Overview of Federal Role in Mobile Health
The Federal Communications Commission (FCC) regulates interstate and international communications by radio, television, wire, satellite and cable. The FCC's jurisdiction extends to non-Federal users of spectrum in the 50 states, the District of Columbia and U.S. possessions. The FCC manages radiofrequency (RF) communications to ensure that RF devices operate efficiently and without interference. For example, it decides which frequency bands are to be used by different services; it establishes technical rules for the operation of RF devices; it authorizes RF equipment as compliant with its rules; and it authorizes users including individuals or network service providers, as appropriate. In the health care area, the FCC authorizes a wide variety of RF-based medical devices including both implanted devices (e.g., heart pacemakers) and patient monitoring devices (e.g., wireless telemetry). It also authorizes carriers whose networks are used by a wide variety of mobile devices (e.g., smartphones) to access, store or transmit health information, and it establishes technical rules used by WiFi and other similar networks.
The Food and Drug Administration (FDA) encourages further development of mobile medical applications (“apps”) that improve health care and provide consumers and health care professionals with valuable health information very quickly. The FDA has a public health responsibility to oversee the safety and effectiveness of a small subset of mobile medical applications that present a potential risk to patients if they do not work as intended. In order to balance patient safety with innovation, it is important for the FDA to provide manufacturers and developers of mobile medical applications with a clear and predictable outlines of our expectations.
Through draft guidance the FDA defined a small subset of mobile medical apps that may impact on the performance or functionality of currently regulated medical devices and as such, will require FDA oversight. The FDA held a public Workshop on Mobile Medical Applications Draft Guidance. The FDA on July 19, 2011 announced it is seeking input on its oversight approach for certain mobile applications specific to medicine or health care called mobile medical applications (“apps”) that are designed for use on smartphones and other mobile computing devices.
For more information about the FDA's role as it relates to medical devices, please visit: http://www.fda.gov/MedicalDevices/default.htm.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to give consumers the information they need to spot, stop, and report them. The FTC has long been at the forefront of consumer privacy and data security, including issues arising in the mobile and health areas. The FTC has brought more than 100 law enforcement actions challenging the privacy and data security practices of some of the world's largest companies, crafted far-reaching policy initiatives, reached out to educate consumers about protecting their privacy, and engaged industry members to inform them of their compliance obligations. For example, the FTC enforces a rule requiring certain entities to notify consumers when there has been a breach involving their electronic health information. FTC staff also recently released a report showing that according to a staff survey, neither app stores nor app developers give parents the information they need to determine what data is collected from their children, how it's being shared, or who will have access to it. For more information about consumer privacy and data security, visit the FTC's privacy page. Companies can find more about complying with the law on the Privacy & Security portal of the FTC's Business Center.
Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST measurements support the smallest of technologies—nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair—to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communication networks. The Computer Security Division, one of six divisions within NIST’s Information Technology Laboratory, is responsible for developing standards, guidelines, tests and metrics for the protection of non-national security Federal information and information systems. The CSD standards, guidelines, tests and metrics have also become leading resources for information security in the private sector.
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) is responsible for implementing and enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Privacy Rule provides individuals with specific rights with respect to their identifiable health information (called “protected health information”) when maintained by a health plan, a health care provider that engages in certain electronic transactions, and certain other entities (collectively “covered entities”). Among the individual rights provided by the HIPAA Privacy Rule are the rights to notice of the covered entity's privacy practices and to access and amend medical and billing records maintained by covered entities. The HIPAA Privacy Rule also limits how a covered entity may use or disclose the protected health information, but is balanced to allow disclosures for essential information flows, such as for treatment and payment purposes. The HIPAA Security Rule provides a framework to ensure the privacy, integrity, and availability of electronic protected health information through standards for administrative, physical, and technical safeguards. OCR enforces the HIPAA Privacy and Security Rule standards through investigation of complaints and reports of breaches and may impose civil money penalties for HIPAA violations of up to $50,000 per violation, with an annual cap of $1.5 million for multiple violations of the same standard.