mHealth apps and Software as a Medical Device: Running at pace but beware the legal issues

By Alexandra Rose, Mihkel Wilding and Lydia Albright-Le Page
05 Aug 2021
Businesses should ensure that any disclosures and other statements to app users are clear, transparent and not misleading.

Technology is increasingly driving health and wellness initiatives. The rise of Software as a Medical Device (SaMD) and mobile health (mHealth) applications means that these innovations are firmly entrenched in Australians’ everyday lives. Many such apps live on our smartphones, watches, tablets and computers.

As more non-traditional market participants enter into the healthcare and wellness sector, those companies need to be keenly aware of the regulatory regimes that impact these highly regulated fields. Privacy, data, competition, consumer and therapeutic goods laws must all be navigated.

Consumer and competition issues associated with "mHealth"

The health and life sciences sector has long recognised the power of data. Set out below is a high-level survey of some of the consumer and competition issues which may arise as mHealth apps become increasingly important collectors of data for health care companies, and the source of data for commercial insights.

How mHealth apps collect and use personal data

mHealth apps collect a range of clinical, behavioural and lifestyle-related personal sensitive data through a combination of user input within the app and device, tracking functions using features of the device (eg. heart rate or step count) or from integrating information across apps (eg. logging into an app using your Google or social media account).

The types of personal data collected by mHealth apps include age, sex, past and present medical conditions, family medical history, symptoms and medication details. Personal data may also include health related user data such as fitness levels, lifestyle activities (eg. drug usage, alcohol intake, smoking habits), stress levels, sleeping and eating patterns, sexual activity, relationships and mood tracking.

Some examples of mHealth apps already available in Australia include apps to assist individuals to take their prescribed medications; patient support programs for patients with chronic health conditions such as diabetes; and fitness, meditation, period and fertility tracking apps.

Privacy isn't the only issue with mHealth apps

While the concept of mHealth apps is innovative and exciting, over the longer term the collection and use of information derived from these apps presents a range of legal and regulatory issues. Clearly, privacy and data protection issues in health arise whenever patient information is disclosed. User consents and terms and conditions need to ensure that consent is sought and disclosures are made. But other, more subtle issues may also arise under consumer and competition laws.

In 2019 an Australian study found that 79% of Android mHealth apps shared private consumer (or patient) data outside of the app to parent or other group companies, software developers, third and even fourth parties. The study found that these kinds of loose and undefined data sharing arrangements were "routine" and "far from transparent", posing a risk that health care companies could be aggregating and using data in a manner which raises issues under Australian consumer and competition laws. Another 2021 Australian study found that the majority (55%) of mHealth apps failed to meet the user data standards that were set out in their privacy policies.

Global competition law developments on technology and data collection

To date, the consumer and competition law issues outlined above reflect themes that antitrust regulators worldwide have raised in the context of the collection and use of personal user information by the large digital platforms and online retailers.

Recent and notable examples of investigations and cases by antitrust regulators in this area include:

The Australian context

As a consumer product, mHealth apps must comply with the Australian Consumer Law (ACL) including the prohibitions against false or misleading conduct, unfair contracts and unconscionable conduct. They must also comply with the Part IV prohibitions against restrictive trade practices in the Competition and Consumer Act 2010 (Cth) (CCA), such as cartel conduct being strictly unlawful regardless of its effect on competition as well as the prohibitions against conduct and information exchange or concerted practices which have a purpose or likely effect of substantially lessening competition in a market.

Other products may cross the line from being mHealth apps focused on wellness into the therapeutic goods space and therapeutic use claims, where the Therapeutic Goods Administration (TGA) is active. An active program of consultation and regulatory reform (see for example the latest July 2021 guidance) means that developers and companies who partner with or utilise technologies must be on top of the latest requirements for medical devices and especially SaMD.

Under consumer law, the collection and use of personal patient information raises often tricky issues in terms of:

  • how disclosures about the collection and use of a patient's personal information are made (especially if that information is to be used for commercial insights), and
  • how any consents to provide that information to third parties, or to "bundle" it with other information for commercial insights, are procured to comply with false or misleading conduct laws.

How and with whom information from different sources is sourced, combined and then analysed may also raise issues under competition law – for example where data from rival health care companies is being aggregated in order to provide insights for commercial means.

As a mitigation for these issues, businesses should ensure that any disclosures and other statements to app users are clear, transparent and not misleading. In this exercise it is important that the specific representation and the overall impression are not false or misleading to a reasonable person. Health care companies wishing to use patient data – for example by aggregating it with data from multiple sources for future commercial purposes – should also consider whether that use could raise competition issues.

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.