Mobile health poses regulatory challenges for data sharing

Much has changed in the healthcare industry since HIPAA was enacted in 1996, most notably the proliferation of now-ubiquitous mobile devices and smartphones.

However, this wave of technology adoption has created regulatory challenges for HIPAA, according to Jocelyn Samuels, director of the Department of Health and Human Services’ Office for Civil Rights.

“One of the limitations that we face is that HIPAA was passed in an era when I don’t think I even had an email account, much less confronted the profusion of technologies that are available for data sharing today,” said Samuels at last week’s ONC Annual Meeting in Washington, DC. “There is a significant amount of confusion about how it applies to new technologies.”

Jocelyn Samuels

To help clarify where mobile technology fits into the regulatory landscape, she said OCR in November 2015 launched a new mHealth Developer Portal that serves as a platform to enable app developers and others to gain a better understanding of how HIPAA regulations apply to the design and development of mobile healthcare technologies.

The portal is “intended to enable us to have a more interactive dialogue, particularly with app developers so that they can understand how HIPAA applies in this new world of Fitbits” and other wearable devices and sensors “that are consumer-oriented and may not intersect with the healthcare world in traditional ways,” according to Samuels.

At the same time, she acknowledged that “there are circumstances in which HIPAA just does not apply because the kinds of technologies that have developed over the course of the last two decades didn’t exist when HIPAA was passed.”

HIPAA doesn’t cover all health data, Samuels said, such as app developers who do not create, receive, maintain or transmit protected health information on behalf of a covered entity or business associate. OCR’s authority to regulate is limited to when data are collected, used and disclosed by covered entities and business associates. The problem is that much of the mobile health vendor community operates outside of those legal parameters.

Nonetheless, apps continue to collect personal and health information through consumer-facing products to which HIPAA protections do not apply. As a result, Samuels said consumers need to be aware of the privacy and security protections that these technologies offer.

“We need culture change to ensure that there is a willingness to share data when it’s appropriate and to protect data under the terms set by law or under the frameworks that are created where HIPAA doesn’t apply,” she said. “That’s something that will ultimately ensure that privacy and security protections are not simply a matter of legal requirement but of the way of doing business throughout the healthcare industry.”

The OCR chief made the case that HIPAA is both a tool to promote data sharing as well as to protect against improper disclosures of information. However, Samuels claims that there is a widespread misconception in healthcare that HIPAA is a “shield” to be used to bar the sharing of health data in circumstances in which it’s not only appropriate and permissible, but is critical to patient care.

“While strong privacy and security protections are a core component of building patient trust, it is also the case that HIPAA allows data sharing in numerous circumstances where it’s necessary for treatment, for payment, or for healthcare operations,” she said.

For reprint and licensing requests for this article, click here.