HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OCR to Clarify HIPAA Rules for Mobile Health Companies

The HHS has responded to a letter sent by Representative Peter DeFazio (D-OR) requesting clearer guidance on HIPAA Rules relating to the mobile health industry, and has confirmed that the OCR does intend to work more closely with the industry to ensure HIPAA Rules are being followed.

In September last year, Representatives DeFazio and Tom Marino (R-PA) wrote to HHS Secretary Sylvia Burwell requesting much-needed updates to HHS guidance on HIPAA. The letter pointed out that the technical compliance guidelines had not been updated in the past 8 years, yet the pace of technological change over the same period has been considerable, with the past 6 years having seen the market for mobile apps – including mobile health apps – grow into a $68 million industry.

Burwell replied to the letter a month later in November, although her response has only just been made public. She confirmed that the HHS is aware of the rapid growth in the use of technology, that it understands there are a number of issues with HIPAA Privacy and Security Rule compliance, and that the guidance it has previously issued fails to address some of the problems currently being faced by app developers.

According to Burwell, the HHS is taking affirmative action to address these issues and “[The OCR] has already met with ACT | The App Association, which represents over 5,000 app companies and information technology firms, to discuss the needs of companies and to ensure that OCR can provide technical assistance and guidance in useful ways.”

Mobile technology is being developed at a tremendous pace, but in order for healthcare providers to take full advantage they must be confident that mHealth apps and cloud services are HIPAA compliant, and offer the necessary protections to ensure patient data is properly secured.

One suggestion made by the two representatives is for a voluntary badge system to be introduced. It is believed that this would encourage mHealth developers to comply with HIPAA, and also let them prove that this was the case. Burwell did not specifically reply to this request. She also did not give a specific answer on how the HHS plans to help cloud developers and cloud storage companies comply with HIPAA regulations, only that the HHS “recognizes the benefit of providing more guidance” and that it is appreciated that HIPAA compliance is a critical issue.

Meanwhile the Federal Trade Commission (FTC) has released a report on the Internet of Things and has called for the industry to adopt new best practices to ensure the privacy and security of consumers is protected. The report was released due to the rapid growth in the use of new technology such as health monitors. Wearable devices are capable of recording and transmitting highly sensitive data and the FTC believes new standards should be set to reduce the risk of privacy violations. It suggests a number of strategies, such as configuring the devices to store data for a finite period of time rather than indefinitely.

The report was compiled following the FTC’s November Internet of Things workshop, which highlighted the need for steps to be taken to improve consumer confidence in new technology. A lack of consumer trust has considerable potential to hold the mobile industry back and Americans need to be sure that any data recorded is kept totally secure.

The HHS and many industry bodies are working hard to keep pace with new technology and improve data privacy and security standards, with the OCR committed to working on “real time solutions” according to Burwell. However, it is up to the industry to highlight the most important mHealth issues that need to be addressed so that the OCR can ensure they take precedence.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.