Mobile Health Companies HIPAA Rules to be Clarified

The HHS has responded to a letter from Representative Peter DeFazio (D-OR) requesting greater clarity on how HIPAA Rules apply to the mobile health industry, and has confirmed that the OCR will work more closely with the industry to ensure the Rules are adhered to.

Last fall, Representatives DeFazio and Tom Marino (R-PA) wrote to HHS Secretary Sylvia Burwell asking for updates to HHS guidance on HIPAA. The letter stated that the technical compliance guidelines had not been refreshed in the past eight years, even though the pace of technological change over the same period has been rapid: in the past six years the market for mobile apps, including mobile health apps, has exploded into a $68 million industry.

Burwell replied to the letter a month later, in November, although her response has only just been released. She confirmed that the HHS is aware of the rapid growth in the use of technology, that it recognizes there are a number of issues with HIPAA Privacy and Security Rule compliance, and that the guidance it has previously issued does not address some of the problems currently faced by app developers.

According to Burwell, the HHS is taking steps to address these problems and “[The OCR] has already met with ACT | The App Association, which represents over 5,000 app companies and information technology companies, to discuss the needs of companies and to ensure that OCR can supply technical assistance and guidance in useful ways.”

Mobile technology is advancing at a rapid pace, but before healthcare providers can take full advantage of it they must be confident that mHealth apps and cloud services are HIPAA compliant and offer the security measures needed to keep patient data properly secured.

One proposal made by the two representatives is the introduction of a voluntary badge system. This would encourage mHealth developers to adhere to HIPAA and also let them demonstrate that they do so. Burwell did not specifically respond to this proposal. Nor did she give a definite answer on how the HHS plans to help cloud developers and cloud storage companies adhere to HIPAA regulations, saying only that the HHS “recognizes the benefit of providing more guidance” and that HIPAA compliance is recognized as a critical issue.

Meanwhile, the Federal Trade Commission (FTC) has issued a report on the Internet of Things and has led calls for the industry to adopt new best practices to protect the privacy and security of consumers. The report was prompted by the rapid growth in the use of new technology such as health monitors. Wearable devices are capable of recording and broadcasting highly sensitive data, and the FTC believes new standards should be set to lessen the risk of privacy violations. It suggests a number of policies, such as configuring devices to retain data for a finite period rather than indefinitely.

The report was formulated after the FTC’s November Internet of Things workshop, which focused on the steps needed to improve consumer confidence in new technology. A lack of consumer trust has massive potential to hold the mobile industry back, and Americans need to be sure that any data recorded is kept fully secure.

The HHS and many industry groups are working hard to keep pace with new technology and to improve data privacy and security standards, with the OCR dedicated to working on “real time solutions”, according to Burwell. However, it is up to the industry to flag the most important mHealth issues that need to be addressed so that the OCR can ensure they take precedence.