MHealth App Developers and Cloud Services Providers New Resources made Available by OCR

New resources for mobile health app developers have been made available by the Department of Health and Human Services’ Office for Civil Rights (OCR).

This comes with a planned update and rebranding of its Health App Developer Portal. The portal – Resources for Mobile Health Apps Developers – supplies information for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they are relevant for mobile health apps and application programming interfaces (APIs).

The portal has a guidance document on Health App Use Scenarios and HIPAA, which outlines when mHealth applications must adhere with the HIPAA Rules and if an app developer will be classified as a business associate.

OCR said: “Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected. Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.”

The portal gives access to the Mobile Health Apps Interactive Tool created by the Federal Trade Commission (FTC) along with the HHS’ Office of the National Coordinator for Health IT (ONC) and the Food and Drug Administration (FDA). The Tool can be deployed by the developers of health-related apps to determine what federal rules could apply to their apps. By answering questions related to the aim of the apps, developers will be able to ascertain which federal rules apply and will be directed to resources providing more detailed information about every federal regulation.

The portal also incorporates information on patient access rights under HIPAA, how they apply to the data harvested, stored, processed, or shared using mobile health apps, and how the HIPAA Rules apply to application programming interfaces (APIs).

The update to the portal not long after the ONC’s final rule that obligates health IT developers to set up a safe, standards-based API that providers could use to support patient access to the data stored in their electronic health records. While it is important for patients to be have access to their health data to allow them to check for mistakes, make amendments, and share their health data for research reasons, there is some worry that sharing data to third-party applications, which may not be covered by HIPAA, is a privacy danger.

OCR has previously said that that once healthcare providers have transmitted a patients’ health data with a third-party app, as requested by the patient, the data will no longer be covered by HIPAA if the app developer is not a business associate of the healthcare supplier. Healthcare suppliers will not be liable for any further use or sharing of any electronic protected health information shared with the app creator.

A FAQ is also can also be viewed on the portal that outline how HIPAA applies to Health IT and a guidance document that details how HIPAA applies to cloud computing to help cloud services providers (CSPs) comprehend their duties under HIPAA rules.

Author: Maria Perez