ONC Reminds App Developers to Check Regulatory Requirements

The Office of the National Coordinator for Health Information Technology (ONC) has reminded developers of health apps not only to put more thought into data security, but also to build security controls into the core of their apps. Data security features should not simply be bolted on as an afterthought. They are an essential part of the design of the apps and therefore must be incorporated during the initial design process.

The ONC points out that health apps are no longer just being developed by computer science graduates. Health apps have been developed by clinicians who have identified a need for an app and a gap in the market. Even patients have been working on health apps to log and record a wide variety of health data or to issue appointment and medication reminders.

No matter who conceives and develops a new health app, it is essential that the legal implications are considered and incorporated into the design. App developers must become familiar with the legislation covering health apps and the data they record.

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement technological controls to ensure that protected health information (PHI) is secured and cannot be accessed by unauthorized individuals. Business associates of covered entities must similarly comply with HIPAA Rules. App developers may be considered, under certain circumstances, to be HIPAA business associates. Should that be the case, they would also be required to comply with the HIPAA Security, Privacy, and Breach Notification Rules.

There has been some confusion within the app industry about the regulations that apply to health apps and the circumstances under which they apply. Not only do some app developers struggle to understand HIPAA Rules, they have also found it difficult to find answers to their questions. Many are unsure how to make their apps secure and compliant with HIPAA and other federal laws.

The ONC’s Senior Health Information Privacy Program Analyst Helen Caton-Peters and Chief Privacy Officer Lucia Savage reminded app developers that an online tool exists to help them determine what laws apply to health apps. The ONC developed the tool after collaborating with the Federal Trade Commission (FTC), the Food and Drug Administration (FDA) and the Department of Health & Human Services’ Office for Civil Rights (OCR). The ONC also provides other useful online resources to help health app developers get to grips with federal legislation.

The tool provides “a snapshot” of important laws and regulations from the OCR, which enforces HIPAA; the FDA, which enforces the Federal Food, Drug, and Cosmetic Act (FD&C Act); and the FTC, which enforces the Federal Trade Commission Act (FTC Act) and the FTC’s Health Breach Notification Rule. The tool links to the appropriate agency websites where app developers can find out more about each set of laws and regulations if they apply to a particular app. The tool has already proved popular. Since its release in early April, the tool has been used over 12,000 times.

Some app developers have complained about the difficulty in finding relevant information about federal laws, in particular HIPAA. In addition to the tool and the ONC’s resources, the OCR has developed resources specifically for health app developers. The OCR’s health app Developer Portal provides important information on HIPAA Rules, such as when health app developers are classed as HIPAA business associates. The OCR has also detailed a number of scenarios to explain how and when HIPAA Rules apply.

Health apps have tremendous potential to get patients more engaged in their own healthcare and improve patient health; however, without the required security and privacy controls, the potential of health apps will be extremely limited.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.