Mobile Health (mHealth) Applications in Telehealth

Mobile health (mHealth) applications represent a distinct and rapidly expanding category within the broader telehealth ecosystem, defined by the use of mobile devices — smartphones, tablets, and wearables — to deliver or support health services and information. This page covers the regulatory classification, technical mechanisms, clinical use cases, and classification boundaries that distinguish mHealth apps from other digital health tools. Understanding where mHealth fits within the telehealth regulatory framework in the United States is essential for clinicians, health system administrators, and policymakers navigating compliance obligations.

Definition and Scope

The U.S. Food and Drug Administration (FDA) defines mobile medical applications (MMAs) as software programs that run on mobile platforms and either meet the definition of a medical device under Section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act), or are accessories to a regulated medical device (FDA Mobile Medical Applications Guidance, 2015, updated 2019). This regulatory definition is narrower than colloquial use of "mHealth app," which encompasses a broader landscape including wellness tools, appointment scheduling software, and patient education platforms that fall outside FDA device jurisdiction.

The World Health Organization classifies mHealth as a component of electronic health (eHealth), identifying 12 categories of mHealth services in its mHealth: New Horizons for Health Through Mobile Technologies report, ranging from health call centers to mobile telemedicine. For US regulatory purposes, the critical classification axis runs between:

• FDA-regulated software as a medical device (SaMD): Apps that diagnose, treat, cure, mitigate, or prevent disease — subject to premarket review requirements.
• Non-device health IT: Apps providing general wellness, administrative functions, or Electronic Health Record (EHR) access — generally outside FDA device oversight under the 21st Century Cures Act (Pub. L. 114-255).

The Federal Trade Commission (FTC) holds jurisdiction over privacy and data security practices for consumer-facing mHealth apps that fall outside HIPAA-covered entity relationships, as articulated in the FTC Health Breach Notification Rule (16 CFR Part 318).

How It Works

mHealth applications operate across three functional layers that determine their regulatory and clinical positioning:

1. Data acquisition layer: The app collects health data either through device sensors (accelerometer, GPS, camera, microphone), Bluetooth-connected peripherals (pulse oximeters, glucometers, blood pressure cuffs), or direct patient input through structured forms and symptom trackers.

2. Data processing and transmission layer: Collected data is processed locally on the device, transmitted to a cloud server, or pushed directly to an EHR via HL7 FHIR APIs. The 21st Century Cures Act mandates that certified health IT support FHIR-based application programming interfaces to enable patient data access, administered through the Office of the National Coordinator for Health Information Technology (ONC).

3. Clinical or consumer action layer: Processed data surfaces as alerts, recommendations, visualizations, or structured reports accessible to patients, caregivers, or clinicians. When this layer triggers clinical decision logic, FDA SaMD classification thresholds may apply depending on the severity of the target condition and the app's role in the care pathway.

Apps integrated into remote patient monitoring (RPM) workflows, described further in remote patient monitoring overview, transmit physiologic data to supervising clinicians under billing codes such as CPT 99453, 99454, 99457, and 99458 (CMS Medicare Physician Fee Schedule).

HIPAA obligations attach when a covered entity or business associate deploys the app or handles the resulting protected health information (PHI). The telehealth HIPAA compliance requirements framework governs data handling in those contexts.

Common Scenarios

mHealth applications appear across four primary clinical deployment patterns:

Chronic disease self-management: Patients with diabetes use FDA-cleared continuous glucose monitor (CGM) apps — such as those receiving De Novo or 510(k) clearance — to track glucose trends and share data with endocrinologists. This intersects directly with telehealth diabetes management workflows. Similarly, cardiac arrhythmia detection apps cleared under FDA's 510(k) pathway feed into telehealth cardiology and remote monitoring programs.

Behavioral health support: Mental health apps range from unregulated mood-tracking tools to FDA-regulated prescription digital therapeutics (PDTs). The first FDA-authorized PDT for substance use disorder, authorized in 2017, established a category now governed under the De Novo classification pathway. These tools intersect with telehealth mental health and behavioral services delivery.

Acute symptom triage: Consumer-facing symptom checkers and on-demand video visit launchers support telehealth urgent care services. These are generally non-device health IT unless the triage algorithm meets diagnostic thresholds.

Store-and-forward image capture: Dermatology apps capture skin lesion images for asynchronous review, a workflow detailed in store-and-forward telehealth. Image quality and metadata standards affect diagnostic validity in these pathways.

Decision Boundaries

Distinguishing regulated from non-regulated mHealth tools requires applying the FDA's risk-based framework alongside four classification questions:

1. Intended use: Does the app claim to diagnose, treat, or mitigate a specific disease or condition? Affirmative claims trigger SaMD review thresholds.
2. Significance of information: Does the app's output directly drive clinical management decisions? Higher-significance outputs face stricter scrutiny under the FDA's Digital Health Center of Excellence review criteria.
3. State of the patient: Apps used for serious or life-threatening conditions face higher regulatory scrutiny than those supporting non-serious conditions.
4. User population: Prescription-only Digital Therapeutics (PDTs) carry different access pathways than direct-to-consumer wellness apps.

A contrast with wearable devices and telehealth is instructive: a wearable hardware device generating ECG data and the companion app processing that data may each require separate FDA evaluations under distinct device classifications — the hardware as a physical device, the app as SaMD.

State law adds another classification layer. Forty-two states have enacted telehealth parity laws as of the most recent National Conference of State Legislatures tracking (NCSL Telehealth Policy), but parity provisions vary in whether they apply to asynchronous mHealth-mediated encounters versus synchronous video visits. State telehealth laws and policies provides jurisdiction-specific detail on coverage applicability.

Apps facilitating prescribing must comply with federal and state prescribing restrictions. Controlled substance prescribing via telehealth-connected apps remains subject to DEA registration requirements and the Ryan Haight Online Pharmacy Consumer Protection Act, addressed in DEA telemedicine prescribing regulations.

References

• FDA Mobile Medical Applications Guidance (2019) — U.S. Food and Drug Administration
• FDA Digital Health Center of Excellence — U.S. Food and Drug Administration
• FTC Health Breach Notification Rule, 16 CFR Part 318 — Federal Trade Commission
• ONC 21st Century Cures Act Final Rule — Interoperability and Information Blocking — Office of the National Coordinator for Health Information Technology
• CMS Medicare Physician Fee Schedule — Remote Patient Monitoring Codes — Centers for Medicare & Medicaid Services
• WHO mHealth: New Horizons for Health Through Mobile Technologies (2011) — World Health Organization
• NCSL Telehealth Policy Tracking — National Conference of State Legislatures
• 21st Century Cures Act, Pub. L. 114-255 — U.S. Congress