Oct 142015

OCR Launches HIPAA Portal for Mobile Health Developers

Meenakshi Datta, Anna Spencer and Rina Mady
,

On Monday, October 5, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released an online platform for mobile health developers and others interested in the intersection of information technology and health information privacy and security. Interested parties can submit questions and comments on issues related to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The growth of digitized health information and advances in technology have resulted in a boom in downloadable healthcare applications (apps). Many fitness and health apps are offered solely to consumers, in which case they are not subject to HIPAA. However, where these apps are offered for use by healthcare providers and health plans, HIPAA may potentially apply.

HIPAA compliance by mobile health app developers has been an area of concern because much of the guidance under HIPAA predates the developers’ technology. Accordingly, Representatives Tom Marino (R-Pa.) and Peter DeFazio (D-Ore.) urged HHS Secretary Sylvia Burwell and OCR to provide clear and meaningful guidance to app makers about how HIPAA should be implemented in a mobile environment.

Specifically, in a September 2014 letter to HHS, Reps. Marino and DeFazio emphasized the exponential growth of mobile health technology, as underscored by the fact that “[m]obile apps have grown into a $68 billion industry in just six years,” and that the federal regulatory environment has not, in some cases, kept pace with this progress. For example, OCR’s documentation addressing technical compliance with HIPAA has not been updated since 2006, before the App Store and the modern mobile device existed.2 As such, the current regulatory guidance does not reflect modern technologies.

OCR’s new online platform attempts to address these concerns by providing an opportunity for users and stakeholders to submit questions regarding HIPAA compliance, offer comments on other submissions, present a use case and vote on the relevancy of posted topics. While anyone may browse the site, users who want to submit questions or offer comments will need to register using an email address. However, according to OCR, user identities and addresses will be anonymous to OCR, so those posting or commenting on a question will not need to fear subsequent enforcement action.

OCR will moderate the submissions for appropriateness and provide links to relevant guidance when it can. However, it will not vouch for the accuracy of user submissions or respond individually to questions. OCR’s intent is to use the information submitted by users and stakeholders to better understand what guidance and revisions are necessary to make the regulations under HIPAA more understandable and accessible to the mobile health technology sector.

The newly created platform is an innovative way for OCR to solicit concerns from mobile application developers for the purpose of informing future guidance. Assuming the response is robust, information collected through the platform should permit OCR to issue the type of targeted guidance developers are seeking. One would expect that even the questions and posts may be valuable to such developers, as the platform will provide visibility into the types of HIPAA issues that are problematic for their peers.

Meenakshi Datta

Chicago

mdatta@sidley.com

Anna Spencer

aspencer@sidley.com

Rina Mady

Chicago

rmady@sidley.com

You might also like
Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

FemTech Has Been Warned: UK’s ICO Indicates Closer Scrutinization of FemTech Apps

On 4 April 2023, John Edwards, the UK’s Information Commissioner, stated that the UK’s Information Commissioner’s Office (ICO) would be “going after providers of women’s health apps and auditing them, and getting them to change any practices that are non-compliant.” Speaking at the IAPP Global Privacy Summit in Washington DC, the Information Commissioner indicated that this proposed strategy forms part of the ICO’s new “agile” initiative, which will focus on “areas of vulnerability, targeting…intervention [where] that has the greatest impact”.

New U.S. FDA Draft Guidance Outlines Path To Faster Modification of AI/ML-Enabled Devices

The U.S. Food and Drug Administration (FDA or Agency) has issued new draft guidance on “Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions”1 that discusses a “science-based approach to ensuring that AI/ML-enabled devices can be safely, effectively, and rapidly modified, updated, and improved in response to new data.”2 This approach should offer more certainty to industry as FDA’s stated goal is to allow AI/ML-enabled devices to be modified faster in accordance with FDA requirements while being “built to adapt to the data and needs of individual health care facilities” and “adapt to deliver treatments according to individual users’ particular characteristics and needs.”3 Those wishing to comment on the draft guidance should note that the comment period closes on July 3, 2023.