HHS' Office of Civil Rights, which oversees the administration of HIPAA, will begin working closely with mobile health companies to make sure HIPAA rules are clear and unambiguous, according to a letter HHS sent to Representatives Peter DeFazio (D-OR) and Tom Marino (R-PA) in November.
The letter, signed by HHS Secretary Sylvia Burwell, was sent in response to a request Marino and DeFazio sent in September at the behest of ACT — The App Association, a DC-based group that lobbies on behalf of app-based companies, including mobile health companies.
"I think the letter ... is absolutely critical," Morgan Reed, executive director of ACT, told MobiHealthNews. "I think the fact that HHS, right there in the bottom part of that first page writes 'we acknowledge', ... with regard to HIPAA guidance not being up to date with current technology, I think was a wonderful statement by OCR to demonstrate the fact that, hey, they are really working to make sure that HIPAA isn’t getting in the way of improved patient care."
In the letter, Burwell discusses OCR's plans to meet with The App Association and others to address three points specifically: current areas where there's a lack of clarity about how HIPAA will be enforced, areas specifically pertaining to cloud technology, and creating a system of wider feedback that OCR can continue to use as technology advances and new questions emerge.
"That’s one of the reasons we’ve pushed the listening aspect of this," Reed said. "Simply having them do some updated examples, that’s great. But I don’t believe that’s the end of it. It has to be an ongoing process of engagement of OCR, and the investor and inventor community reaching out to OCR to keep them aware of where this technology is headed."
As Burwell indicates in her letter, OCR does already make a good deal of information about HIPAA requirements, even as they pertain to mobile apps, available. But there are still edge-cases that lack clarity and, more importantly, developers and investors are still confused about how to comply with HIPAA, even if the answers are out there, Reed said. He said most stakeholders would benefit from concrete examples in addition to general guidance language.
"There are all of these questions about what happens when the patient generates the data and then hands it to the physician," Reed said. "Now, in truth, we think a lot of them have been answered. But those are the level of questions that still are plaguing our industry. Basic, fundamental stuff, like 'How do I engage between physicians and patients?'"
Particular areas of confusion include patients texting with physicians, patients emailing with physicians, and patients transmitting data from health wearables to their physicians via an app. Questions about which parties need to be business associates under HIPAA are holding back innovation for many developers, Reed argues.
While HHS answered the representatives letter within two months of receipt, Reed said the letter took an another three months to become public because it took time to get permission from the congressmen.
"The reality of Congress is sometimes it takes a little while for a letter sent to a member of Congress to be released to the public," he said. "As you know, there was an election prior to that, there were a lot of things going on, so between the two offices that were involved, Marino and DeFazio, just to get it out there took a little while. We decided it was an important letter to have out there and we needed to move it."