Government to Help Mobile Health Developers Comply with HIPAA

Mobile health apps have great potential to improve efficiency in healthcare as well as patient outcomes; however, developers of mobile health apps are struggling to attract interest from healthcare providers due to fears that their products would cause violations of the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA Privacy and Security Rules serve to protect patient privacy and keep health and personal data secure. Substantial financial penalties are being issued by both the Office for Civil Rights and Attorney General’s Offices for non-compliance, and understandably healthcare providers are being extremely cautious with any new technology or software that could potentially touch the Protected Health Information of their patients.

The App Association (ACT) – an advocacy and educational organization representing mobile app developers – wrote to the Office for Civil Rights requesting clarification on HIPAA privacy rules, and how they apply to mobile developers. Developers are keen to incorporate the required privacy controls to ensure HIPAA-compliance; however many are unclear about what controls are required.

Yesterday, the OCR responded by writing to Representative Peter DeFazio, and confirmed that it believes its goal should be to provide “the best possible compliance guidance in the industry” and that it is “moving forward in a number of ways” towards this goal.

DeFazio had requested greater clarity on HIPAA obligations for companies storing data in the cloud, wanted to find out what is expected of technology companies in order to comply with HIPAA rules and asked for the OCR to engage regularly with technology companies and provide compliance assistance.

In the letter, the OCR pointed out that it does provide information and compliance tools via its website and that the information has been compiled collaboratively with the Office for the National Coordinator for Health Information Technology. However, in a field that is growing at such a rapid rate it has not been able to address all of the issues raised.

The OCR confirmed that it has entered into discussions with ACT and is in the process of developing “real time solutions” to cover the issues which are most pressing, and will ensure that these problem areas are specifically covered in the guidance it issues. The OCR is also exploring the possibility of holding what it refers to as “listening sessions”, where stakeholders can air their views about privacy and security.

According to App Association Director, Morgan Reed, the privacy developer guidelines the OCR has provided so far are outdated, which is hindering development of mobile health apps. He also believes HIPAA is preventing many hospitals and clinics from using the new tools and services provided by mobile developers.

“Often we talk to developers who have got their first round of funding, they have a good idea that promotes good patient outcomes, but then they get into the development cycle and the sales just aren’t there. There’s a disconnect.”

Now that discussions have been opened, Reed has called for mobile developers to contact ACT with case studies and information about specific problems that have been experienced so it can communicate them to the OCR. Once the problems have been identified, the OCR will be able to improve the guidance it provides to better serve the mobile industry.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.