HIPAA Clarity for the Mobile Health Industry

On September 18, Congressmen Tom Marino (R-PA) and Peter DeFazio (D-OR) sent a letter to the Secretary of the Department of Health and Human Services (HHS) asking HHS to clarify and update its guidance for mobile app companies under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, HIPAA). The September 18 letter was sent shortly after the Congressmen received a letter from The App Association urging Congress to adopt a more sensible implementation of health privacy laws, one that better fits today’s mobile world.

The September 18 letter to HHS pointed out that the federal regulatory environment has failed to keep up with the pace of the mobile health sector. For example, the letter highlighted the fact that HHS guidance on its website with respect to technical compliance with HIPAA has not been updated since 2006, which is after the first iPhone was made publicly available. The Congressmen noted that many app developers are small technology companies that do not have the financial resources to hire legal teams to interpret the regulatory guidance, determine whether it applies to them and, if it does, ensure their products comply with HIPAA. Thus, the Congressmen recommended several steps HHS should take to facilitate the innovation taking place in the health care space, including:

  • Provide updated technical guidance for technology companies, including mobile app companies, for compliance with HIPAA. Specifically, the updated guidance should address new types of information storage (e.g., cloud storage).
  • Publish routine updates to regulatory guidance to keep pace with advances in technology.
  • Identify implementation standards to help companies conform to the regulations in advance rather than as a result of an audit to avoid enforcement actions.
  • Provide clarity on the applicability of HIPAA to storage providers who store encrypted health information in “clouds,” but do not have any access or the ability to access such data (i.e., do not have an encryption key).
  • Provide compliance assistance for companies and individuals operating in good faith in compliance with HIPAA. Specifically, the Congressmen recommend that HHS assign employees with technological expertise to regularly engage companies in the healthcare technology space to work with the app developers and others to make sure that the newly developed products incorporate HIPAA protections. The letter suggests that, if possible, HHS should provide a “voluntary badge program” for such companies to show compliance with HHS rules and regulations.

The letters highlight not only the rapid growth of the health technology industry, but also the need for regulations to keep up with this rapid pace.

Access The App Association’s Sept. 15, 2014 letter.

Access the Sept. 18, 2014 letter to HHS.

Copyright 2014, American Health Lawyers Association, Washington, DC. Reprint permission granted.
