Feds to clarify HIPAA for mobile health developers

The U.S. Department of Health and Human Services' Office for Civil Rights is working with ACT - The App Association to provide clearer and more accessible regulatory guidance relating to the Health Insurance Portability and Accountability Act rules and address issues and concerns mHealth app developers are facing regarding federal oversight.

In a letter written to Rep. Peter DeFazio (D-Ore.) in November but made public last week, HHS Secretary Sylvia Mathews Burwell maps out three actions OCR is taking in response to a request by DeFazio and Rep. Tom Marino (R-Pa.) for clearer app guidance and online resources for complying with HIPAA regulations. DeFazio and Marino wrote to HHS on behalf of ACT last September, asking for help in getting substantial changes on outdated and confusing rules. The group believes old rules and poor guidance are big obstacles to mHealth app innovation.

OCR, which administers and enforces HIPAA rules, is working with the Office of the National Coordinator for Health IT to develop tools to educate stakeholders on safe and secure use of health information. The agency is also exploring several real time solutions to collect feedback from app makers on needed guidance materials, according to Burwell's letter.

Such outreach efforts, Burwell says, are "critical." OCR also is exploring a series of "listening sessions" where stakeholders can raise questions and concerns on privacy and security issues. Sessions are being planned for the first quarter of 2015, ACT Executive Director Morgan Reed tells FierceMobileHealthcare.

"We are encouraged by Secretary Burwell's response," Reed says. "Her letter to Congressmen Marino and DeFazio included a commitment to make the regulatory environment better for mobile health companies. We are pleased that Secretary Burwell pledged to work with The App Association to address these problems.

Reed, notes that his group is not asking for legislation or a rewrite of HIPAA. "Rather, we want explanations for how HIPAA applies in the mobile context. That's what we want OCR to provide in the near future," Reed says, adding ACT has met several times with OCR on the issues outlined in the group's initial letter.

"We believe OCR is keeping many views in mind as it updates compliance examples for mobile health companies," Reed says. "But as OCR approaches these updates, it's critical that the solutions balance the needs of innovators, and the ability for patients to access their health information."

For more information:
- read the letter (.pdf)

Read more on