Congress Seeks Clarification of HIPAA Rules for mHealth Apps

According to a letter from members of Congress, HHS has not done enough to clarify HIPAA rules with regard to mHealth app development.

The Department of Health and Human Services (HHS) is not making a distinct enough effort to clarify HIPAA security regulations for mHealth app use and development, according to a letter from members of Congress.

In November 2014, HHS committed to release clearer HIPAA guidelines with regard to mHealth apps. A bipartisan coalition led by Congressman Tom Marino and Congressman Peter DeFazio said that the department has yet to follow through on that commitment.

“The sluggish pace of work since has been very disappointing,” the signatories wrote. “At this stage, a detailed plan with concrete deadlines is required.”

Specifically, HHS’s 2014 commitment included:

  • Provide up to date and clear information about what is expected of technology companies for compliance with HIPAA Rules, and identify the implementation standards that can help technology companies conform to the regulations.
  • Provide more clarity on HIPAA obligations for companies and services that store data in the cloud.
  • Engage regularly with technology companies to provide compliance assistance.

The lawmakers explained that HHS had clearly failed to accomplish the first two of the three commitments, and that they were unaware of any attempts to adhere to the third.

Marino, DeFazio, and the rest of the signatories explained that adhering to those commitments and creating explicit regulations for mHealth app use and development is vital in helping the healthcare industry move forward alongside technology.

mHealth apps hold potential to enhance healthcare, but with ambiguous security regulations most providers do not feel comfortable incorporating them into practice. Furthermore, the slow pace of regulation reportedly shows that HHS cannot keep up with the fast pace of technological innovation.

“We have serious concerns about the consequences of HHS inaction,” the lawmakers wrote in the letter. “Advances in mobile health technology have the potential to dramatically improve patient outcomes and the accessibility of health care. This innovation is coming at a rapid pace, but your agency has done little to demonstrate it can manage the significance.”

“We have already seen incredible results from early investment in connected health innovation, and the slow pace of government should not stand in the way of patient access to the benefits of this life-changing technology,” they noted.

Last month, HHS, in partnership with the Office of Civil Rights, did release one document touching upon how HIPAA applies to mHealth apps. In the document, the agency explained the instances in which developers are and are not bound to HIPAA compliance.

Generally speaking, developers are HIPAA covered entities when they are working as a business associate for a healthcare organization, an insurer, or a clearinghouse.

“So, most vendors or contractors (including subcontractors) that provide services to or perform functions for covered entities that involve access to PHI are business associates,” OCR said. “For example, a company that is given access to PHI by a covered entity to provide and manage a personal health record or patient portal offered by the covered entity to its patients or enrollees is a business associate.”

However, Congress explained that this single publication was not enough to meet its needs and the needs of the healthcare community. Specifically, the document only applied to certain mHealth developers, and “in some areas, this effort has led to more questions than answers.”

Going forward, the signatories ask HHS to attend a meeting of industry stakeholders including Congress, HHS representatives, and others to develop the called-for regulations and to create a system and set of expectations that work best for all parties.