Mobile App Developers’ HIPAA Questions to be Answered by OCR

By Richard Anderson

The Department of Health and Human Services’ Office for Civil Rights is to answer mobile app developers’ HIPAA questions via a new web portal launched earlier this week.

HIPAA Rules can be confusing for entities covered by the legislation; however, many mobile app developers have found the Security and Privacy Rules impossible to fathom, and have struggled to come to terms with the complexities of the regulations. This has resulted in many app developers being put off developing mobile solutions for the healthcare industry. Those that have ventured into the heavily regulated healthcare sector have been forced to employ legal advisors to ensure they are not inadvertently violating HIPAA regulations.

The problem faced by mobile app developers looking to develop products and services for the healthcare industry has previously been highlighted by a number of industry leaders. ACT – The App Association – has been particularly vocal in this regard. Reps. Tom Marino (R-Pa.) and Peter DeFazio (D-Ore.) have also spoken out about HIPAA Rules, and have asked for more guidance specifically for the mHealth industry. They wrote to HHS Secretary Sylvia Mathews Burwell earlier this year asking for better guidance and further clarification on how HIPAA applies to mobile application developers.

The HHS has now responded and has launched a new web portal, through which it plans to answer mobile app developers’ HIPAA questions, with a view to using the information gathered via the portal to develop new guidelines in the near future.

Some of the problems highlighted include HIPAA obligations for cloud-stored data, a lack of implementation standards and a lack of information on exactly how vendors can comply with HIPAA Rules. Marino and DeFazio also requested that OCR recruit staff to work with startups to help them develop new HIPAA-compliant products and services for covered entities.

Part of the problem appears to be the OCR’s lack of understanding of what mobile app developers need. The new portal should help OCR find out where it needs to concentrate its resources. The agency has previously reached out to the industry and asked to be told about the issues currently causing the most problems for app developers. It is hoped that the new portal will provide the platform through which this information can be gathered.

The OCR has explained that mobile app developers can submit questions, comments and suggestions via the portal. The site has a voting system which will help to prevent duplication of questions, and users of the site can add their vote to important issues raised. OCR can use this system to concentrate on the most important questions and issues that affect the highest number of individuals/organizations.

Not all questions will be answered – the OCR is short of staff and resources – but efforts will be made to answer as many as possible, and links will be posted which users can click to be directed to help resources that are already available.

Users should not be put off by the need to register on the website. This is important for a number of reasons, mostly to cut down on spam comments and the like. However, Senior OCR Adviser, Linda Sanches, did point out that any comments received, even those that hint at HIPAA violations, will not be used for enforcement purposes. The aim is to gather information, not to penalize individuals and covered entities.

Answers to the common mobile app developers’ HIPAA questions can be found here.


Richard Anderson is the Editor-in-Chief of NetSec.news