Creating effective mobile health policy requires the cooperation of several federal agencies, each of which has a measure of authority over the design, implementation, and use of mHealth devices and applications.
In alphabetical order, the first federal agency to have a say on mHealth policy is the Federal Communications Commission (FCC), which regulates interstate and international communications by radio, television, wire, satellite, and cable across the United States and its territories.
Specific to healthcare, the FCC relies on the Connect2HealthFCC task force created in 2014 to inform its role in the intersection of broadband, advanced technology, and health by identifying regulatory barriers and ways to incentivize telehealth, mobile applications, and other forms of telemedicine.
As recently as 2014, the federal agency issued regulation on Medical Body Area Network (MBAN) devices intended to give MBAN users additional flexibility for enabling the implementation of technical standards. Also in 2014, the FCC collaborated on a proposed strategy for a risk-based regulatory framework pertaining to health information technology with the Office of the National Coordinator for Health Information Technology and the Food and Drug Administration.
The FDA is second on the list of federal agencies having a share of mHealth policy-making. As a result of the Food and Drug Administration Safety and Innovation Act (FDASIA) of 2012, the FDA has authorities and increased abilities to safeguard and advance public health, which includes promoting innovation related to patient access to safe and effective mobile medical apps.
According to the federal agency, it plans to apply the same risk-based approach it uses for medical devices to regulate mobile medical apps, depending on the risk they pose to consumers. These mHealth apps meet the FDA's definition of a device when they are used as an accessory to a regulated medical device or lead to a mobile platform becoming a regulated medical device.
The FDA has provided examples of low-risk mobile medical apps that do not require premarket review applications or registration, such as self-management of chronic diseases or the ability to interact with a personal health record (PHR) or electronic health record (EHR) system.
Next in line is the Federal Trade Commission (FTC), whose work includes safeguarding consumers against fraudulent, deceptive, or unfair business practices. An important focus of the FTC is data privacy and security, which is a particularly sensitive issue in healthcare.
The federal agency has a Health Breach Notification Rule that requires online businesses to notify consumers when their electronic health information is breached. Additionally, the FTC has provided guidance to mHealth app developers with an emphasis on "reasonable" data security.
Then there is the National Institute of Standards and Technology (NIST), the leading federal voice on technology standards. The Computer Security Division is tasked with developing standards, guidelines, tests and metrics for the protection of non-national security federal IT data and services.
In 2014, NIST published its initial version of the Framework for Improving Critical Infrastructure Cybersecurity "to promote the protection of critical infrastructure." Furthermore, the institute has identified several issues impacting the use of mobile devices demonstrating their vulnerability to unauthorized access.
Lastly, the Office for Civil Rights (OCR) has an important say in mHealth policy. Chief among its responsibilities in healthcare is enforcing the rules for privacy and security pertaining to the Health Insurance Portability and Accountability Act (HIPAA). These rules give patients specific rights over how their protected health information (PHI) is used by covered entities. Breaches of these rules can lead to sizeable fines of up to $50,000 per violation, with an annual cap of $1.5 million, and other kinds of enforcement by OCR.