HIPAA Alert: Mobile Apps & Wearable Devices

October 1, 2014 David Holtzman

Mobile Health Application and Wearable Device Developers Lobbying Congress Concerning HIPAA Rules and Medical Device Regulation 

Over the past month, there has been a significant increase in activity in Washington, D.C., as developers and vendors of health-related mobile applications and wearable technology lobby Congress for favorable treatment under medical device regulation and health information privacy and security standards. Technology giants such as Apple, Google and Intel are trying to stay one step ahead of federal regulators. As the market for products like Fitbit, Google Glass and Apple HealthKit grows, the companies that make them are coming under increased scrutiny over privacy and security because of the type of data these devices collect. Personal data, ranging from heart rate to insulin levels, is stored on the devices themselves and, in some cases, on cloud computing platforms. These personal health devices are not likely to be covered by HIPAA, because the data is created by the individual rather than by a covered entity or business associate, but some regulators and lawmakers believe that some of them should be regulated as medical devices or made subject to the HIPAA Privacy Rule.

On September 18th, Congressmen Tom Marino (R-PA) and Peter DeFazio (D-OR) sent a letter to Secretary Sylvia Mathews Burwell of the U.S. Department of Health and Human Services (HHS), asking that HHS clarify how HIPAA applies to mobile app developers and vendors. The letter was sent shortly after the Congressmen received a letter from The App Association asking for a "more-sensible implementation of health privacy laws to ensure that the implementation better fits today's mobile world." The App Association is an industry trade association of developers and vendors of software applications for mobile platforms (e.g., Android, Apple iOS), covering both health and non-health purposes.

The September 18th letter to HHS pointed out that the department has not issued the guidance or developed the regulations sought by the mobile health sector. For example, the letter noted that the HHS website guidance on technical compliance with the HIPAA Security Rule has not been updated since smartphones became popular; it was last updated in 2006, shortly after the Security Rule took effect. The Congressmen echoed the sentiments of The App Association and noted that most companies developing mobile apps are small technology companies. Most do not have the budget to hire legal teams to decipher regulatory guidance and determine what applies to them, and if HIPAA does apply, most also lack the resources to ensure that their products comply with its requirements. The Congressmen recommended several steps HHS can take to bring its guidance and regulations up to speed with the mobile world we live in.

Recommended Steps:

  • Update technical guidance for mobile app companies and other technology vendors, such as makers of wearable devices, and address the new types of information storage these vendors use (e.g., cloud storage).
  • Update guidance regularly so that it stays relevant as technology advances and changes.
  • Develop implementation standards so vendors can comply with regulations proactively rather than only after a random audit or enforcement action.
  • Clarify whether HIPAA applies to storage providers that cannot access the encrypted data they hold (e.g., the data is stored in the cloud but the provider does not hold the decryption key).
  • Provide assistance to vendors and individuals that are proactively working to comply with HIPAA. Specifically, the letter suggests that HHS assign technologically savvy employees to interact regularly with companies in the health IT industry and work closely with vendors to ensure that new products comply with HIPAA regulations.
  • If possible, HHS should offer a "voluntary badge program" for companies that are in compliance.

CynergisTek will continue to monitor developments in this area and will share updates on important policy and regulatory developments as they unfold. Email us if you have questions, or read the letter the Congressmen sent to HHS.
