Rep. Tom Marino (R-PA) and Rep. Peter DeFazio (D-OR) sent a letter to US Secretary of Health and Human Services (HHS) Sylvia Burwell asking her to help make HIPAA regulatory guidance clearer for app developers.
The congressmen wrote the letter a few days after ACT — The App Association and a number of its mobile health company members sent a letter to Marino encouraging him to do so.
In the letter to Marino, ACT's Executive Director Morgan Reed argued that the language of HIPAA is not easy for software developers to parse in terms of how it relates to their apps. The app association also wrote that publishing information about HIPAA and other relevant health IT policies in the Federal Register is not the best way to get this information to developers. Instead, ACT argues, HHS should seek other channels to publish it and should proactively reach out to developers rather than expecting developers to come to HHS.
The group offered three suggestions to Congress for clarifying the guidelines: make existing regulation more accessible for tech companies, improve and update guidance from the Office for Civil Rights (OCR) on acceptable implementations, and improve outreach to new entrants in the healthcare space.
In a statement discussing his letter to Burwell, Marino said that "HIPAA regulations and guidance have been a hindrance for this emerging economy".
“This is why Congressman DeFazio and I teamed up in a bipartisan letter to Secretary Burwell urging that she and her staff upgrade their operations to be more user-friendly for small and large healthcare companies," he continued. "I hope the Secretary will take our suggestions to heart and earnestly strive to update the HHS offices to continue to maintain patient privacy while allowing breakthrough mobile health developments to get to market more quickly.”
In his letter to Burwell, Marino explained that the documentation on the HHS website explaining how to maintain technical compliance with HIPAA had not been updated since 2006.
"Many companies creating mobile health apps have told us that they want to fully comply with HIPAA regulations, but have difficulty confirming that they have done so because current regulatory guidance does not cover technologies that they are using," Marino and DeFazio's letter stated. "In some cases small technology companies have reported having to hire large legal teams just to determine, with some level of certainty, that their product is in compliance with HIPAA. In order to ensure that innovative health companies do not inadvertently run afoul of the law, regulatory guidance should be routinely updated to reflect modern technologies being used in the health field."
Marino and DeFazio then outlined four steps that HHS could take to help mobile app developers determine whether they are compliant with HIPAA.
First, HHS should provide updated information on what companies need to do to comply with HIPAA regulations, covering technologies that have emerged since 2006, including apps and cloud storage. Second, the letter suggests that the Office for Civil Rights (OCR) should offer implementation standards for companies that need guidance on how to conform with the regulations. Third, because a growing number of apps use cloud storage for data, HHS should explain what HIPAA obligations apply to companies and services that choose to use cloud storage. Finally, HHS should recruit employees with the relevant expertise and have them reach out to and work with digital health startups to ensure their products are HIPAA compliant.