I found this HHS Interactive Tool on the FTC website here.

I used this tool thinking of a few pharma mHealth apps I have seen.

The questions and my answers:

1. Do you create, receive, maintain, or transmit identifiable health information?

YES – I have seen a few pharma mHealth apps that collect & transmit such information. See, for example: “An Analysis of Genentech’s 4HER Mobile Health App Privacy Policy.”

2. Are you a health care provider or health plan?


3. Do consumers need a prescription to access your app?

YES – I have seen one or two pharma mHealth apps that require a prescription before they can be used.

4. Are you developing this app on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)?


5. Is your app intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease?

NO – Although I have come across a couple of pharma apps that meet this criterion. See, for example, “Janssen’s Psoriasis iPhone App.” Some Rx drug branded pharma apps are labeled “Treatment Guide.” See, for example, “A Rare Rx Drug Branded Mobile App for Patients.”

If you answer YES to this question, the following federal laws may apply: The HIPAA Privacy Rule, The HIPAA Security Rule, The HIPAA Breach Notification Rule

6. Does your app pose “minimal risk” to a user? According to the FDA, “minimal risk” apps are those that are only intended for one or more of the following:

  • helping users self-manage their disease or condition without providing specific treatment suggestions;
  • providing users with simple tools to organize and track their health information;
  • providing easy access to information related to health conditions or treatments;
  • helping users document, show or communicate potential medical conditions to health care providers;
  • automating simple tasks for health care providers;
  • enabling users or providers to interact with Personal Health Records (PHR) or Electronic Health Record (EHR) systems; and
  • transferring, storing, converting format or displaying medical device data, as defined by the FDA’s Medical Device Data Systems regulations.

YES – I think most pharma mHealth apps pose a minimal risk to users.

7. Is your app a “mobile medical app?” A “mobile medical app” is one that is intended for any of the following:

  • use as an accessory to a regulated medical device (for example, an app that alters the function or settings of an infusion pump)
  • transforming a mobile platform into a regulated medical device (for example, an app that uses an attachment to the mobile platform to measure blood glucose levels)
  • performing sophisticated analysis or interpreting data from another medical device (for example, an app that uses consumer-specific parameters and creates a dosage plan for radiation therapy)

NO – Although there is some controversy over how the FDA defines “mobile medical app.” See here.

8. Are you a nonprofit organization?

NO – The tool responds: “It’s likely that the FTC Act applies.” I’m not sure, but I assume this rule only applies for branded apps. Better call Saul!

9. Are you developing this app as or on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer, or health plan’s wellness program)?


10. Do you offer health records directly to consumers (or do you interact with or offer services to someone who does)?


If you have developed a pharma mHealth app, you might want to use this tool and check it against what your medical/legal department has advised.