
The Top 5 Legal Concerns When Developing a Healthcare App

By: Steven Boyne

Today hardly anyone lives without a smartphone, and we interact with the rest of the world through a series of apps that reside on our handheld devices. From the healthcare perspective, many large healthcare institutions and private companies have developed a myriad of healthcare-related apps that currently reside in Apple's App Store and Google's Play Store. You can measure your heart rate, get clinical advice, view your records, check on your health insurance coverage, make appointments and virtually interact with many different types of healthcare providers. But even in today's hyper-electronic society it took COVID-19 to really cause an explosion in telehealth, so what does that tell us? There is a lot more room for expanding electronic interactions with patients and clients through Apps. So, here are the top five legal concerns you should address when you develop a Healthcare App:

  1. HIPAA. It is very likely that no matter the type of healthcare app, HIPAA will be a concern. Even such a benign act as capturing an email address to allow a person to set up an account could be covered under HIPAA. There are many ways to mitigate or minimize your exposure to HIPAA, but don't rely on your App developer to make sure you are safe. The key is to map the flow of data between the end user and your company (what is collected, where it is stored, who it is transmitted to, and which third-party services or SDKs see it) and plan ahead. It is much easier to build in the appropriate protections and design your app from the beginning with the necessary HIPAA security and disclosures than to wait until you realize you may have inadvertently breached some HIPAA rule or regulation.
  2. State and Foreign Privacy Laws. Don't forget that Apps can be used from anywhere in the world, and end-users will live in or travel to many States and countries. To minimize your financial, regulatory, and legal risks you need to examine the planned type of App, where your company is based, whether you have offices in multiple locations, States or countries, and the type and volume of data that you may be providing or gathering. Other privacy concerns may come into play depending on what the user can do with the information on their screen, like forwarding it, taking a screenshot, or posting something on a social media site.
  3. Who is the End-User. At first blush it would seem an obvious question: the end-user is the person who owns the phone and has downloaded the App. Not so. What if the owner of the phone allows someone else to use their phone, and that person now has access to your patient's private and personal health records? Do you have liability? To minimize these problems, you may need to require authentication inside the App itself, separate from the phone's lock screen (for example a password, PIN, or biometric check tied to the account, and re-authentication after a period of inactivity), before the user can access their own data; or you may need to draft appropriate disclosures that the end-user must agree to when they first download the app.
  4. Sales Tax. If you are planning on marketing and selling healthcare-related items, you should be thinking about Sales Tax. For example, just because you may be based in a State where medical equipment is not subject to sales tax, or has a lower tax rate, doesn't mean that you are set. The purchaser could live in a different state, and even ship the items to a third state, so you should understand, plan for, and capture the correct information so you can collect and remit the right dollars to the appropriate taxing authorities.
  5. Understand the Healthcare Regulatory Environment. Beyond State, Federal and International privacy laws there are many regulators that have authority over healthcare. By developing an App you may be interacting with people all around the world, and you should be aware that it is quite likely that the App may expose you to regulators that you have never had to deal with before. Furthermore, even if you are already regulated, the use of an App may expand that regulator's power over you. For example, if you are regulated by the FDA and you create an App to essentially move the same business to the internet, you now have to comply with a whole new set of FDA rules. Some Apps may need to be certified by independent third parties, and other types of Apps may cause your business to become subject to the Federal Trade Commission's Rules and Regulations. In short, plan for different types of regulators and regulations.

All of this may seem overwhelming at first, but identifying your risks, mapping the flow of data, and early planning at the front end will save you lots of money and future heartache. As Benjamin Franklin said: "By failing to prepare, you are preparing to fail."