Mobile Health Companies HIPAA Rules to be Clarified

Feb 1, 2015

The HHS has reacted to a letter sent by Representative Peter DeFazio (D-OR) asking for greater transparency on HIPAA Rules relating to the mobile health industry, and has confirmed that the OCR will be working more closely with the industry to ensure HIPAA Rules are being adhered to.

Last fall, Representatives DeFazio and Tom Marino (R-PA) contacted HHS Secretary, Sylvia Burwell, asking for updates to HHS guidance on HIPAA. In the letter it was stated that the technical compliance guidelines had not been refreshed in the past eight years, yet the pace of technological change over the same time period has been rapid, with the past 6 years having seen the market for mobile apps – including mobile health apps – explode into a $68 million industry.

Burwell replied to the correspondence a month later in November, although her response has only just been released. She confirmed that the HHS is aware of the rapid growth in the use of technology, that it realizes there are a number of issues with HIPAA Privacy and Security Rule compliance, and that the assistance it has previously issued does not address some of the problems currently being faced by app developers.

According to Burwell, the HHS is taking steps to address these problems and “[The OCR] has already met with ACT | The App Association, which represents over 5,000 app companies and information technology companies, to discuss the needs of companies and to ensure that OCR can supply technical assistance and guidance in useful ways.”

Mobile technology is progressing at a rapid pace, but for healthcare providers to take full advantage they must be satisfied that mHealth apps and cloud services are HIPAA compliant and offer the security measures needed to ensure patient data is properly secured.

One proposal made by the two representatives is for a voluntary badge system to be introduced. It is thought that this would encourage mHealth developers to adhere to HIPAA, and also let them prove that this was the case. Burwell did not specifically respond to this request. She also did not give an exact answer on how the HHS plans to help cloud developers and cloud storage companies adhere to HIPAA regulations, only that the HHS “recognizes the benefit of providing more guidance” and that it is recognized that HIPAA compliance is a critical issue.

Meanwhile, the Federal Trade Commission (FTC) has issued a report on the Internet of Things and has led calls for the industry to adopt new best practice methods to protect the privacy and security of consumers. The report was issued due to the rapid growth in the use of new technology such as health monitors. Wearable devices are capable of recording and broadcasting highly sensitive data, and the FTC believes new standards should be set to lessen the risk of privacy violations. It suggests a number of policies, such as configuring the devices to hold data for a finite period of time rather than indefinitely.

The report was formulated after the FTC’s November Internet of Things workshop, which focused on the need for steps to be taken to improve consumer confidence in new technology. A lack of consumer trust has massive potential to hold the mobile industry back and Americans need to be sure that any data recorded is maintained in a totally secure fashion.

The HHS and many industry groups are working hard to keep pace with new technology and improve data privacy and security standards, with the OCR dedicated to working on “real time solutions” according to Burwell; however it is up to the industry to emphasize the most important mHealth issues that need to be addressed so that the OCR can make sure they take precedence.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
