OCR Launches HIPAA Portal for Mobile Health Developers

On Monday, October 5, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released an online platform for mobile health developers and others interested in the intersection of information technology and health information privacy and security. Interested parties can submit questions and comments on issues related to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The growth of digitized health information and advances in technology have resulted in a boom in downloadable healthcare applications (apps). Many fitness and health apps are offered solely to consumers, in which case they are not subject to HIPAA. However, where these apps are offered for use by healthcare providers and health plans, HIPAA may apply.

HIPAA compliance by mobile health app developers has been an area of concern because much of the guidance under HIPAA predates the developers’ technology. Accordingly, Representatives Tom Marino (R-Pa.) and Peter DeFazio (D-Ore.) urged HHS Secretary Sylvia Burwell and OCR to provide clear and meaningful guidance to app makers about how HIPAA should be implemented in a mobile environment.

Specifically, in a September 2014 letter to HHS, Reps. Marino and DeFazio emphasized the exponential growth of mobile health technology, as underscored by the fact that “[m]obile apps have grown into a $68 billion industry in just six years,” and that the federal regulatory environment has not, in some cases, kept pace with this progress. For example, OCR’s documentation addressing technical compliance with HIPAA has not been updated since 2006, before the App Store and the modern mobile device existed. As such, the current regulatory guidance does not reflect modern technologies.

OCR’s new online platform attempts to address these concerns by providing an opportunity for users and stakeholders to submit questions regarding HIPAA compliance, offer comments on other submissions, present a use case and vote on the relevancy of posted topics. While anyone may browse the site, users who want to submit questions or offer comments will need to register using an email address. However, according to OCR, user identities and addresses will be anonymous to OCR, so those posting or commenting on a question will not need to fear subsequent enforcement action.

OCR will moderate the submissions for appropriateness and provide links to relevant guidance when it can. However, it will not vouch for the accuracy of user submissions or respond individually to questions. OCR’s intent is to use the information submitted by users and stakeholders to better understand what guidance and revisions are necessary to make the regulations under HIPAA more understandable and accessible to the mobile health technology sector.

The newly created platform is an innovative way for OCR to solicit concerns from mobile application developers for the purpose of informing future guidance. Assuming the response is robust, information collected through the platform should permit OCR to issue the type of targeted guidance developers are seeking. One would expect that even the questions and posts may be valuable to such developers, as the platform will provide visibility into the types of HIPAA issues that are problematic for their peers.