Mobile Health Apps and Legal Uncertainty


By: Hannah Newman,

There’s an app for that. The influx of mobile apps has changed the way people do banking, connect over social media, and even buy groceries. They have changed industries; they have altered the way businesses advertise to customers and how they provide their services. The healthcare industry is no different.

Constant technological innovations combined with a health-conscious population has created an explosion of mobile health (mHealth) apps.[1] In 2015, more than 3 billion mHealth apps were downloaded from major app stores, according to “The 2015 mHealth App Developer Economics Study.”[2] Some apps help individuals count calories or track exercise, while others play a more substantial role in medical treatment.[3] Through laws like Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, the federal government has incentivized the healthcare industry to promote patient engagement and the access to personal health data.[4] These apps are designed for sophisticated diagnostic use and aim to facilitate physician and patient interaction and decision-making.[5] Some of the more advanced apps also “collect, store, analyze, and transfer individual health information and data previously available only through face-to-face consultations with a health care professional.”[6]

Patients and the overall health care system have benefited from the adoption of mHealth apps. These apps have provided convenient and fun ways to focus on dietary habits and fitness goals, and in return have created a more health-conscious population overall.[7] Mobile health apps improve patient engagement with their physician by promoting shared health management and chronic condition monitoring. They assist patients and caretakers in adhering to post-treatment care instructions that are essential to a successful recovery. They also allow patients to connect with support communities online that can aid in the emotional aspect of treatment and recovery. [8]

However, the health care industry has not seen widespread usage of mHealth apps due to some significant issues that concern governing regulations and privacy and security uncertainties.

Governing Regulations:

There is no single federal agency or law that governs the vast realm of mHealth apps.[9] There are two types of health apps, and this distinction affects how they are regulated. The first type is used by health care providers and is integrated with existing medical technologies.[10] They are used to assist in the delivery of care, for example to monitor and store lab or test results. The second type is used outside of the health care facility and is referred to as private apps. These include fitness apps, weight loss apps, and chronic condition monitoring apps.[11]

The FDA regulates medical devices through section 201(h) of the Food, Drug, and Cosmetic Act of 1938 and the Medical Device Amendments of 1976 to that act.[12] However, the FDA regulates only mHealth apps “whose functionality could pose a risk to a patient’s safety if the mobile app were to not function as intended.”[13] Therefore, the FDA regulation covers all of the first type of apps used by health care providers and also private apps that are intended for use in “diagnosis of diseases or other conditions in the cure, mitigation, treatment, or prevention of disease.”[14] This leaves a vast majority of health care apps that are not regulated by the FDA, thus creating valid concerns among providers.[15]

Privacy and Security:

Protection of health information has been a primary concern with the adoption of mHealth apps. Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) governs health care privacy laws.[16] HIPAA governs the transmission of electronic health records and applies to all “covered entities,” such as health care providers, health insurers, health care clearinghouses, and the business associates of such entities.[17] The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) extends HIPAA protections to those who “create, receive, or transmit” health information.[18] Therefore, health apps that are used within a hospital, or by another covered entity, are protected under HIPAA.[19] The private apps that are used by an individual consumer are not subject to HIPAA, thus leaving an immense amount of health care information unprotected.[20]

As many of these apps are unregulated or unprotected, patients and providers may be subject to serious security threats. Forbes discovered through a recent study that 84% of all cyber attacks occurred at the application level.[21] The health care industry is no different. In the past two years, 81% of health care organizations have been breached.[22] A study conducted by security vendor Arxan found that of 19 FDA approved mobile health apps tested for security, 84% of them did not address at least two of the top ten security risks—application code tampering and reverse engineering.[23] Open Web Application Security Project (OWASP) identifies the top ten most critical security risks facing organizations.[24] The security issues that can result from such risks are “theft of personal health data and tampering with data.”[25] Through reverse engineering, an app can be reprogrammed to seriously alter treatment directions or dosage.[26] Information accessed through a security breach can include sensitive health information, but also other identifiable user information. Developers often sell this material to data aggregation companies, who then sell it to other third party parties such as credit card companies and life insurance companies.[27]

In order to prevent such privacy and security issues—and ultimate liability—the governing system of laws and regulations must stay current with the quickly developing world of mobile health apps.



[1] Kevin M. Henley, Tracking the Likelihood of Liability From Health Apps, Law360 (Mar. 11, 2015, 2:58 PM),

[2] Patrick Kehoe, 2016 State of Application Security: Top Health Care Apps in Critical Condition, Security Intelligence (Jan. 12, 2016),

[3] See supra note 1.

[4] See Sandeep S. Mangalmurti et. al., Medical Malpractice Liability in the Age of Health Records, New Eng. J. Med., 2060, 2060 (Nov. 18, 2010)

[5] Id.

[6] Supra note 1.

[7] Id.

[8] David L. Scher, The Big Problem with Mobile Health Apps, Medscape (Mar. 4, 2015),

[9] David Pittman, 5 Problems with Mobile Health App Security, Medpage Today (Feb. 5, 2014),

[10] Y. Tony Yang & Ross D. Silverman, Mobile Health Applications: The Patchwork of Legal and Liability Issues Suggests Strategies to Improve Oversight, Health Affairs, 222, 222 (2014),

[11] Id.

[12] Id. at 223.

[13] Id.

[14] Id.

[15] See supra note 8.

[16] See supra note 9.

[17] Jordan Cohen & Joanne Hawana, Mobile Health Apps Continue to Make Headlines, Mintz Levin (Mar. 16, 2016),

[18] Supra note 9.

[19] See supra note 10, at 224.

[20] Id.

[21] See supra note 2.

[22] Id.

[23] Judy Mottl, Report: FDA-Approved Mobile Health Apps Pose Security Risks, FierceHealthcare (Jan. 10, 2016, 4:27 PM),

[24] See supra note 2.

[25] Supra note 23.

[26] Id.

[27] See supra note 17.

Photo Source:

Comments are closed