FTC-HHS Seek To Help Mobile Health App Developers Assess When Certain Federal Rules Apply

December 8, 2022

Developers of mobile applications for healthcare and fitness must identify and negotiate a diverse array of federal and state laws, regulations and rulings when designing and deploying their apps.

Since figuring out which federal rules apply often proves challenging, the Federal Trade Commission (FTC) in conjunction with the HHS Office for Civil Rights (OCR), the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA) maintain and have just updated the Mobile Health App Interactive Tool intended to help developers of health-related mobile apps understand when and federal laws and regulations might apply.

While not covering all relevant legal risks, the guidance tool does highlight certain key regulatory concerns by asking developers a series of high-level questions about the nature of their app, including about its function, the data it collects, and the services it provides to users. Based on the developer’s answers to those questions, the guidance tool points the app developer toward detailed information about certain federal laws that might apply to the app. These include the FTC Act, the FTC’s Health Breach Notification Rule, the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug and Cosmetics Act (FD&C Act), and the 21st Century Cures Act and ONC Information Blocking Regulations.

Using the tool can help to clarify the potential applicability of these rules to a proposed app and help focus the developer on issues to consider regarding these laws as they design in administer their apps. Running through the tool also could help reduce legal fees and other consulting anniversary costs by helping developers of these apps gather helpful information and be more prepared to participate in informed manner when working with the legal team on their compliance. Additionally documented use of the tool could prove helpful in the event of a compliance audit or investigation by capturing evidence helpful to establish a culture of compliance or mitigate other potential liability concerns.

Of course app developers using these tools need to keep in mind that they are not legal advice or a substitute for legal advice. The tools only are intended to provide guidance regarding the potential likely application of the rules covered by the tool. They do not cover broad range of other federal and state Laws, regulations, rulings, and contractual commitments that also can impact the use and design of these apps and their defensibility and a broad range of circumstances. Moreover developers also should keep in mind that the use of the tools and their discussion may uncover existing or past compliance concerns, which might best be conducted within the protection of attorney-client privilege. Consequently, developers and users should consult and closely worked with experienced, qualified legal counsel to address these and other legal risks and compliance.

For Help With Comments, Investigations Or Other Needs

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance related concerns, contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board Certified in Labor & Employment Law by Texas Board of Legal Specialization, Ms. Stamer is recognized for work helping organizations management people, operations and risk as  a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”

For 35 years, Ms. Stamer’s work has focused on advising and assisting businesses and business leaders with these and other employment and other staffing, employee benefit, compensation, risk, performance and compliance management and other operational solutions and concerns. Her experience includes helping management both manage performance and manage legal risk and compliance.  While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, leave, and other labor and employment laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor, Department of Justice, SEC,  Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, and other federal and state regulators. Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.

NOTICE:   Terms. These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any situation or circumstances.  The author reserves the right to qualify or retract any of these statements at any time. and does not necessarily address all relevant issues. Because the law evolves and in ways that subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer.  Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


HHS’ Proposed Changes Broadening Substance Use Confidentiality Rules, Consistency With HIPAA Requirements Raise Compliance Concerns For Health Care, Insurance & Other Businesses

November 28, 2022

Mental health and other healthcare providers, health plans and issuers, employers, health care professional associations, consumer advocates, community organizations, state and local government entities, patients and caregivers and others concerned with mental health and substance abuse treatment and management should review and comment by January 30, 2023 on proposed changes to rules on unauthorized disclosures the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 CFR part 2 (“Part 2”) proposed by the U.S. Health and Human Services Department Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) in a Notice of Proposed Rulemaking (NPRM) made public November 28, 2022 here and scheduled for publication in the December 2, 2022 Federal Register. If adopted as proposed, mental health and substance abuse providers, as well as other health care providers and insurers should prepare to meet new responsibilities and manage new liabilities under the revised rules.

On November 28, 2022, OCR and SAMHSA issued the NPRM to revise the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR part 2 (“Part 2”), which seek to address concerns that concerns about discrimination or prosecution might deter people from entering treatment for SUD by protecting “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”(“SUD Records”).

Currently, the Part 2 protections of patient privacy and records concerning treatment related to substance use challenges from unauthorized disclosures differ from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules (“HIPAA”) rules.  These distinctions create barriers to information sharing by patients and among health care providers and create dual obligations and compliance challenges for regulated entities. To address this concern, Congress mandated in Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that HHS to bring Part 2 into greater alignment with certain aspects of the HIPAA Privacy rule.

The NPRM seeks to address the CARES Act mandate as Americans and their leaders struggle to continue to provide pathways for victims of substance abuse and other mental health challenges to pursue treatment and maximize their participation and enjoyment in our communities while addressing safety concerns about a growing series of rare but notorious acts of violence committed by certain inadequately diagnosed or managed victims of mental health or substance abuse.  See, e.g., Fact Sheet: President Biden To Announce Strategy To Address Our National Mental Health Crisis, As Part Of Unity Agenda In His First State Of The Union; President Biden Releases National Drug Control Strategy to Save Lives, Expand Treatment, and Disrupt Trafficking; Actions Taken by the Biden-⁠Harris Administration to Address Addiction and the Overdose Epidemic; Colorado Springs LGBT Nightclub Shooting Leaves Five Dead and 25 Injured; Virginia Walmart Shooting Gunman “Was Picking People Out,” Witness Says; Opinion: Leaders Blamed the Uvalde Shooting on a Mental Health Crisis. Gun Violence Is Making That Crisis Worse; Nancy Pelosi Husband Attack Suspect David Depape Pleads Not Guilty To Federal Charges.

Amid these challenges, the NPRM proposes to implement this CARES Act mandate through the following changes to Part 2 that HHS says will help safeguard the health and outcomes of individuals with SUD while creating greater flexibility for information sharing envisioned by Congress in its passage of Section 3221 of the CARES Act:

  • Permit Part 2 programs to use and disclose Part 2 records based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations;
  • Permit the redisclosure of Part 2 records as permitted by the HIPAA Privacy Rule by recipients that are Part 2 programs, HIPAA covered entities, and business associates, with certain exceptions;
  • Expand prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings conducted by a federal, state, or local authority against a patient, absent a court order or the consent of the patient;
  • Create two patient rights under Part 2 that align with individual rights under the HIPAA Privacy Rule:
    • Right to an accounting of disclosures; and
    • Right to request restrictions on disclosures for treatment, payment, and health care operations;
  • Require disclosures to the Secretary for enforcement;
  • Apply HIPAA and HITECH Act civil and criminal penalties to Part 2 violations;
  • Require Part 2 programs to establish a process to receive complaints of Part 2 violations;
  • Prohibit Part 2 programs from taking adverse action against patients who file complaints;
  • Prohibit Part 2 programs from requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services;
  • Apply the standards in the HITECH Act and the HIPAA Breach Notification Rule to breaches of Part 2 records by Part 2 programs;
  • Modify the Part 2 confidentiality notice requirements (“Patient Notice”) to align with the HIPAA Notice of Privacy Practices;
  • Modify the HIPAA Notice of Privacy Practices requirements for covered entities who receive or maintain Part 2 records to include a provision limiting redisclosure of Part 2 records for legal proceedings according to the Part 2 standards; and
  • Permit investigative agencies to apply for a court order to use or disclose Part 2 records after they unknowingly receive Part 2 records while investigating or prosecuting a Part 2 program, when certain preconditions are met.

While the Department is undertaking this rulemaking, the current Part 2 regulations remain in effect.  However, once the comment period ends, the Biden Administration-led HHS is expected to finalize the proposed changes quickly.  Consequently, in addition to sharing any concerns or other input about the proposed changes during the comment period, health care providers, health plans, health care clearinghouses, employers, community agencies, state and local governments, patients and other caregivers and other concerned parties also should begin planning and preparing to respond to the anticipated changes in the requirements. 

Implications For Health Care Providers, Health Insurers & Other Businesses

The NPRM’s extension of HIPAA and HIPAA-like requirements to the Part 2 substance abuse confidentiality provides clarification by adding new obligations for health care providers and others involved in substance abuse treatment or recordkeeping. Health care providers, health insurance, and others involved with these activities will need to assess and plan to meet these new responsibilities and the steps they can be expected to take to fulfill them.

Beyond these more obvious burdens, mental health and substance abuse and other health care providers and businesses also should carefully assess the potential implications of the proposed changes on their worker and vendor credentialing and workplace safety practices as well as their health and other benefit programs. Assuming the changes are adopted in their current form, businesses sponsoring health benefit programs, and health care organizations and providers specifically should prepare to modify their HIPAA required notices of privacy practices and associated practices to comply with the proposed updates.

Businesses required to comply with Department of Transportation Drug Free Workplace or other alcohol and substance abuse requirements also should consider the potential implications of the proposed changes on their ability to secure relevant substance abuse treatment and related history. In assessing these implications, businesses also should be cognizant of a new proactivity on behalf of certain uses of drugs by workers in the workplace under the Americans With Disabilities Act (“ADA”). For instance, the EEOC recently has sued Eagle Marine Services Electrical & Refrigeration, LLC for allegedly violating the ADA by refusing to hire or accommodate a worker because he used medication prescribed by his doctor to treat attention deficit hyperactivity disorder (“ADHD”) without making any individual assessment of the worker’s medication use or whether it would affect his ability to safely perform the marine electrician position, and instead relied on general stereotypes about disability and medication use to justify its decision not to hire him. Businesses seeking to investigate or deny employment opportunities to workers based on the worker’s past or current medication use will want to use care to ensure that their practices are tailored to defend against similar challenges.

Health plan sponsors and insurers also should assure their mental health and substance abuse treatment coverage documents and practices are defensible under the latest mental health and substance abuse parity mandates of the Mental Health Parity and Addiction Equity Act (MHPAEA) and coverage requirements of the Patient Protection and Affordable Care Act (“ACA”). Along with a host of statutory changes since the original parity mandates took effect, implementing regulations and guidance about non-qualitative limitations and exclusions and heightened agency enforcement are ramping up enforcement and liability risks. In addition to exposing the health plan administrators and other fiduciaries to potential claims denial or fiduciary responsibility claims brought by participants or beneficiaries, the Department of Labor or both, administrative penalties by the EBSA, or both, the MHPAEA mental health and substance abuse parity rules are among 40 federal mandates that when violated can trigger the automatic $100 per violation per day employer excise tax penalty under Internal Revenue Code Section 6039D. Consequently, violations of the MHPAEA are particularly risky and potentially expensive for private employers, their health plans and the plan administrators and fiduciaries that administer it.

For Help With Comments, Investigations Or Other Needs

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board Certified in Labor & Employment Law by Texas Board of Legal Specialization, Ms. Stamer is recognized for work helping organizations management people, operations and risk as  a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”

For 35 years, Ms. Stamer’s work has focused on advising and assisting businesses and business leaders with these and other employment and other staffing, employee benefit, compensation, risk, performance and compliance management and other operational solutions and concerns. Her experience includes helping management both manage performance and manage legal risk and compliance.  While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, leave, and other labor and employment laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor, Department of Justice, SEC,  Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, and other federal and state regulators. Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.

NOTICE:   Terms. These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any situation or circumstances.  The author reserves the right to qualify or retract any of these statements at any time. and does not necessarily address all relevant issues. Because the law evolves and in ways that subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer.  Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


%d bloggers like this: