The Federal Trade Commission (FTC) is a US agency whose mandate is to enforce competition law and consumer protection. This article explains the circumstances under which you (for example, as a medical device manufacturer) must comply with the FTC's requirements, and what those requirements are.
The Lumosity case shows how drastically the FTC may act against manufacturers of medical apps.
Regulations of the FTC and other US authorities
The Federal Trade Commission (FTC) has issued a guidance document clarifying that, as a mobile medical app manufacturer, your compliance obligations go beyond the FDA's requirements. The relevant regulations include:
- the Federal Trade Commission Act (FTC Act)
- the FTC's Health Breach Notification Rule
- the Health Insurance Portability and Accountability Act (HIPAA)
- the Food, Drug & Cosmetic Act (FD&C Act) and FDA requirements such as 21 CFR Part 820, guidance documents, etc.
To help you quickly identify which of these regulations apply to you, the Federal Trade Commission has published an interactive tool.
Requirements of the Federal Trade Commission
Legal framework
As in the healthcare sector, there is a statutory level (the "Acts") and a level of agency regulations, which are published in the Code of Federal Regulations. For the Federal Trade Commission, these are the FTC Act, Title 15 (Commerce and Foreign Trade), and Title 16 (Commercial Practices).

The Federal Trade Commission's regulations apply only to for-profit organizations, which most medical device manufacturers are likely to be.
Health Breach Notification Rule
If you offer personal health records as a commercial vendor, and you do not do so under the supervision of an organization that is already subject to HIPAA, you must follow the FTC's Health Breach Notification Rule.
With this Health Breach Notification Rule, the FTC seeks to ensure consumer protection. According to the agency, any breach of the confidentiality of health data must be reported.
In another article on the Health Breach Notification Rule, we describe:
- when you have to report
- what you have to report
- in what form you have to report
- to whom you have to report
Best practices for medical app manufacturers
A guidance document from the Federal Trade Commission (FTC) recommends that medical app manufacturers follow these best practices:
- Data minimization
  - Collect as little data as possible
  - Collect data in anonymized or pseudonymized form where possible
- Access restrictions
  - Grant minimal access rights
  - Make use of the access-control options the operating system provides
  - Choose secure default settings
- Authentication
  - Ensure that access credentials are assigned appropriately
  - Use and require strong passwords
  - Store passwords securely
- Ecosystem
  - Do not place unnecessary trust in the platform
  - Be careful with third-party providers
  - Be careful when using OTS (off-the-shelf) software
- Secure design
  - Establish a safety-conscious organization
  - Consider IT security at every step of the app's life cycle (development, programming, marketing, etc.)
  - Use strong encryption
  - Stay up to date, e.g., on new forms of attack and newly discovered security problems
  - Don't reinvent the wheel
  - Consult sources on security issues
- Communicate with users
  - Define how you will communicate in the event of IT security and/or confidentiality breaches
  - Publish your privacy policy in an understandable form
  - Inform users about the security-related features of the product
- Follow the rules
  - The rules listed above
  - The rules specific to individual US states
  - The Federal Trade Commission's tips on apps in general