Feds Clarify Mobile Health App Privacy, Security Reg Issues
FTC, HHS Issue Updated Guidance for App, Health IT Developers

U.S. federal regulators beefed up online guidance for developers creating apps that process health data by emphasizing that a multitude of potential regulations could apply to their handiwork.
A refreshed interactive tool from the Federal Trade Commission developed with input from the Department of Health and Human Services walks developers through a series of 15 questions probing the nature of the information to be processed by the app and its intended audience.
The potential for a regulatory nexus between software developers coding for the healthcare and wellness markets and the federal government has steadily increased with developments including the FTC's expanded interpretation of its health breach notification rule.
The FTC says the updated interactive tool applies to apps that process traditionally defined healthcare data covered by HIPAA and also to a wider expanse of apps that track data such as fitness, diet, mood, sleep, menstruation or fertility, smoking or alcohol consumption, or medications.
In a blog post issued Monday about the guidance, HHS' Office of the National Coordinator for Health Information Technology reminds developers that if they choose to have a health IT product, such as an app, certified through its Health IT Certification Program, the app also needs to meet specific criteria for privacy and security technical capabilities.
For most commercial mobile app providers, ONC's prohibition on information blocking stemming from the 21st Century Cures Act of 2016 is unlikely to apply, unless they are also certified vendors of health IT.
"The recent proliferation of health information in mobile applications of all types likely encouraged HHS and the FTC to push forward to publication of the guidance and to include recent developments such as HHS information blocking requirements," says privacy attorney Iliana Peters of the law firm Polsinelli.
Regulatory attorney Helen Oscislawski of the law firm Attorneys at Oscislawski says the updated guidance appears to coincide with ONC's Dec. 31 deadline for certified health IT developers to adhere to new requirements pertaining to API technology.
Among other things, the new requirements will allow patients to use mobile health apps of their choice to connect to their provider's EHR, Oscislawski says.
"Understandably, this has triggered concerns over privacy and security, and both individual and institutional providers are seeking guidance as we move toward a new era of how patient data can be accessed without the same 'hands-on' controls that the healthcare sector has been accustomed to historically."