New HIPAA Guidance for Mobile Apps in the Works … Maybe
Is new HIPAA guidance being developed specifically for mobile apps that handle patient data? Well … maybe.
In recent months, we’ve seen the U.S. Food and Drug Administration distance itself from the regulation of health and wellness apps for basic consumer needs and delineate its focus on medical devices.
As common mobile functionality has leapfrogged what was science fiction only a few years ago, government regulators have struggled to keep up. Many have had to address questions, requests and concerns about how they’ll help manage this new frontier.
Of course, government involvement isn’t always the answer. A simple food-tracking app shouldn’t be regulated by the FDA for the same reasons a food log written in a paper notebook shouldn’t be. Many other areas are greyer and can be confusing, though.
Take, for instance, the issue of patient data. Most healthcare consumers are familiar with the acronym HIPAA — the Health Insurance Portability and Accountability Act — which we often confront when asked to sign privacy releases at the doctor’s office.
Earlier this year, the U.S. Department of Health and Human Services and House representatives Tom Marino (R-Pa.) and Peter DeFazio (D-Ore.) had a public conversation about how HIPAA privacy laws affected health apps. The congressmen sent HHS a letter asking that the department improve its guidance to help developers ensure apps with patient data follow HIPAA guidelines.
Given Intouch Solutions’ experience and interest in the development of patient apps, we contacted the representatives to learn more. Arlen Weiner of Rep. DeFazio’s office explained that their constituencies include app developers who are concerned about properly handling sensitive patient information. They didn’t feel they had the necessary guidance and believed that HIPAA guidelines hadn’t kept pace with technology. And so, the congressmen, on behalf of these groups, asked what HHS was doing to modernize guidance and offered suggestions on some of the points requiring clarity.
HHS agreed, acknowledging that the guidelines needed detail, clarity and updating, and committed to providing them. HHS Secretary Sylvia Mathews Burwell said, “The Department should strive to provide the best compliance guidance possible to the industry.” You can read Secretary Burwell’s full response here: http://actonline.org/wp-content/uploads/2015/01/HHS-Response-Letter-to-Defazio.pdf
HHS’s Office for Civil Rights, which enforces HIPAA, will be working with ACT | The App Association to develop the new guidance.
DeFazio’s office reported that there had not yet been a great deal of progress, but that they intend to continue to follow up with HHS. And if the office is unable to do anything administratively, the congressmen may investigate to see what can be done legislatively. (ACT and Rep. Marino’s office did not respond to our inquiries.)
At Intouch, we get questions from clients about HIPAA often. In many cases, it’s an issue of due diligence, and HIPAA compliance may or may not actually be necessary given the functionality and data flow of the project. Intouch deploys industry-standard best practices when transmitting secure data, and we have worked hard to hone our own best-in-class SOPs for ensuring data privacy and security. Certainly, we understand the lines can become grey when data is transmitted to or from healthcare providers, insurance companies or other covered entities, and we welcome additional clarity on HIPAA requirements as they apply to mobile apps in our modern era.
Learn more about the Congressmen’s request to HHS here: