Even as cries for simplification and clarification of health-data rules grow louder, one Federal Trade commissioner remains deeply concerned about the privacy and security implications of apps and devices that collect info directly from consumers.

“I’m a big believer in the potential for data from mobile and wearable devices to help consumers lead healthier lives and improve public health, but appropriate privacy and security protections are critical to achieving this potential,” FTC commissioner Julie Brill said in an email to VentureBeat today.

Brill is leading the FTC’s efforts to review security and privacy rules around consumer health data. This has traditionally been the province of the Department of Health and Human Services and the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is written to regulate only healthcare providers, payors, and health tech companies that have “business associate” relationships with either.

But the FTC is likely to eventually take action to protect the privacy of data being collected in the cloud servers of new health app and device makers operating outside the realm of the health care system. This could be triggered if the commission feels that consumer health app developers are not being clear with consumers about what kinds of data they’re collecting and how they’re using it.

“It’s encouraging to see app developers and companies like Apple recognize that, if they’re going to collect and use health data from consumers, they need to institute strong protections for this sensitive data,” Brill continued. (Some have speculated that the delay of Apple’s HealthKit health data platform this week arose from problems with protecting the security and privacy of consumer health data that would be managed by the platform.)

“In addition, I think Congress has an important role to play in encouraging innovations based on user-generated health data by enacting both data security legislation and baseline privacy legislation that address sensitive health information,” Brill said. “And even before Congress acts, industry and other stakeholders should set out strong health data privacy and security best practices, to protect consumers and encourage the development of new products and services focused on consumer health.”

Her comments came one day after two House members, Reps. Tom Marino (R-Penn.) and Peter DeFazio (D-Ore.), sent a letter to Health and Human Services Secretary Sylvia Mathews Burwell asking that the government work more closely with app developers to stay within health data privacy laws.

The call for more clarity on the subject originally came from The App Association, which represents some 5,000 software developers. Earlier this week, the group sent a letter to Congress asking it to push for more clarity around health privacy rules.

But, as App Association executive director Morgan Reed told me earlier this week, software companies are very excited about developing consumer health apps now. The approach Brill suggests, where the public and private sectors would work together to develop “best practices,” might take a long time.

And there’s a danger in getting too specific about best practices and then codifying them in law. “Best practices have to evolve,” Reed told VentureBeat Friday. “Something that’s true this year may not be true next year, and over time there’s a danger that they could create barriers to innovation. So we need to be very cautious.”

Yet Brill and Reed aren’t too far apart on the big-picture stuff. “In a sense we are singing from the same song book,” Reed says. “What Commissioner Brill is saying is really not very far afield from what industry also wants, which is a high level of protection for consumer health data.”

And Brill has toned down her concerns a little bit over the past couple of months. She said July 23 that she considers collection and use of data to be one and the same — and she thinks there should be heavy restrictions, which would have a major impact on the future of mobile health.

If Brill’s fellow commissioners were to agree with that statement, and act on it, an FTC clampdown on health data collection could happen. And that could put a serious crimp in the plans of a legion of digital health startups that are already collecting data, not to mention the cooling effect it would have on developers considering entrance into the market.