Mobile Health Application and Wearable Device Developers Lobbying Congress Concerning HIPAA Rules and Medical Device Regulation 

Over the past month, there has been a significant increase in activity in Washington, D.C., as developers and vendors of health-related mobile applications and wearable technology lobby Congress for favorable treatment concerning medical device and health information privacy and security standards. For example, technology giants like Apple, Google and Intel are trying to stay one step ahead of federal regulators. As the market for devices like Fitbit, Google Glass and Apple HealthKit grows, the companies that make them are coming under increased scrutiny over privacy and security issues because of the type of data these devices collect. Personal data, ranging from heartbeats to insulin deficiencies, is stored on the devices and, in some cases, on cloud computing platforms. These personal health devices are not likely covered under HIPAA because the data is created by the individual, but some regulators and lawmakers believe that some of them should be regulated as medical devices or made subject to the HIPAA Privacy regulations.

On September 18th, Congressmen Tom Marino (R-PA) and Peter DeFazio (D-OR) sent a letter to Secretary Sylvia Mathews Burwell of the U.S. Department of Health and Human Services (HHS), asking that HHS clarify how HIPAA relates to mobile app developers and vendors. The letter was sent shortly after the Congressmen received a letter from The App Association, asking for a “more-sensible implementation of health privacy laws to ensure that the implementation better fits today’s mobile world.” The App Association is an industry trade association composed of developers and vendors of software applications designed for use on mobile platforms (e.g. Android, Apple iOS) for a variety of health and non-health purposes.

The September 18th letter to HHS pointed out that the department has not issued the guidance or developed the regulations sought by the mobile health sector. For example, the letter noted that the guidance on the HHS website about technical compliance with the HIPAA Security Rule has not been updated since smartphones became popular. In fact, the last time it was updated was in 2006, shortly after it went into effect. In the letter to HHS, the Congressmen echoed the sentiments of The App Association and noted that most of the companies developing mobile apps are rather small technology companies. Most do not have the budget to hire legal teams to decipher regulatory guidance and determine what is applicable to them. If HIPAA does apply, most also lack the resources to ensure that their products comply with HIPAA requirements. The Congressmen recommended several steps HHS can take to bring guidance and regulations up to speed with the mobile world we live in.

Recommended Steps:

CynergisTek will continue to monitor developments in this area. We will share updates on important policy and regulatory developments as they unfold. Click here to email us if you have questions and click here to read the letter the Congressmen wrote to HHS.