HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OCR Web Portal for Mobile Health App Developers Launched

The Department of Health and Human Services’ Office for Civil Rights has launched a new web portal for mobile health app developers. The portal will allow application developers to get answers to the burning questions they have about HIPAA Rules and compliance requirements.

The new portal is intended to encourage application developers, in particular mobile app developers, to submit comments and questions regarding HIPAA. In a recent email bulletin following the launch, the OCR explained the sort of questions it hopes will be asked. “We are asking stakeholders to provide input on the following issues: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable, more accessible?”

The information gathered via the portal will also help the OCR develop future guidance covering mobile health apps.

New mHealth Guidance has been a Long Time Coming


The Health Insurance Portability and Accountability Act was first introduced in 1996, many years before the first smartphones were developed, let alone the apps that now accompany them. Guidelines were issued for the mHealth industry a decade later in 2006, and now, another 10 years on, an update on compliance with HIPAA Rules is viewed by many in the industry as long overdue.


The App Association, Act, responded to news of the launch and said the new portal is certainly a step in the right direction, and could be useful for health app developers to get answers to questions about HIPAA. A spokesperson for the organization said, “The introduction of smartphones has changed how the world communicates, but HIPAA reference materials on ‘Remote Use’ date from before the iPhone even existed.” He went on to say that “the statute was originally enacted to help patients access their own health data, but it has evolved into a barrier making that information even harder to get.”

That barrier has proved problematic for many mobile app developers. According to Peter DeFazio (D-Ore.), “In some cases small technology companies have reported having to hire large legal teams just to determine, with some level of certainty, that their product is in compliance.”

Many app developers are entirely unaware of what is required, and there is considerable confusion – and many fears – about HIPAA regulations. Some mobile app developers have been put off developing health apps entirely due to the extensive restrictions covering the healthcare industry.

Questions can be Asked without Fear of Enforcement Actions


OCR is the main enforcer of HIPAA Rules, and as such, the department investigates data breaches and potential HIPAA violations, issuing financial penalties and action plans to organizations that fall afoul of HIPAA Regulations. However, OCR is also tasked with taking proactive steps to prevent privacy and security breaches. This is achieved, in part, by developing guidance for covered entities (and potential covered entities) to help them comply with HIPAA Rules.

In order to submit questions or comments, users will be required to sign in to the portal, although according to OCR senior adviser Linda Sanches, all information submitted via the new portal will be anonymized. She also pointed out that information submitted will not be used for enforcement purposes. The aim is to help covered entities with compliance issues, not to punish them for asking questions when they are unsure. “We’re not going to track anyone down. At this point, we’re very interested in seeing what kinds of information requests we get,” she said.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.