The HHS Office for Civil Rights (OCR) has launched an online portal designed to solicit questions from mHealth developers regarding compliance with Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements. The portal is designed to demystify HIPAA for app developers while providing guidance to regulators about which aspects of HIPAA may require clarification.
OCR emphasized that the site will not be used to inform or identify potential enforcement actions. Instead, OCR hopes that the site will be a cooperative platform, allowing app developers to guide OCR’s selection and focus of future guidance topics. OCR senior adviser Linda Sanches has stressed that app developers should be candid and forthcoming with their questions, which will be anonymous to OCR and moderated for appropriateness.
In addition to highlighting potentially ambiguous HIPAA provisions, OCR recommends that developers use the site as a platform for sharing difficult use cases and best practices for designing strong privacy and security protections into mobile apps. The questions submitted to date demonstrate a desire for clear guidance on topics ranging from the determination of whether an organization is a covered entity to the applicability of HIPAA to cloud storage.
Users may comment on any question on the site as well as vote on its relevance. Although OCR does not intend to provide targeted responses to individual questions, the agency has pledged to use submissions to inform future guidance releases and to provide links to existing resources where possible.
Both OCR and the FTC are likely to devote significant attention in coming years to the privacy and security risks presented by mobile health apps. Further details are expected at the upcoming mHealth Summit, which will take place November 8-11 in Washington, D.C. Internationally, European regulators are also evaluating concerns regarding the collection, processing, and use of customer data by mHealth apps.