There is no doubt that technology is the way of the future in the healthcare space. From calorie-counting and fitness apps to digital pharmacists and the ever-popular EPIC electronic health record (EHR) software (read: MyChart), healthcare technology is moving away from analog and swiftly toward digital solutions. According to some figures, there are 165,000 health-related apps in the Apple App Store and Google Play Store, and it's estimated that by the end of 2017 those apps will have been downloaded 1.7 billion times, leading to a predicted $21.5 billion in revenue in 2018.

But moving toward an all-digital landscape of healthcare solutions (now called m-health) presents its own unique challenges – namely patient confidentiality, security and compliance in a day and age where hacking is commonplace and devices (not people) are all too often doling out recommendations and diagnoses.

At Oak City Labs, we work with clients in the healthcare space and know the importance of software compliance. Today, we’re providing an introduction to the two main types of compliance you should be aware of as you begin the process of building a mobile app or web app in the healthcare space.

FDA Compliance

First, is your mobile or web app considered a medical device? Just because your app relates to the health field doesn't necessarily mean that it is considered a medical device. The FDA provides thorough documentation on its website of what it considers a mobile medical app.

If your app functions as a medical device, an accessory to a medical device or if it intends to diagnose, treat or prevent an ailment, then it will likely be regulated by the FDA. Earlier this year, the FDA announced sweeping changes to how mobile medical devices will be regulated. This article does a great job at outlining the details, but details are still unfolding.

There are three types or tiers of regulation on medical devices (including mobile medical apps) by the FDA: Class I, Class II and Class III. Beginning at the bottom, Class I medical devices are low risk and are considered non-invasive to patients. Class II devices pose a moderate risk to patients and/or are invasive in the short term. Class III devices pose the greatest risk to patients and are typically invasive or life-sustaining. The premarket path scales with the class: most Class I devices are exempt from premarket review and only need to follow general controls (registration, listing, quality system and labeling requirements); most Class II devices must clear a 510(k) premarket notification showing they are substantially equivalent to a device already on the market; and Class III devices must go through the far more demanding premarket approval (PMA) process, which requires clinical evidence of safety and effectiveness, before they see the light of day.

One thing to keep in mind with the FDA — the review and approval process is incredibly long and drawn out (admittedly something the new regulations announced back in July are trying to address). In fact, when asked if the Apple Watch would make a bigger play in the health space, Tim Cook said he was leery of the Watch becoming a “regulated, health product” due to the long review and lead time required by the FDA and the ways it would hold Apple back from innovation.

HIPAA Compliance

If your mobile app collects, stores or transfers any type of personal patient information, read on, because it's likely that HIPAA compliance is something you should be aware of. Even if your app isn't considered a medical device, it still may need to follow HIPAA rules. For instance, EPIC, the prominent electronic health record (EHR) software, is not considered a medical device (and therefore not regulated by the FDA), but it is subject to HIPAA.

Introduced in 1996, HIPAA stands for Health Insurance Portability and Accountability Act and it covers protected health information (PHI) privacy and security.

The Privacy Rule defines what counts as PHI: individually identifiable health information, meaning health, treatment or payment data tied to identifiers such as your name, address and Social Security number, billing information, biometric identifiers like fingerprints, names of relatives, test results or scans, and more. If your app stores or transmits any type of PHI, it is likely subject to HIPAA.

Under HIPAA, you're considered either a “covered entity” (healthcare provider, health plan or healthcare clearinghouse) or a “business associate” (a vendor, such as an app developer or hosting provider, that creates, receives, stores or transmits PHI on a covered entity's behalf, normally under a written business associate agreement). Both covered entities and business associates are required to comply with HIPAA, and both can be fined in the event of noncompliance. Ignorance is not an accepted excuse, and the fines levied are hefty – ranging from $100 to $50,000 for just a single violation.

Now that we know what is covered under HIPAA and who must comply, let's talk about security. The Security Rule requires three kinds of safeguards for electronic PHI: administrative safeguards (have a privacy/security officer, review policies and procedures, conduct risk analysis, go through training and more), technical safeguards (automatic logoff, unique user authentication, audit logging, encryption in transit and at rest, and more) and physical safeguards (facility security, workstation security, access control and validation, device and media disposal, and more).

It's important to think through these details from every angle of your app – what push notifications and emails reveal, what shows on a lock screen preview, whether a session stays logged in indefinitely, and what to do in the event that a device (such as a phone) is lost or stolen.
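To make two of those technical safeguards concrete, here is an added example (not code from the original post or from Oak City Labs) sketching, server-side in Python, how an app can keep PHI out of push notifications and lock screens and how it can enforce automatic logoff. The push payload handed to the notification service carries only an opaque reference and generic text; the client exchanges the reference for the real content over its authenticated session. The session store expires sessions after an idle period and an absolute lifetime, and can revoke every session for a user whose phone was lost. The field names, timeouts and message text are assumptions for illustration, and the clock is injectable so the timeouts can be exercised without sleeping.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Assumed list of PHI field names for this illustration; a real app would
# derive it from its own data model.
PHI_FIELDS = {"patient_name", "dob", "mrn", "diagnosis", "test_result"}


def build_push_payload(event: dict) -> tuple[dict, str]:
    """Build the payload handed to the push service for an event containing PHI.

    Only an unguessable reference and generic wording leave the server; the
    caller stores `event` under `ref` so the app can fetch it after it has
    authenticated.  Returns (payload, ref).
    """
    ref = secrets.token_urlsafe(16)
    payload = {
        "ref": ref,
        "title": "New message from your care team",
        "body": "Open the app to view it.",
    }
    return payload, ref


def payload_is_phi_free(payload: dict, event: dict) -> bool:
    """Guard to run before sending: no PHI keys, and no PHI value copied into text."""
    if set(payload) & PHI_FIELDS:
        return False
    phi_values = {str(event[k]) for k in PHI_FIELDS & set(event) if str(event[k])}
    texts = [str(v) for v in payload.values()]
    return not any(pv in text for pv in phi_values for text in texts)


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """Automatic logoff: idle timeout plus an absolute session lifetime."""

    def __init__(self, idle_timeout: float = 15 * 60, max_lifetime: float = 12 * 3600,
                 clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.clock = clock
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable bearer token
        now = self.clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def touch(self, token: str) -> bool:
        """Called on every request; returns True only if the session is still valid.

        An expired session is deleted, so the token cannot be replayed later.
        """
        s = self._sessions.get(token)
        if s is None:
            return False
        now = self.clock()
        if now - s.last_seen > self.idle_timeout or now - s.created_at > self.max_lifetime:
            del self._sessions[token]
            return False
        s.last_seen = now
        return True

    def revoke_user(self, user_id: str) -> int:
        """Lost or stolen device: kill every session for the user, server side."""
        dead = [t for t, s in self._sessions.items() if s.user_id == user_id]
        for t in dead:
            del self._sessions[t]
        return len(dead)


if __name__ == "__main__":
    # Constructed sample event; not real patient data.
    event = {"patient_name": "Jane Roe", "mrn": "12345", "test_result": "positive"}
    payload, ref = build_push_payload(event)
    print(payload, payload_is_phi_free(payload, event))

    store = SessionStore(idle_timeout=60)
    token = store.create("user-1")
    print(store.touch(token), store.revoke_user("user-1"), store.touch(token))
```

The pattern generalises: anything that leaves the server through a channel you do not control (push services, email, SMS, OS-level previews) should carry a reference, not the record, and the reference should be worthless without an authenticated, non-expired session.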

The above details on FDA and HIPAA compliance are just a small glimpse into both worlds. If you are thinking about creating a mobile medical app or entering the digital health space, be sure to thoroughly research compliance requirements before you begin building out your product. Not sure where to start? Oak City Labs would love to help! Drop us a note.