HIPAA Rules Covering mHealth Apps Require Clarification

A bipartisan group of congressmen has written to Sylvia Mathews Burwell, the Secretary of Health and Human Services (HHS), criticizing the HHS for failing to clarify HIPAA Rules covering mHealth apps. While the HHS has taken some steps to help mHealth app developers comply with HIPAA Rules, the efforts made so far have not been sufficient and many app developers are still none the wiser about how and when HIPAA Rules apply.

In November 2014, the HHS made firm commitments to issue guidance for technology companies on the HIPAA Privacy and Security Rules regarding mobile health apps and connected devices. In the 15 months since those commitments were made, the HHS has produced one document for mHealth app developers, which was not issued until February 2016.

The group says the efforts made by the HHS have been sluggish and display “a worrisome lack of urgency.” Mobile health apps have the potential to make a huge impact on the health industry and improve patient outcomes. Technology is being developed at a rapid pace, yet development is being held back by a lack of understanding of HIPAA regulations.

To emphasize the point, the letter states that in the past decade more than five and a half billion smartphones have been sold. Those devices have been updated some 24,000 times. Yet during that period, the Department of Health and Human Services had failed to issue any guidance on how HIPAA applies to those devices. The slow pace of progress is standing in the way of life-changing technology being used to improve patients’ health.

Back in 2014, the HHS agreed to identify implementation standards that could be used by technology companies to ensure their devices and apps comply with HIPAA Rules. The HHS also said it would provide more clarity on the HIPAA obligations for companies that store data in the cloud or provide cloud services. Thirdly, the HHS said it would engage with technology companies regularly and would provide ongoing compliance assistance.

In the letter, the congressmen said the HHS has failed to accomplish the first two commitments, and the third commitment, to the knowledge of the congressmen, has similarly not been accomplished. In the 15 months since the commitments were made, Members of Congress have not been updated or consulted on any efforts made to improve understanding of HIPAA Rules.

The congressmen have requested a Member briefing to review the progress that has been made so far and to identify ways that real progress can be made.

The letter was signed by Peter A. DeFazio, Tom Marino, Earl Blumenauer, Renee L. Ellmers, Blake Farenthold, Suzanne Bonamici, Ted Lieu, and Will Hurd.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news