With mHealth devices straining the boundaries of privacy and security in healthcare, the Office of Civil Rights has launched a website designed to help app makers maneuver through the HIPAA landscape.
An organization representing some 5,000 app developers hailed the new website as a step in the right direction – while pointedly noting the guidelines haven't been updated since 2006, well before the industry had even heard of an app.
The website invites health app developers – whether they're small startups, established companies or providers developing their own products – to ask questions about HIPAA health information privacy, security and breach notification rules and talk to OCR representatives about app design and development.
"We are pleased that OCR is following through on (Health and Human Services Secretary Sylvia Burwell's) commitment last year to make HIPAA clear for mobile health companies," ACT | The App Association Executive Director Morgan Reed said in a release. "Innovation in smartphones and tablets has made it possible for patients to monitor their own health and share critical data with physicians and loved ones. Mobile connectivity is poised to revolutionize healthcare by giving individuals greater access to their own health information and improving patient outcomes."
"Unfortunately, a major obstacle to realizing the benefits of mobile health technology has been uncertainty around HIPAA," Reed continued. "The introduction of smartphones has changed how the world communicates, but HIPAA dates from before the iPhone even existed. The statute was originally enacted to help patients access their own health data, but it has evolved into a barrier making that information even harder to get. Today's OCR announcement is a step in the right direction, but there is a lot of ground to cover. What's most important at this stage is to provide clear and meaningful guidance to app makers about how HIPAA will be implemented in a mobile environment."
"Many companies creating mobile health apps have told us that they want to fully comply with HIPAA regulations, but have difficulty confirming that they have done so because current regulatory guidance does not cover technologies that they are using," Marino and DeFazio said. "In some cases small technology companies have reported having to hire large legal teams just to determine, with some level of certainty, that their product is in compliance."
In her Nov. 21 response, Burwell said her office "is moving forward in a number of ways" to close the gap between the mHealth industry and health information privacy and security rules, including working with the ACT. Aside from the new website, she said officials are looking at how HIPAA can be applied to cloud storage providers and related services, and they're considering scheduling a series of "listening sessions" with stakeholders.