The mobile medical application marketplace has developed into a $68 billion industry; however, the U.S. Department of Health and Human Services (HHS) has not yet updated guidance regarding the Health Insurance Portability and Accountability Act’s (HIPAA) application to app developers that collect and use sensitive personal data. In response to a request by a group of mobile app developers asking for clarification, Tom Marino, R-Pa., and Peter DeFazio, D-Ore., wrote a letter to HHS Secretary Sylvia Mathews Burwell outlining four steps that regulators should take to clarify how HIPAA applies to mobile medical apps.
These four steps are:
1. Updates: HHS should provide up-to-date, clear information on what is expected of mobile health vendors with regard to HIPAA, including updates on new technologies (such as mobile medical apps) and new types of information storage (such as cloud services).
2. Implementation Standards: Clear implementation standards should be identified to avoid enforcement actions.
3. Cloud Clarity: HHS should provide clarity for companies and services that store data on the cloud.
4. Compliance Assistance: HHS should make compliance with its regulations easier. This should include assigning HHS employees with technical knowledge to work with emerging companies and considering a voluntary “badge program” for developers.
As the lawmakers explained, “[i]n order to ensure that innovative health companies do not inadvertently run afoul of the law, regulatory guidance should be routinely updated to reflect modern technologies being used in the health field.” Technical guidance for compliance with HIPAA has not been updated since 2006, years before mobile medical technologies existed. Mobile medical app developers want to comply with HIPAA but need clearer guidance in order to do so.