OCR to Clarify Mobile Health HIPAA Rules

The Department of Health and Human Services has accepted that mobile health HIPAA rules need to be clarified and has confirmed that the OCR understands there are issues that need to be addressed and is taking action.

OCR is Aware Mobile Health HIPAA Rules Need Clarification

HIPAA Privacy and Security Rules place restrictions on the use of technology in healthcare. If devices or systems record, access or are capable of touching Protected Health Information, they must include the appropriate safeguards to ensure that information cannot be inappropriately accessed.

HIPAA regulations pose many challenges for the mobile health industry. Users want health monitoring apps and devices, yet legislation prevents these companies from providing them to the healthcare industry without stringent safeguards being incorporated.

Mobile health developers need to have their products certified as HIPAA-compliant in order for them to be adopted, regardless of the benefits they offer patients. Many developers are struggling with HIPAA compliance. Mobile health HIPAA Rules need to be explained, and quickly. The lack of understanding is holding back development.

One of the main issues is not the development of HIPAA-compliant products, but determining what HIPAA actually demands. The technical compliance guidelines were written 8 years ago and have not been updated since. Last year, Representatives DeFazio and Tom Marino (R-PA) wrote a letter to the HHS to advise it of the problems being faced by the mobile app industry.

The letter pointed out that the industry has developed substantially since the guidelines were first written and in the last 6 years, dramatically so. The mobile app market is now estimated to be a $68 million industry and given the outdated guidelines and problems currently faced by the industry, the representatives felt compelled to call for change.

HHS Secretary Sylvia Mathews Burwell responded to the letter in November last year, although it has taken until now for the details to be made public. In the letter she confirms that the OCR intends to work more closely with the mHealth industry to ensure mobile health HIPAA Rules are being followed.

Mobile Health HIPAA Rules Not Well Understood by Cloud Developers

The HHS understands that technology has advanced considerably since the guidelines were written, and as such there are naturally some issues which need to be addressed. Burwell agreed that app developers need more assistance with HIPAA Privacy and Security Rule compliance.

Burwell confirmed that the Office for Civil Rights is aware of some of the issues faced by the industry and has already met with the App Association in this regard to gather more information. The App Association is the voice of over 5,000 mobile app and information technology companies, and the OCR is keen to hear about the specific problems faced by the industry. This will allow it to “provide technical assistance and guidance in useful ways,” according to Burwell.

The representatives suggested some ways in which the industry could be assisted, but Burwell did not want to be drawn on specifics. Instead she said that she “recognizes the benefit of providing more guidance” and that “HIPAA compliance is a critical issue.”

Cloud developers and cloud storage companies are to be given more assistance with regard to producing compliant platforms for the healthcare industry and Burwell said that the OCR is “committed to working on real time solutions”. She believes that it is essential to win back the trust of patients and one of the best ways to do that is to ensure their data is treated as strictly private and confidential, with the appropriate safeguards put in place to prevent unauthorized access.

Burwell also said that it is “up to the industry to highlight the most important mHealth issues that need to be addressed so that the OCR can ensure they take precedence.”

Federal Trade Commission Issues IoT Report

A Federal Trade Commission report has just been released on the importance of data privacy and security for the Internet of Things. The report was prompted by the growing number of devices which can be used to track and monitor users’ health. Mobile devices for tracking glucose levels and other wearable health monitors have considerable potential to violate consumer privacy. The report calls for new standards to be introduced to reduce the risk of any data being recorded or transmitted and used inappropriately.

The FTC believes that in order for mobile health devices – and mobile technology – to reach their full potential, consumers must be certain that their privacy is assured and that any data stored are properly secured. Clarification of the mobile health HIPAA rules should help developers to incorporate the appropriate safeguards and technical controls to protect all data stored on their devices.

While attention is currently focused on stored PHI, healthcare providers and other HIPAA-covered entities must also make sure that data is protected in transit. When data is on the move, either physically via portable storage devices or when transmitted via email or text message, there is a high risk of exposure of that data. The technology currently exists to protect data in transit, with many systems having been developed specifically for the healthcare industry. Secure messaging solutions for hospital SMS messages and data encryption services for healthcare emails are two good examples of how data in transit can be properly safeguarded to ensure the risk of data theft is properly mitigated.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news