The growth of digitized health information and advances in technology have resulted in a boom in downloadable healthcare applications (apps). Many fitness and health apps are offered solely to consumers, in which case they are not subject to HIPAA. However, where these apps are offered for use by healthcare providers and health plans, HIPAA may potentially apply.
HIPAA compliance by mobile health app developers has been an area of concern because much of the guidance under HIPAA predates the developers’ technology. Accordingly, Representatives Tom Marino (R-Pa.) and Peter DeFazio (D-Ore.) urged HHS Secretary Sylvia Burwell and OCR to provide clear and meaningful guidance to app makers about how HIPAA should be implemented in a mobile environment.
Specifically, in a September 2014 letter to HHS, Reps. Marino and DeFazio emphasized the exponential growth of mobile health technology, as underscored by the fact that “[m]obile apps have grown into a $68 billion industry in just six years,”[1] and that the federal regulatory environment has not, in some cases, kept pace with this progress. For example, OCR’s documentation addressing technical compliance with HIPAA has not been updated since 2006, before the App Store and the modern mobile device existed.[2] As such, the current regulatory guidance does not reflect modern technologies.
OCR’s new online platform attempts to address these concerns by providing an opportunity for users and stakeholders to submit questions regarding HIPAA compliance, offer comments on other submissions, present a use case and vote on the relevancy of posted topics. While anyone may browse the site, users who want to submit questions or offer comments will need to register using an email address. However, according to OCR, user identities and addresses will be anonymous to OCR, so those posting or commenting on a question will not need to fear subsequent enforcement action.
OCR will moderate the submissions for appropriateness and provide links to relevant guidance when it can. However, it will not vouch for the accuracy of user submissions or respond individually to questions. OCR’s intent is to use the information submitted by users and stakeholders to better understand what guidance and revisions are necessary to make the regulations under HIPAA more understandable and accessible to the mobile health technology sector.
The newly created platform is an innovative way for OCR to solicit concerns from mobile application developers for the purpose of informing future guidance. Assuming the response is robust, information collected through the platform should permit OCR to issue the type of targeted guidance developers are seeking. One would expect that even the questions and posts may be valuable to such developers, as the platform will provide visibility into the types of HIPAA issues that are problematic for their peers.
[1] Letter from Reps. Marino and DeFazio to HHS Secretary Burwell (Sept. 18, 2014), available here.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
Anna L. Spencer
Privacy, Data Security & Information Law Practice