Health Tech Compliance

Healthcare regulations for organizations serving vulnerable populations—visualized for quick reference

🏛️

FDA Medical Device

Determines if your app is a regulated medical device

✓ DO

• Frame as educational resources and health literacy tools

• Provide culturally responsive health information

• Connect users to community health resources and providers

• Include disclaimer: "Not intended to diagnose, treat, cure, or prevent disease"

• Direct users to free/low-cost clinics and healthcare access programs

✗ DON'T

• Diagnose reproductive or gynecological conditions

• Make claims about fertility, pregnancy outcomes, or contraception effectiveness

• Provide specific medical treatment recommendations

• Replace clinical care or professional medical consultation

• Use language that could create fear or shame around women's health

💡 Example Language

✗ Wrong

"Your symptoms indicate PCOS. Follow our treatment plan to regulate your cycle and improve fertility."

✓ Right

"Some people with irregular cycles find it helpful to track patterns. We can help you understand what's normal for you and when you might want to discuss your cycle with a healthcare provider."

🔒

HIPAA

Health data privacy and security requirements

✓ DO

• Encrypt all health data with extra security for vulnerable populations

• Provide anonymous/pseudonymous usage options for safety

• Create multilingual privacy policies and consent forms

• Allow users to delete data completely with no questions asked

• Never share data with immigration authorities or law enforcement

✗ DON'T

• Require real names, addresses, or documentation

• Share data with third parties without explicit, informed consent

• Store location data that could compromise user safety

• Use complex legal language that non-native speakers can't understand

• Retain data longer than necessary (consider 30-90 day auto-delete)

💡 Design Implications

→ Offer app usage without account creation (guest mode)

→ Clear "This data never leaves your phone" messaging

→ One-tap emergency data deletion ("Panic button")

🔬

CLIA

Clinical testing standards (if offering testing services)

✓ DO

• Partner only with CLIA-certified laboratories

• Display lab's CLIA certification number clearly

• Keep lab results separate from your app's insights

• Clearly label what comes from certified lab vs. your analysis

• Allow users to download official lab reports

✗ DON'T

• Provide clinical interpretations without proper credentials

• Suggest you're performing lab analysis yourself

• Mix clinical lab data with non-validated insights without distinction

• Alter or modify official lab reports

💡 Implementation Tips

→ Create separate sections: "Lab Results" vs "Your Health Insights"

→ Use visual design to distinguish clinical data from wellness tracking

→ Footer: "Testing performed by [Lab], CLIA #[Number]"

🛡️

FTC Health Breach

Breach notification for health apps

✓ DO

• Maintain reasonable security practices

• Have a documented breach response plan

• Notify affected users within 60 days of breach

• Notify FTC if breach affects 500+ individuals

• Conduct regular security assessments

✗ DON'T

• Delay breach notifications beyond timeframes

• Minimize or hide data breaches from users

• Fail to investigate security incidents

• Ignore security vulnerabilities once discovered

🗺️

State Privacy Laws

CCPA, CPRA, Virginia CDPA, etc.

✓ DO

• Provide clear privacy notices at collection

• Honor user rights to access, delete, and correct data

• Get explicit consent for sensitive health information

• Respond to privacy requests within 45 days

• Implement "privacy by default" settings

✗ DON'T

• Sell health data without explicit consent

• Make privacy settings hard to find

• Discriminate against users exercising privacy rights

• Use dark patterns to trick users into sharing data

💊

Dietary Supplements

Nutrition recommendations & supplement claims

✓ DO

• Frame recommendations as educational information

• Include FDA disclaimer about supplements

• Suggest users consult healthcare providers

• Cite peer-reviewed research for nutritional suggestions

• Disclose affiliate relationships transparently

✗ DON'T

• Make disease treatment claims about supplements

• Recommend specific supplement dosages like prescriptions

• Suggest supplements can replace medical treatment

• Hide affiliate relationships or financial incentives

• Recommend stopping prescribed medications

💡 Required Disclaimer

"These statements have not been evaluated by the FDA. This product is not intended to diagnose, treat, cure, or prevent any disease."

⚕️

Medical Practice

Avoiding unlicensed medical practice

✓ DO

• Provide general educational information

• Empower users to track their own patterns

• Suggest bringing findings to healthcare provider

• Create tools that support informed decision-making

• Acknowledge limitations of your app

✗ DON'T

• Provide personalized medical advice

• Create doctor-patient relationships through app

• Prescribe treatments or protocols

• Diagnose conditions

• Suggest medication changes

💡 Where's the Line?

✓ Acceptable

"Heavy periods can be common, but if you're soaking through pads/tampons every hour, this might be something to discuss with a doctor. We can help you find free clinics near you."

✗ Not Acceptable

"Your heavy bleeding indicates anemia. Take iron supplements and schedule surgery consultation."

🧠

Mental Health

Special considerations for mental health features

✓ DO

• Include multilingual crisis resources (988, domestic violence hotlines)

• Acknowledge trauma-informed care principles

• Connect to culturally specific mental health resources

• Normalize mental health support across cultures

• Provide safety planning resources for domestic violence

✗ DON'T

• Claim to treat depression, anxiety, or mental health conditions

• Diagnose mental health conditions

• Suggest users stop psychiatric medications

• Use clinical assessment tools without licensing

• Replace mental health care with wellness tracking

💡 Safety Features to Include

→ Multilingual crisis resources accessible without login

→ National Domestic Violence Hotline (1-800-799-7233) prominently displayed

→ Local immigrant-serving organizations and legal aid contacts

🔬

IRB & Research Ethics

Institutional Review Board requirements for research activities

✓ DO

• Obtain IRB approval before collecting data for research purposes

• Clearly distinguish between service delivery and research activities

• Provide separate informed consent for research participation

• Document IRB approval numbers and renewal dates

• Report adverse events and protocol deviations to IRB

✗ DON'T

• Use service data for research without proper consent and IRB approval

• Coerce vulnerable populations into research participation

• Assume app usage automatically equals research consent

• Fail to provide opt-out options for research activities

• Share identifiable research data without proper de-identification

💡 Key IRB Considerations

→ Vulnerable population protections (pregnant women, children, prisoners, etc.)

→ Layered consent: Service use + Optional research participation

→ Data retention policies that comply with both IRB and HIPAA

🏛️

Tax-Exempt Status

501(c)(3) and charitable organization regulations

✓ DO

• Maintain 501(c)(3) status by serving charitable mission

• Document that services primarily benefit underserved populations

• Avoid political campaign activities or excessive lobbying

• Ensure no private inurement (profits to individuals)

• File Form 990 annually with detailed program descriptions

✗ DON'T

• Operate primarily for commercial purposes

• Provide excessive compensation to executives

• Engage in unrelated business income without paying UBIT

• Discriminate in service delivery (must be open to all who qualify)

• Sell user data for profit (violates charitable purpose)

💡 Tax-Exempt Specific Risks

→ Free vs. paid features (must maintain primary charitable mission)

→ Corporate partnerships (avoid quid pro quo arrangements)

→ Data monetization is generally prohibited for 501(c)(3) organizations

📊 Feature Risk Assessment

Low Risk Generally Safe Features

Health tracking & journaling

Symptom logging

Educational content library

Clinic/resource finder

Multilingual health glossary

Community forum (moderated)

Appointment reminders

Medium Risk Requires Careful Language

Health condition education & symptom guides

Wellness recommendations & lifestyle tips

Medication adherence reminders

Health metric tracking with insights

Provider matching or referral features

Peer support or community forums

High Risk Extra Caution Required

Research data collection without IRB approval

Experimental interventions or clinical trials

Data sharing with academic institutions for research

Predictive algorithms for health outcomes

Fertility/pregnancy outcome predictions

Medical procedure recommendations

Monetizing user data (prohibited for tax-exempt orgs)

🌍 Special Considerations for Vulnerable Populations

Language & Accessibility

Multi-language support (not just translation)

Low-literacy design (icons, images, audio)

Offline functionality for limited connectivity

No smartphone-only requirements

SMS/text-based alternatives

Safety & Privacy

No mandatory real name/ID requirements

Panic button for quick app exit/data deletion

Never store location data

Zero data sharing with government agencies

Disguised app icon/name option

No push notifications that reveal app purpose

Cultural Competency

Trauma-informed design principles

Respect for cultural health beliefs

Diverse representation in imagery

Avoid Western-centric assumptions

Partner with community organizations

Include traditional/complementary practices respectfully

Healthcare Access

Free/low-cost clinic finder

Sliding-scale provider directory

Community health worker connections

Insurance navigation support

Legal aid resources (healthcare rights)

No insurance required messaging

Grant Compliance & Reporting

Track metrics required by funders

Maintain audit trail for grant expenses

Document program outcomes and impact

Separate restricted vs. unrestricted funds

Annual reporting to foundation/government funders

Acknowledge funding sources appropriately

Community Accountability

Community advisory board input

User feedback mechanisms

Transparent data usage policies

Regular community impact reports

Participatory design with target population

Cultural humility and responsiveness

✅ Pre-Launch Compliance Checklist

□

Legal review by healthcare regulatory attorney

□

IRB approval obtained for any research activities

□

501(c)(3) status maintained and documented

□

Safety features tested with target community

□

All content reviewed for cultural sensitivity

□

Data security measures exceed HIPAA standards

□

Anonymous usage option available

□

Crisis resources in all supported languages

□

Partnership agreements with community organizations

□

Research consent separate from service consent (if applicable)

□

IRB protocol includes vulnerable population protections

□

Grant reporting metrics integrated into app analytics

□

Community advisory board established

□

Low-literacy design tested with community members

□

Offline functionality verified

□

No medical claims in app content

□

Free clinic finder database updated

□

Trauma-informed design review completed

□

Form 990 preparation includes digital health program details

□

No data monetization or selling to third parties

□

Board of directors trained on digital health compliance

□

Adverse event reporting process to IRB documented

□

No data sharing with immigration/law enforcement confirmed