Please enable JavaScript to view this website.

A Bitter Pill to Swallow: Regulatory Challenges Faced by Mobile Health Startups

Mobile health apps is a growing market globally, with projection of its revenue in North America to reach over $5 billion by 2018.1


Despite this promising future, regulatory issues remain a concern for startups and investors hoping to get into this space.2  In the United States, for example, mobile health apps are regulated by the Health Insurance Portability and Accountability Act (HIPAA); the Federal Food, Drug, and Cosmetic Act (FD&C Act); the Federal Trade Commission Act (FTC Act), and the FTC’s Health Breach Notification Rule.3



HIPAA’s main goal is to “protect the privacy and security of… health information” by specifying a “series of administrative, physical, and technical safeguards for covered entities and their business associates,” and by requiring “certain entities to provide notifications of health information breaches.”4


HIPPA does not apply to all mobile companies, however, as it only applies if the company collects identifiable health information from consumers and if the company is:

  • a health care provider or health plan; or
  • developing an app on behalf of a HIPAA entity (such as hospital, doctor’s office, health insurer, or health plan’s wellness program)5


Identifiable health information covers any information that would allow the company to identify a consumer’s physical or mental health condition, future payment for provision of health care to the consumer, and can include demographic information as well as geolocation information (e.g., IP address).6


The “omnibus final rule,” which strengthened HIPAA, and went into effect on March 26, 2013, extended HIPAA compliance to “business associates,” which includes companies along the supply chain of covered entities, even if “they do not have contracts with the covered entity, and also imposes liability for actions of their subcontractors.”7  Due to the all-encompassing nature of this rule, HIPAA would likely affect the vast majority of mobile health startups hoping to get into the patient care and management space.


FD&C Act

Another regulation that mobile health startups should be concerned about is the FD&C Act, which “regulates the safety and effectiveness of medical devices, including certain mobile medical apps.”8  The FDA has clarified that it will not enforce action on all mobile health apps; rather, it will “focus its regulatory oversight on a small subset of health apps that pose a higher risk if they don’t work as intended.”9


These apps are must fit the definition of “mobile medical app,” and are intended for any of the following:

  • be used as an accessory to a regulated medical device;
  • transform a mobile platform into a regulated medical device;
  • perform a sophisticated analysis or interpret data from another medical device.10



FTC Act applies mainly to for-profit organizations, and prohibits companies from making “deceptive or misleading claims to consumers about things important to them,”11 and further prohibits “acts or practices that cause… substantial injury to consumers that they cannot avoid.”12


Further, if the company, through an app, offers health records directly to consumers, or interacts with an office that does so, but is not developing the app on behalf of a HIPAA covered entity, then the FTC’s Health Breach Notification Rule would also apply to the company.13  This rule adds an additional burden to companies by requiring them to “notify the affected consumers, the FTC, and in some cases the media following breach of unsecured personal health information.”14



Even though regulatory compliance with laws such as HIPAA is very costly especially for small companies,15 industry experts cautioned that for companies operating in the digital health space, “[compliance] has to be taken seriously and [companies] need to factor working with regulators into [their] resource plans and [their] timeline.”16  The Accenture report mentioned above also pointed out that “manag[ing] a mass of customer data that is increasing in volume by the minute” poses higher stakes for companies entering digital health space, but “if handled properly, this treasure trove of data can be a tool for creating tailored services and building consumer trust.”17  It is therefore important for startups to treat this risk as an opportunity, and have a solid privacy policy as well as procedures to address compliance issues in place, in order to secure their position as new entrants to this expanding industry.


Government agencies, perhaps recognizing the potential of mobile health, have rolled out several interactive tools for companies to navigate this complex regulatory regime.18  Hopefully, with more transparency and awareness, the cost of compliance and risk of entry will be lowered, allowing more players to enter the healthcare ecosystem and work together to deliver better healthcare to consumers.



  1. Things are Looking App, The Economist (Mar 12, 2016),  Accenture, in their 2016 digital health trend forecast, has emphasized the role that mobile platforms will play in the digital health space, especially in collecting patient data and integrating hospitals and patients with the healthcare ecosystem. ((Digital Health Technology Vision 2016, Accenture, (last visited Oct 12, 2016). 

  2. See Samuel Waxman, Behnam Dayanim, Brooke Schachner, Legal Health Isn’t Easy for Digital Health Companies, TechCrunch (Apr. 13, 2016),; Laura Entis, How Do You Regulate the Digital Health Revolution?, Fortune (July 18, 2016),; The Economist, supra note 1. 

  3. Mobile Health Apps Interactive Tool, Fed. Trade Comm’n, (last visited Oct. 12, 2016). 

  4. Id. 


  6. Id

  7. Gregory J. Millman, HIPAA Compliance Grows with New Rule, The Wall Street Journal (Apr. 11, 2013 4:35pm), 

  8. Fed. Trade Comm’n, supra note 4. 

  9. Id. 


  11. Id. 

  12. Id. 

  13. Id. 

  14. Id. 

  15. Millman, supra note 8. 

  16. Entis, supra note 3. 

  17. Accenture, supra note 2. 

  18. See Health Apps and HIPAA: OCR Publishes New Guidance for Health App Developers, Morgan Lewis (Mar. 2, 2016),; Fed. Trade Comm’n, supra note 4; Mobile Medical Applications, U.S. Food & Drug Ass’n (Feb. 9, 2015),