Charging that the federal regulatory environment has not kept pace with the exploding mobile health sector, Reps. Tom Marino (R-Penn.) and Peter DeFazio (D-Ore.) have sent a letter to Health and Human Services Secretary Sylvia Mathews Burwell calling on HHS to clarify and update HIPAA guidance given new mHealth technologies.

The congressmen point out in their Sept. 18 letter that regulatory documentation on the HHS website outlining technical compliance with HIPAA “has not been updated since 2006, years before an app store existed, much less the modern mobile device.” The problem, they say, is that mHealth app vendors “want to fully comply with HIPAA regulations, but have difficulty confirming that they have done so because current regulatory guidance does not cover technologies that they are using.”

Earlier this week, the App Association—which represents more than 5,000 app companies and IT firms—sent a letter to Marino, who has been active on issues involving the mobile app industry, urging Congress to adopt a more sensible implementation of health privacy laws. The letter, co-authored by five vendors—AirStrip, AngelMD, Aptible, CareSync, and Ideomed—called on HHS to “take a fresh look” at the implementation of HIPAA to “ensure that it better fits today’s mobile world,” while highlighting several areas where federal agencies can adopt practices to eliminate uncertainty and simplify compliance with privacy regulations.

Adopting a similar tone, Marino/DeFazio’s letter to HHS just days later states: “In order to ensure that innovative health companies do not inadvertently run afoul of the law, regulatory guidance should be routinely updated to reflect modern technologies being used in the health field.”

Toward that end, the lawmakers make several recommendations to HHS to ensure that mobile app developers can easily determine if they are compliant with HIPAA, including:

* Implementation Standards: The Office for Civil Rights (OCR) housed at HHS should clearly identify implementation standards that can help companies conform to regulation and avoid enforcement action.

* Cloud Clarity: A growing number of mobile health companies store encrypted health data in remote storage centers. These storage providers do not have an encryption key and cannot access the data. Yet, questions remain about their HIPAA obligations for information they technologically cannot access. HHS should provide clarity about the HIPAA obligations for companies and services that store data on the cloud.

* Compliance Assistance: HHS should also strive to make it as easy and clear as possible for companies and individuals operating in good faith to comply with its regulations. We would like HHS to assign employees with technological expertise to regularly engage with companies in the emergent healthcare technology space. These employees should be prepared to work with app developers and others to make sure that products incorporate HIPAA protections beginning at the early stages of product development. HHS should also consider, if feasible, providing a voluntary badge program for companies seeking to prove compliance with HHS rules and regulations. This would allow American healthcare companies to be more competitive in foreign and domestic markets and would provide an economic incentive to follow important safeguards for the benefit of patients.

“We are committed to providing a safe and secure environment for our consumers with strong privacy protections. Unfortunately, we are working in a regulatory environment that has not kept pace with the rapid growth of technology,” said App Association Executive Director Morgan Reed in a written statement in response to the congressional letter to HHS. “The app industry has long looked to Congressmen Marino and DeFazio for their leadership on tech issues. We are grateful for their support to create a better regulatory environment that encourages innovation in this life-changing marketplace. HHS needs to know that they have champions both in Congress and industry that want to see HIPAA improved.”
