Healthcare is in the midst of a mobile revolution, and it will only be a matter of time before mobile healthcare applications (“apps”) change how we deliver, consume, measure, and pay for healthcare. 1 The rapid pace of innovation and broad applicability of mobile healthcare applications have fueled this revolution. The healthcare mobile app market, currently estimated to be worth $4 billion, is expected to increase to $26 billion by 2017. 2

In doctors’ offices and hospitals, smartphones already are replacing stethoscopes and pagers as the most widely used physician accessory. 3 Some federal agencies even have entire programs focused on the development and promotion of medical apps. 4 For example, the U.S. Department of Defense established a National Center for Telehealth and Technology that evaluates mental health technologies for military personnel. 5 The program includes various smartphone apps, such as one that helps physicians diagnose and treat traumatic brain injuries and mental disorders by enabling users to track their emotional experiences over a certain period of time. 6

Ranging from the automation of simple tasks for healthcare providers to patient-specific analysis and diagnosis for consumers, mobile healthcare apps present numerous potential benefits and risks to consumers. 7 8

Potential benefits include the reduction of medical errors, improvement of quality care, and prevention of more serious episodes of illness. 9 Mobile healthcare apps may also benefit consumers by shifting the locus of effective care away from medical facilities and professionals and toward digitally-empowered patients. 10 However, potential risks may outweigh the benefits and are greater for the poor, uninsured, and underinsured who may use an app lacking in clinical evidence for self-diagnosis and treatment rather than pay for a doctor’s visit. The risks can range from relatively benign, such as an app claiming to relieve tooth pain that is actually clinically ineffective, to severe, such as an app storing personal health information that is hacked.

Today, a muddled assortment of different agencies—including the Food and Drug Administration (FDA), the Federal Trade Commission (FTC), and the Federal Communications Commission (FCC)—and regulations are involved in regulating the potential risks that mobile healthcare apps pose. 11 Unfortunately, most agencies “have adopted a posture of facilitating rather than regulating mobile health.” 12 For example, the FDA recently issued a non-binding guidance document delineating the types of apps that it will and will not regulate. 13 In the guidance document, the FDA clarifies that it will regulate those apps that meet the statutory definition of “device.” 14 The term “device” means “an instrument, apparatus, implement, machine, contrivance, implant … which is … intended to affect the structure or any function of the body of man or other animals.” 15

While some apps clearly do or do not meet the definition of “device,” most apps lie in a “gray” area where FDA regulation is uncertain. 16 Apps like Apple’s Health App, which allows users to store and track all of their fitness and health data and even asks for information about sexual history and partners, fall into this “gray” area of unregulated apps.

Furthermore, despite the scores of federal agencies and regulations overseeing mobile healthcare apps, no current law or regulation clearly protects the health data that apps might collect, and there are few restrictions on app developers as to the type of data they can collect and how they can monetize the data collected. 17

For example, the FCC has the authority to enforce consumer information privacy provisions and establish regulations on consumer proprietary network information (“CPNI”) or “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier.” 18 Although the CPNI regulations seem to protect location information and to prevent telecommunications companies from marketing user information, they do not apply to third-party app developers and “there are no clear rules for the disclosure of this data and often no way for consumers to control the data they reveal” when a consumer uses an app that is separate from the telecommunications carrier. 19

In addition to a lack of protective federal laws and regulations, many mobile healthcare apps lack transparent privacy policies, and it is unclear whether a consumer will be able to sue a developer for a privacy violation. 20

As of now, a malicious acquaintance or employer may be able to legally use and indefinitely store, without your consent, the personal health information stored in an app in your phone. 21 22 23

Smartphones are only becoming more and more commonplace, and the FDA estimates that 500 million smartphone users now use or will soon use at least one health care app. 24 The development of healthcare apps is progressing exponentially, but privacy regulations in this field have been left behind. A robust dialogue about privacy and mobile healthcare apps among universities, civic organizations, and citizens needs to begin. Additionally, federal interagency cooperation is necessary in order to provide consistent and meaningful regulatory oversight. Finally, at a minimum, app developers should be required to create accessible privacy policies, obtain informed consent to use consumers’ information, and inform users of holes and breaches in app cybersecurity.