mHealth Laws and Regulations

Mobile health, or mHealth, is a rapidly evolving aspect of technology-enabled health care. 

Smart phones and portable monitoring sensors that transmit information to providers, as well as dedicated application software (apps) which are downloaded onto devices, are used in mHealth. Given its recent emergence into the telehealth field, policies governing the use of this technology are continually being shaped.

The Food and Drug Administration (FDA), the Federal Trade Commission (FTC), and the Federal Communication Commission (FCC) all share jurisdiction over some part of the federal regulation of mHealth.


The Federal Drug Administration (FDA) has the responsibility of regulating equipment or software intended for use in the diagnosis or treatment of a disease or other condition. With passage of the Food and Drug Administration Safety and Innovation Act in 2012, the FDA was given approval to go forward with its regulatory work on medical apps.

If a device is classified as a medical device, FDA requires registration and listing, premarket notification and/or approval, good manufacturing practices, and post-market surveillance. FDA also regulates the software used in telehealth systems. The FDA does make a distinction and provides guidance on distinguishing what is considered a medical device and what is not.

In September 2013, the FDA released guidance for the industry and FDA staff on mobile medical applications, stating that it intends to apply its oversight to those medical apps that are medical devices, and whose functionality could pose a risk to the patient’s safety if the mobile app did not function as intended.

In June 2014, the FDA released additional guidance on medical device data systems (MDDS), medical image storage devices and medical image communications devices.  This guidance stated that the FDA did not intend to enforce compliance with the regulatory controls that apply to software of the aforementioned systems and devices because they did not pose a risk to patients and due to the importance they play to advancing digital health.  While the June 2014 draft guidance is seen as “relaxing” some of the rules around devices related to mHealth, the document is only guidance provided by the FDA and does not have the force of law nor is it binding on the agency.


The Federal Trade Commission (FTC) protects consumers from unfair or deceptive acts or practices as well as false or misleading claims. Where mHealth is concerned, it has focused on the claims companies have made about the effectiveness of their devices or apps. The FTC also has jurisdiction over health data breaches when the entities involved are not HIPAA-covered entities. The FTC has already been active, taking enforcement action against several mobile health app marketers that have not met the requirements of the FTC. The FTC collaborates closely with both the FDA and FCC on areas where there is jurisdictional overlap.


The Federal Communications Commission (FCC) regulates devices that utilize electromagnetic spectrum, or broadcast devices. FCC regulates the device as a communications device, not as a medical device. With potential overlapping jurisdictions, the FCC and FDA entered into a Memorandum of Understanding, where they would collaborate with each other within the areas of their respective agencies.

In 2012, the FCC approved its mobile body area network (MBAN), which allocates an electromagnetic spectrum for personal medical devices. The allocated spectrum would be used to form a personal wireless network, within which data from numerous body sensors could be aggregated and transmitted in real time. This dedicated spectrum would allow for faster and more reliable transmission of information from patient monitoring devices to practitioner.

The rapid pace of development of this field and the wide range of applications available on the market today have also been the source of a number of legal and ethical questions regarding their use.  Questions are being raised regarding privacy protection. With the vast amount of individual health data being generated by remote monitoring and mhealth devices, determining what are actionable health data, who monitors the data, and where it gets stored are challenges that we will need to address as the field evolves. For an interesting discussion on the subject, read Ethical Issues in mHealth: What is Good Enough? on the South Central Telehealth Resource Center Website.