ONC Urges Mobile Application Security, Regulatory Adherence

App developers need to be mindful of mobile application security issues and all necessary regulatory requirements as they create new health apps.

By Elizabeth Snell

The potential legal concerns and mobile application security should be key considerations as technologists, clinicians, or even patients work on developing healthcare applications, according to Office of the National Coordinator (ONC) leaders.

Healthcare mobile application security and regulatory adherence critical for developers

To further explain how healthcare mobile apps can be designed in a secure way, the ONC has also collaborated with the Federal Trade Commission (FTC), the Food and Drug Administration (FDA) and the HHS Office for Civil Rights (OCR), to create an informative online tool.

Developers can use the website to ensure that they are properly adhering to federal requirements, according to ONC Chief Privacy Officer Lucia Savage, J.D., and ONC Senior Health Information Privacy Program Analyst Helen Caton-Peters, MSN, RN.

“This interactive tool helps guide developers through a short assessment of their app with a series of questions about the nature of the app, including its function, the data it collects, and the services it provides to its users,” the duo explained in a blog post.

A common concern from developers was that it could be difficult to know where to find the right information on which regulations would apply to their particular app.

Whether HIPAA regulations applied to a given app, for example, was a question that mobile application developers often had to investigate on their own.

“Federal laws and regulations originating with FTC, FDA and the OCR all could influence the development of a new health-related product,” Savage and Caton-Peters wrote. “And while these may not be the only applicable federal laws and regulations, they are often important requirements to consider when developing a health-related app.”

The online tool was first introduced in April 2016 and has already received over 12,000 views, the duo added.

Along with guidance on how HIPAA regulations would potentially apply to mobile applications, the tool also highlights the FTC Act, the FTC’s Health Breach Notification Rule, and the Federal Food, Drug, and Cosmetic Act (FD&C Act).

“As the number of mobile health products available today continues to rise, it’s important to clarify for developers how FDA and other agencies’ regulations would apply to their app,” Bakul Patel, associate director for digital health in the FDA’s Center for Devices and Radiological Health, said in a statement. “This effort is part of the FDA’s continued commitment to protecting patient safety while encouraging innovation in digital health.”

The guidance is maintained on the FTC website, but links directly to each agency’s information about applicable laws.

The tool also features an interactive quiz, where developers answer questions about their application to determine which laws would potentially apply. For example, if a mobile health application creates, receives, maintains, or transmits identifiable health information, then HIPAA regulations might apply.

The developer would then be moved to another question that would be more specific in how HIPAA rules would potentially come into play for that particular application.

As more mobile healthcare applications are being created, agencies are taking note that mobile application security needs to stay a top priority.

The OCR also created its own mHealth Developer Portal earlier this year, designed to provide information on mHealth privacy and security issues.

The portal also includes a scenario list to help developers understand how HIPAA applies to patient-generated health data collected through an mHealth app, and when they would need to comply with HIPAA regulations.

“Only health plans, health care clearinghouses and most health care providers are covered entities under HIPAA. If you work for one of these entities, and as part of your job you are creating an app that involves the use or disclosure of identifiable health information, the entity (and you, as a member of its workforce) must protect that information in compliance with the HIPAA Rules,” according to OCR.

As healthcare mobile application developers continue to create new designs, privacy and security issues cannot be overlooked. Taking advantage of available tools and guidelines can ensure that various federal regulations are properly adhered to and that sensitive data remains secure.
