Last week, the New York Office of the Attorney General ("OAG") announced settlements with three mobile health application developers to resolve allegations that the companies made misleading claims and engaged in "irresponsible privacy practices." The three companies that entered into settlements are:

  • Cardiio, a U.S.-based company that sells Cardiio, an app that claims to measure heart rate;
  • Runtastic, an Austria-based company that sells Runtastic, an app that purports to measure heart rate and cardiovascular performance under stress (downloaded approximately 1 million times); and
  • Matis, an Israel-based company that sells My Baby's Beat, an app which Matis previously claimed could turn any smartphone into a fetal heart monitor, without FDA approval for such use.

With respect to Cardiio (settlement) and Runtastic (settlement), OAG alleged that both companies failed to test the accuracy of their apps under the conditions for which the apps were marketed (e.g., failed to test the product on subjects who had engaged in vigorous exercise, despite marketing the app for that purpose"). In addition, the OAG alleged that both companies' apps claimed to accurately measure heart rate after vigorous exercise while using only a smartphone camera and sensors. OAG also alleged that Cardiio's marketing practices included false endorsements. For example, Cardioo was charged with making claims that "misleadingly implied that the app was endorsed by MIT," when Cardiio's technology was based only on technology licensed from MIT and originally developed at the MIT Media Lab.

With respect to Matis (settlement), OAG alleged that the company deceived customers into using the My Baby's Beat instead of a fetal heart monitor or Doppler, even though the app was not FDA-approved for such use and the company had "never conducted ... a comparison to a fetal heart monitor, Doppler, or any other device that had been scientifically proven to amplify the sound of a fetal heartbeat."

In each settlement agreement, OAG cites various claims made by the companies on the App or Google Play Stores (including product reviews by consumers), company websites, and other promotional materials. The OAG asserted that the "net impression" conveyed to consumers about such apps by these claims were misleading and unsubstantiated. In addition, OAG alleged that each company failed to obtain FDA approval for their apps and noted in the settlements that FDA generally regulates cardiac monitors as Class II devices under 21 C.F.R. § 870.2300 and fetal cardiac monitors as Class II devices under 21 C.F.R. § 884.2600.

Under the settlements, Cardiio and Runtastic each paid $5,000 in civil penalties, and Matis paid $20,000. Further, each company is required to take the following corrective actions:

  1. Amend and correct the deceptive statements made about their apps to make them non-misleading;
  2. Provide additional information about the testing conducted on their apps (e.g. substantiation);
  3. Post clear and prominent disclaimers informing consumers that their apps are not medical devices, are not for medical use, and are not approved or cleared by the FDA; and
  4. Modify their privacy policies to better protect consumers

With respect to privacy, the companies must now require the affirmative consent to their privacy policies for these apps and disclose that they collect and share information that may be personally identifying. This includes users' GPS location, unique device identifier, and "de-identified" data that third parties may be able to use to re-identify specific users.

In addition, if the companies make any "material change" to their claims concerning the functionality of their apps, the companies must: (1) perform testing to substantiate any such claims; (2) conduct such testing using researchers qualified by training and experience to conduct such testing; and (3) secure and preserve all data, analyses, and documents regarding such testing, and make them available to the OAG upon request.

The OAG explained that the settlements follow a year-long investigation of mobile health applications, which include "more than 165,000 apps that provide general medical advice and education, allow consumers to track their fitness or symptoms based on self-reported data, and promote healthy behavior and wellness." Of these apps, the OAG appears to be focusing its enforcement on a "narrower subset of apps [that] claim to measure vital signs and other key health indicators using only a smartphone [camera and sensors, without any external device], which can be harmful to consumers if they provide inaccurate or misleading results."

Referred to as "Health Measurement Apps," the OAG expressed concern that such apps could "provide false reassurance that a consumer is healthy, which might cause [them] to forgo necessary medical treatment and thereby jeopardize [their] health." Conversely, Health Measurement Apps "can incorrectly indicate a medical issue, causing a consumer to unnecessarily seek medical treatment – sometimes from a hospital emergency room."

The OAG's risk-based approach appears to be consistent with FDA's risk-based approach for regulating general wellness products, which Congress expressly excluded from the definition of medical "device" in Section 3060 of the recently enacted 21st Century Cures Act ( read our Advisory here).

Ultimately, this settlement demonstrates that in addition to traditional regulators such as the FTC and FDA, which have taken a number of recent enforcement actions against mHealth app developers (as we've discussed here, here, and here), state consumer protection laws may also be implicated by such products. Accordingly, companies should continue to establish, implement, and execute robust quality or medical/clinical programs to support any research needed to substantiate claims made about mHealth products. And, more importantly, digital health companies should create strong promotional review committees that consistent of legal, medical, and regulatory professionals who can properly vet any advertising or promotional claims to mitigate potentially false, misleading, or deceptive claims that could trigger enforcement by regulatory agencies and prosecutors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.