Portal Offers HIPAA Insights for App DevelopersExperts Say Advice for Mobile Application Developers Is Overdue
The Department of Health and Human Services' Office for Civil Rights will use the portal, in part, to gauge what kind of guidance it should release to help application developers that are confused about how HIPAA pertains to their products.
Some privacy and security experts say OCR's portal plans are an overdue step in the right direction. "Historically, there have been limited opportunities to obtain guidance from OCR on how HIPAA applies to certain situations," says attorney Adam Greene of the law firm David Wright Tremaine. "I hope that the OCR portal will provide a much needed influx of OCR guidance and clarification regarding how HIPAA applies to mobile health app developers, other cloud-based entities and other business associates."
OCR, which oversees HIPAA enforcement, is primarily promoting the site as a place where developers of mobile health apps can direct their HIPAA-related questions. But the agency will also welcome questions from other types of companies, including those providing cloud services, Linda Sanches, OCR senior adviser, said during an Oct. 5 during a media briefing about the portal. "We're looking at mostly health IT apps, but this is open to any question," she said.
While OCR likely will not be able to respond to each individual question, it will attempt to at least post links to guidance in response to questions, Sanches says.
Not for Enforcement Purposes
While those who want to submit questions or offer comments on the site will need to sign in using email addresses, their identities and addresses will be anonymous to OCR, Sanches says. "All information requests are anonymized. Therefore, there is no issue about [the information being used for OCR] enforcement," she says. "We're not going to track anyone down. At this point, we're very interested in seeing what kinds of information requests we get."
Questions asked via the portal could pertain to topics that fall under the authority of other government agencies, such as the Food and Drug Administration for mobile medical devices that provide diagnostic capabilities, or the Federal Trade Commission, which also has enforcement authority related to some mobile health apps that collect personal information, Sanches noted.
OCR will monitor inquires to the site before it posts questions and comments. "We will see how the questions evolve," she says. "We will watch to see if there is guidance we need to develop." An OCR spokeswoman characterized the site as "a pilot effort."
The new portal could prove helpful because OCR's other available resources are generally geared toward covered entities, rather than small business associates, such as app developers, says Greene, the attorney.
"Mobile health developers may not understand which HIPAA provisions are applicable to them and which are not," he says. "Also, mobile health developers may face confusion and competing views on questions of HIPAA compliance, such as whether a business associate agreement is required with an infrastructure-as-a-service cloud provider that will maintain encrypted protected health information but will not have access to the encryption key."
Innovative technologies often are developed by small companies that do not have the resources to employ subject matter experts or hire outside consultants, notes privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
While the portal can potentially help these companies, "the challenge is that in the federal budget environment, OCR and the HHS overall is extremely starved of the technology and people it needs to provide resources that are being demanded by consumers and the healthcare industry it serves," he says. "My concern is that there will be many, many questions submitted by mobile health developers, but not enough people at OCR available to meet the needs they present."
A Call for More Action
Independent HIPAA attorney Susan Miller hopes the portal "not only allows the developers to ask questions, but that the answers are quickly available from OCR." She'd like to see OCR use these questions and answers to create FAQ documents. "I would like to see OCR develop some case studies to outline the type of HIPAA privacy and security they think incumbent on the vendors in the specific situation," she adds.
Mobile health app developers are often confused about whether their products need to comply with HIPAA regulations, she notes.
"If the mobile tool reads or stores health data or transmits it wirelessly to an employer wellness program, a healthcare provider or hospital, there is the need to include these tools in the covered entity's HIPAA Security Rule risk analysis, as the mobile tool is connected to the entity's networks or the provider's network," she says. "Unfortunately, many of the vendors of such mobile tools also collect the health data and use it for a number of reasons." When that's the case, vendors must inform the entity that purchases the mobile health tools, or the patient who has a device, she adds.
Holtzman stresses that developers need to keep in mind that safeguarding patient data involves far more than HIPAA compliance.
"An insecure medical device or app that drives treatment decisions is both a threat to patient safety and a risk to any enterprise information system that it connects with," he says. Malware and other types of Internet-based threats are off the chart. We need mHealth developers to invest in developing safeguards that ensure their technologies combat these threats and have the capacity to block potential attackers from accessing the data created or transmitted by the device or application."