HIPAA Alert: Mobile Apps & Wearable Devices


Mobile Health Application and Wearable Device Developers Lobbying Congress Concerning HIPAA Rules and Medical Device Regulation 

Over the past month, there has been a significant increase in activity in Washington, D.C. as developers and vendors of health-related mobile applications and wearable technology lobby Congress for favorable treatment under medical device and health information privacy and security standards. For example, technology giants like Apple, Google and Intel are trying to stay one step ahead of federal regulators. As the market for devices like Fitbit, Google Glass and Apple HealthKit grows, the companies that make them are coming under increased scrutiny over privacy and security issues because of the type of data these devices collect. Personal data, ranging from heartbeats to insulin deficiencies, is stored on the devices and, in some cases, on cloud computing platforms. Under HIPAA, these personal health devices are not likely to be covered because the data is created by the individual, but some regulators and lawmakers believe that some of them should be regulated as medical devices or made subject to the HIPAA Privacy Rule.

On September 18th, Congressmen Tom Marino (R-PA) and Peter DeFazio (D-OR) sent a letter to Secretary Sylvia Mathews Burwell of the U.S. Department of Health and Human Services (HHS), asking that HHS clarify how HIPAA applies to mobile app developers and vendors. The letter was sent shortly after the Congressmen received a letter from The App Association asking for a “more-sensible implementation of health privacy laws to ensure that the implementation better fits today’s mobile world.” The App Association is an industry trade association comprised of developers and vendors of software applications designed for use on mobile platforms (e.g. Android, Apple iOS) for a variety of health and non-health purposes.

The September 18th letter to HHS pointed out that the department has not issued the guidance or developed the regulations sought by the mobile health sector. For example, the letter noted that the HHS website guidance on technical compliance with the HIPAA Security Rule has not been updated since smartphones became popular; the last update was in 2006, shortly after the rule went into effect. In the letter, the Congressmen echoed the sentiments of The App Association and noted that most companies developing mobile apps are rather small technology companies. Most do not have the budget to hire legal teams to decipher regulatory guidance and determine what applies to them. If HIPAA does apply, most also lack the resources to ensure that their products comply with HIPAA requirements. The Congressmen recommended several steps HHS can take to bring its guidance and regulations up to speed with the mobile world we live in.

Recommended Steps:

  • Update technical guidance for mobile app companies and other technology vendors such as wearable devices, and address the new types of information storage that these vendors use (e.g., cloud storage).
  • Make regular updates to guidance so that it stays relevant as technology advances and changes.
  • Develop implementation standards so vendors can proactively comply with regulations rather than complying after a random audit or enforcement action.
  • Clarify whether HIPAA applies to storage providers that do not have access to the encrypted data (e.g., the data is stored in the cloud but the provider does not hold the encryption key).
  • Provide assistance to vendors and individuals that are proactively working to comply with HIPAA. Specifically, the letter suggests that HHS assign technologically savvy employees to interact regularly with companies in the health IT industry, and that those employees work closely with vendors to ensure that new products comply with HIPAA regulations.
  • If possible, HHS should provide a “voluntary badge program” for companies that are in compliance.

CynergisTek will continue to monitor developments in this area. We will share updates on important policy and regulatory developments as they unfold. Click here to email us if you have questions, and click here to read the letter the Congressmen sent to HHS.

October 1st, 2014

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.