On September 18, Congressmen Tom Marino (R-PA) and Peter DeFazio (D-OR) sent a letter to the Secretary of the Department of Health and Human Services (HHS) asking HHS to clarify and update its guidance for mobile app companies under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, HIPAA). The September 18 letter was sent shortly after the Congressmen received a letter from The App Association urging Congress to adopt a more sensible implementation of health privacy laws, one that better fits today’s mobile world.

The September 18 letter to HHS pointed out that the federal regulatory environment has failed to keep up with the pace of the mobile health sector. For example, the letter highlighted the fact that HHS guidance on its website with respect to technical compliance with HIPAA has not been updated since 2006, which is after the first iPhone was made publicly available. The Congressmen noted that many app developers are small technology companies that lack the financial resources to hire legal teams to interpret the regulatory guidance, determine whether it applies to them and, if it does, ensure their products comply with HIPAA. Thus, the Congressmen recommended several steps HHS should take to facilitate the innovation taking place in the health care space, including:
- Provide updated technical guidance for technology companies, including mobile app companies, for compliance with HIPAA. Specifically, the updated guidance should address new types of information storage (e.g., cloud storage).
- Publish routine updates to regulatory guidance to keep pace with advances in technology.
- Identify implementation standards to help companies conform to the regulations in advance rather than as a result of an audit to avoid enforcement actions.
- Provide clarity on the applicability of HIPAA to storage providers who store encrypted health information in “clouds,” but do not have any access or the ability to access such data (i.e., do not have an encryption key).
- Provide compliance assistance for companies and individuals operating in good faith in compliance with HIPAA. Specifically, the Congressmen recommend that HHS assign employees with technological expertise to regularly engage companies in the healthcare technology space to work with the app developers and others to make sure that the newly developed products incorporate HIPAA protections. The letter suggests that, if possible, HHS should provide a “voluntary badge program” for such companies to show compliance with HHS rules and regulations.