New HIPAA Guidance For Mobile Apps, Health Info Exchange
HHS Outlines Scenarios Where Regulations Kick In
Federal regulators have issued new guidance, including material that clarifies for healthcare entities and software developers the various scenarios in which HIPAA regulations might apply to mobile health applications, including situations where patients use smartphones to collect or transmit personal health data.
Some privacy and security experts say the new mobile application guidance material from the Department of Health and Human Services' Office for Civil Rights addresses a topic that is not only a current source of confusion for many covered entities and business associates, but also is likely to become increasingly complex as more consumers use smartphones and other devices to help manage chronic illnesses and other health issues.
"This guidance is important since some developers still aren't clear about whether they fall under HIPAA or not - that is, whether or not they are HIPAA-defined business associates," says Kate Borten, founder of privacy and security consulting firm The Marblehead Group.
"That leaves the door open to improper use and disclosure of confidential patient and [health] plan member information," she says. "Although all apps using personal information should include privacy and security protections, situations that are governed by HIPAA - as described in this guidance - must include specific protections dictated by the security and privacy rules, as well as by business associate contracts with covered entities."
The new installment of mobile guidance material is offered through an application developers portal OCR unveiled last fall to serve as a privacy and security resource for software vendors and others about how HIPAA regulations apply to new technologies, including mobile applications.
In addition to the new mobile guidance, HHS on Feb. 12 released a series of new "fact sheets" to help bolster understanding of various permitted disclosures and uses of patients' PHI under HIPAA.
"Although the regulations have been in effect for quite some time, healthcare providers frequently still question whether the sharing of health information, even for routine purposes like treatment or care coordination, is permissible under HIPAA," HHS says in a statement about why OCR and its sister HHS unit - the Office of the National Coordinator for Health IT - issued the new fact sheets. "Confusion about the rules has been cited by many as a potential obstacle to interoperability of digital health information."
Mobile Health App Guidance
OCR's newly released mobile guidance offers examples of common and sometimes complicated situations where patients use their smartphones or other mobile devices for healthcare-related purposes, and highlights whether the software developer is considered a business associate that must comply with HIPAA regulations for safeguarding the protected health information.
The answers could change depending upon different circumstances, such as whether the smartphone app allows the patients to transmit PHI to a healthcare provider for incorporation into an electronic health record or other system.
"The scenarios produced by OCR successfully translate the complex standards of the HIPAA rules to an audience that is hungry for information about how their technologies are impacted by these standards," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"There is a lot of confusion in the marketplace. The imagination and ingenuity of technology innovators are continuing to challenge our notions of what is a 'healthcare app' and what is a 'medical device,'" Holtzman says. "It is broader than the smartphone or the mobile pad, but includes the myriad of medical devices in the wearable, implantable, digestible categories as well as Internet of Things applications that handle the data from these technologies."
Also, it's not only external or third-party software vendors that are creating new mobile health applications that sometimes fall into the gray area of HIPAA compliance, he notes.
"There is this myth that the majority of healthcare apps for smartphones or wearables are coming from technology startups," Holtzman says. "Innovative technologies are developed or produced by healthcare organizations or physician practices to bring real-time medical monitoring and patient engagement to any patient with a smartphone. The new guidance with its accompanying scenarios will be helpful to those who are developing or employing healthcare apps that collect or transmit health information."
Other HIPAA Guidance
Meanwhile, the new HHS fact sheets, which outline various HIPAA-permitted uses and disclosures of PHI for healthcare treatment, payment or business operations, also spotlight some longstanding areas of confusion about HIPAA. That uncertainty can potentially become more problematic as the healthcare sector strives for interoperable, nationwide secure health information exchange, some privacy and security experts note.
"The [HIPAA] Privacy Rule provisions permitting these disclosures have been unchanged since the publication of the final rule in 2002," Holtzman notes. However, "what is helpful is OCR providing use cases to demonstrate how and when these disclosures can be made through health information exchange."
While the new guidance on permitted uses and disclosures covers regulations that have been on the books for many years, the material is directed at organizations that are still uncertain about how to comply.
"I think OCR sees that the industry is still not getting it, unfortunately," which puts PHI at potential risk for breaches, Borten notes. "So, these documents help clarify in plain English."
The newly released guidance on mobile health apps and permitted uses and disclosures of PHI comes on the heels of OCR earlier this month kicking off a new "cyber-awareness initiative" that offers advice on how healthcare providers and their business associates can avoid becoming victims of ransomware attacks and phony tech support scams (see OCR Cyber Awareness Effort: Will it Have an Impact?).
OCR officials have also stated they plan to issue in 2016 new HIPAA privacy and security guidance related to cloud computing.