HHS Effort to Address Confusion over Mobile Apps is Disappointing, Say Federal Legislators

Last month the Department of Health and Human Services issued new guidance to clear up confusion about HIPAA Regulations and how they apply to mobile health apps.

The four-page document explained how HIPAA Rules apply to health information that is created by patients and entered into health apps, and set out to explain when developers of health apps needed to comply with HIPAA Rules. The guidance covered six scenarios and explained how and when HIPAA Rules applied.

The guidance has helped to explain some of the obligations mobile health app developers have under HIPAA Rules, but according to one bipartisan group of congressmen, the guidance only covered a very narrow set of circumstances, and has “led to more questions than answers.”

Reps. Tom Marino (R-Pa.), Peter DeFazio (D-Ore.), Earl Blumenauer (D-Ore.), Blake Farenthold (R-Texas), Ted Lieu (D-Calif.), Suzanne Bonamici (D-Ore.), Renee Ellmers (R-N.C.), and Will Hurd (R-Texas) signed a letter sent to HHS Secretary Sylvia Mathews Burwell earlier this month in which the efforts of HHS to address the confusion over HIPAA and mHealth apps are severely criticized. The bipartisan group says too little has been done by HHS to clarify how HIPAA applies to mHealth developers.

In November 2014, HHS committed to providing new guidance on HIPAA Rules and mHealth apps, yet according to Congressmen Tom Marino and Peter DeFazio, HHS has not followed through on its promise. They claim the current confusion over HIPAA is holding back innovation, and that the effort made so far by HHS to address current ambiguity over HIPAA and mHealth apps has been “sluggish” and “disappointing.”

HHS has been accused of exhibiting “a worrisome lack of urgency” to address confusion. Only one document has been issued to help mHealth app developers avoid falling afoul of HIPAA Rules, and that document took 15 months to be issued.

Back in November 2014, HHS made the commitment to clarify and update compliance details and how they applied to technology companies, and to identify implementation standards. HHS promised to clarify how HIPAA Rules applied to companies that used the cloud to store data, and also to engage with technology companies to help them comply with HIPAA Rules.

In the 15 months since those commitments were made, the federal legislators claim that HHS has clearly failed to honor those commitments. The group says it is unaware of any efforts made by HHS to engage with technology companies.

Secretary Burwell has been asked to provide “a detailed plan with concrete deadlines” to clear up confusion and provide the necessary assistance to allow mHealth developers to bring new technologies to market. The group has also requested that HHS meet with industry stakeholders and members of Congress for a review of progress that has been made toward previous HHS commitments, and to develop a plan to work together “to achieve real progress.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.