MHWG Consumer Mobile Health Application Functional Framework
Project Co-Leads: Nathan Botts and David Tao
This project (Consumer Mobile Health Application Functional Framework, a.k.a. cMHAFF) will define security, privacy and data standards and guidelines for mobile health applications (apps), as well as other aspects of transparency and consumer protection through the life cycle of such apps (from purchase, download, installation, use, and deletion). The intent is to provide industry guidance and common methods to enable the development of mobile health apps targeted to consumers/citizens that use protected health information (PHI) and personally identifiable information (PII). These standards will not address the clinical content of such apps (e.g., "Does it give good advice?"), but will provide a framework for security, privacy and the integration of data generated from apps into Personal Health Record (PHR) and Electronic Health Record (EHR) systems as well as into other types of data repositories (e.g., personal data stores, population care systems). "Mobile Health Apps" include apps running typically on smartphones, but also on other consumer devices such as watches and tablets.
cMHAFF may reuse conformance criteria already available within the HL7 PHR-S and EHR-S Functional Models, augmenting with new conformance criteria specific to mobile platforms (e.g., use of geolocation services, accelerometers, cameras, microphones, contacts). It will also use existing HL7 principles for security and privacy risk assessment. It will not attempt to replicate standards, regulations, and guidelines defined elsewhere, but will reference them where possible.
In particular, cMHAFF will address the following areas:
- Transparency of information about the app, its purpose, intended use, target audience, authors, sources, evidence, etc.
- User, device, and cross-system authentication
- Authorization to content and features
- Proxy designations
- Use of location services, camera, accelerometers and other smartphone services
- Security of data at rest (local and cloud)
- Security of data in transit (wired and wireless)
- Minimum data standards for device generated and device transmitted information
- Record system reliability; record authenticity (it is what it represents to be)
- Data provenance
- Discontinuation of use of an app
The cMHAFF project went through an HL7 Comment-Only Ballot in January 2016; comments were reconciled as of September 2016; a revised cMHAFF document is being developed for STU ballot in Jan 2018.
Project Scope Statement
Standing meetings are every Thursday at 3 PM Eastern. Watch for weekly announcement and agenda.
Phone: +1 770-657-9270 Participant Passcode: 465623
2017 Working Documents
File:CMHAFF STU Ballot Draft.docx Copy of cMHAFF as it evolves toward January 2018 STU ballot. Updated October 4, 2017.
File:CMHAFF Update 2017-Sept-WGM 16x9.pptx cMHAFF presentation for September 2017 HL7 Working Group Meeting.
File:CMHAFF-HAS Comparison.docx Side-by-side comparison of cMHAFF vs French HAS Good Practice Guidelines categories
File:MHAFF CONS MHAFF R1 O1 2016JAN Consolidated WG TRACK FOR 2017 BALLOT.xlsx -- Ballot Reconciliation spreadsheet, edited to show work in progress toward next ballot
File:HL7 cMHAFF Informative Ballot Draft.docx DEPRECATED. Kept as archive of cMHAFF as updated after ballot reconciliation, in progress toward next ballot. Updated June 3, 2017. Superseded by HL7_cMHAFF_STU_Ballot_Draft.docx.
Reference Resources (including European Guidelines and Good Practices)
- File:French good practice guidelines on mHealth apps.pdf -- FRENCH "Good Practice Guidelines on Health Apps and Smart Devices" to compare to cMHAFF. Reviewed by Frank Pfloeg, Adamu Haruna, David Tao, and cMHAFF team
- File:Charismha abr v.01.1e-20160606 (003) ENG SHORT VERSION.pdf -- GERMAN "Chances and Risks of Mobile Health Apps" to compare to cMHAFF. Reviewed by cMHAFF team
- GERMAN Assessment Criteria for health-related apps These are mostly intended for developers to use in self-assessment, but the assessments also contain reviews by a third party.
- File:Draft guidelines mhealth apps not for publication DTao Comments.docx -- Draft mHealth Guidelines from a project not completed in EU (unpublished, not for distribution), with a mandate "to develop guidelines for assessing the validity and reliability of the data that health apps collect and process." While the project was never completed, there was a report on the work. Reviewed by David Tao.
- File:ReportofmHealthWorkingGroup-June2017cleanpdf.pdf of which page 6 summarizes 13 categories for assessment that were discussed, of which six had a higher degree of consensus than others.
- File:Assessment Questionnaire.xlsx -- Assessment Questionnaire from a project not completed in EU (unpublished, not for distribution)
- File:PAS 277 (2015).pdf -- U.K. Health and wellness apps – Quality criteria across the life cycle – Code of practice. Includes quality criteria, app project life cycle, risk management, fitness for purpose, etc. Reviewed by Adamu Haruna
- U.K. Guidance primarily for medical device stand-alone software, but also including apps, from UK Medicines and Healthcare Products Regulatory Agency (MHRA)
- ANDALUSIAN Complete list of recommendations on design, use and assessment of health Apps -- This has four categories: 1. Design and Appropriateness; 2. Quality and Safety; 3. Provision of Services; 4. Confidentiality and Privacy. Reviewed by David Tao
- File:National authorisation criteria of Finnish PHR v2.2 Nokia Translation.xlsx -- FINNISH National Authorisation (Certification) Criteria for PHR (unofficial translation into English) Contains approximately 80 criteria in 6 categories. Reviewed by Nathan Botts
- File:EU Privacy CodeofConductfinaldraft.pdf EU voluntary but authoritative guidelines, to compare to cMHAFF. See Privacy Code of Conduct on mobile health apps for an overview.
- Commission Staff Working Document on the existing EU legal framework applicable to lifestyle and wellbeing apps This is a non-exhaustive description of EU legislation, applicable to lifestyle and wellbeing apps. The aim of this document is to provide guidance for example to app developers.
- File:Draft White Paper PGHD Policy Framework HL7 MH Comments.pdf Draft whitepaper on PGHD, written by Accenture for ONC.
The following are old, but are included for historical purposes
File:MHAFF CONS MHAFF R1 O1 2016JAN.pdf -- Original cMHAFF as balloted in January 2016
- cMHAFF call, Thursday, Oct 12
- cMHAFF call, Thursday, Oct 5
- cMHAFF call, Thursday, Sept 21
- cMHAFF call, Thursday, Sept 7
- cMHAFF call, Thursday, August 31
- cMHAFF call, Thursday, August 24
- cMHAFF call, Thursday, August 17
- cMHAFF call, Thursday, August 10
- cMHAFF call, Thursday, August 3
- cMHAFF call, THURSDAY, July 20
- cMHAFF call, Tuesday July 11
- cMHAFF call, Tuesday June 27
- cMHAFF call, Tuesday June 20
- cMHAFF call, Tuesday June 13
- cMHAFF call, Tuesday June 6
- cMHAFF call, Monday, May 22
- cMHAFF calls Monday, April 24, May 1 and 8 -- CANCELLED (travel, Madrid). May 15 cancelled (lack of attendance and technical problems)
- cMHAFF call, Monday, April 17
- cMHAFF call, Monday, April 10
- cMHAFF call, Monday, March 27
- cMHAFF call, Monday, March 13
- cMHAFF call, Monday, March 6
- cMHAFF call, Monday, February 20
- cMHAFF call, Monday, February 6
- cMHAFF joint with Security/CBCC, Tuesday, January 31
- Joint with Security/CBCC at San Antonio WGM, January 17, 2017
2016 and Earlier Meetings
Most meetings in 2016 were dedicated to ballot reconciliation, and the results were reflected in the Ballot Reconciliation Spreadsheet (see link under 2017 Working Documents above).