developers should take note that state law can also be a basis for enforcement action. In these cases, to our knowledge, FDA has not acted.



    • All three settlements noted that the majority of health-related apps “provide general medical reference and education or allow consumers to track their fitness or symptoms based on data they input themselves, and may promote health awareness.”


    • This description, notably, is similar to the criteria FDA provides for exercising enforcement discretion over mobile medical apps, provided in the agency’s 2015 Mobile Medical Applications Guidance.


  • Here, however, the apps at issue were part of a “narrower category of mobile applications” that “purport to measure vital signs or other indicators of health using only a smartphone’s camera and sensors, without any need for an external device and can be harmful to consumers if they provide inaccurate or misleading results.”


Advertising Claims


    • Each of these apps claimed to be able to measure heart rate through the camera and sensors of a smartphone.
        • Two of the apps suggested that they could measure a user’s heart rate during and after exercise, and another claimed that the app could measure a fetal heart rate.


      • FDA regulates medical devices that perform these functions as pulse oximeters, chest-strap heart rate monitors, and fetal cardiac monitors.


  • According to each of the three settlement agreements, none of these developers provided sufficient evidence to substantiate the claims made, and these apps had the potential to harm consumers.
      • For the exercise heart rate monitors, inaccurate results could cause a user to reach a dangerous heart rate during vigorous exercise after relying on the incorrect lower rate provided by the app.


    • The fetal heart rate monitor could provide women with false assurance that they were hearing a healthy fetal heartbeat, or to unnecessarily seek medical attention if they could not hear the fetal heartbeat.


Privacy Issues


    • The settlements pointed out a number of deficiencies in each app’s privacy practices, including:
        • Failure to require that users consent to the app’s privacy policy


        • Failure to inform users that the app had the right to collect personally identifiable information


        • A privacy policy that conferred virtually unlimited discretion on the app to disclose users’ personal information


        • Failure to disclose the risk that third parties could use “aggregated” data from the app to reidentify specific users


        • Failure to disclose to users that the personal health information collected, stored, and shared through the app may not be protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)


      • Allowing third parties to see a user’s route and data during sports activity without providing a way to deactivate this setting within the app itself (in violation of the app’s privacy policy)


  • As a result, the apps revised their privacy practices, both through updating policies and changing their handling of user information.


AGG Observations


    • Companies should be aware that state attorneys general and regulatory bodies have authority to take enforcement action against fraudulent or misleading claims about consumer products.


    • FDA is not the only regulatory body that enforces public health and consumer protection laws. The Federal Trade Commission (FTC) released an online tool in 2016 for mobile medical app developers to determine which federal laws could apply to their apps, and this tool was a cooperative effort by the Office of the National Coordinator for Health Information Technology and the Office of Civil Rights at the U.S. Department of Health & Human Services, FDA, and the FTC.


    • Even if a mobile health app is not required to comply with HIPAA, state privacy laws may apply to the way the app stores and shares data, as well as to the notice that must be given to users.


  • Including a disclosure about the limitations of a product does not prevent an app from being misleading. Disclosures should be clear, in consumer-friendly language, and prominently placed within the app interface.


To review the entire document and formatting for this alert (e.g., footnotes), please access the original below: