App developers ask Congress, HHS for HIPAA clarity on cloud, more

By Brian Dolan

This morning ACT -- The App Association and a number of its mobile health company members sent a letter to Rep. Tom Marino (R-PA) to encourage Congress to push HHS to make HIPAA regulations clearer for mobile app developers.

"We see a huge chunk of our membership engaged on both fitness and the more health-specific side," ACT's Executive Director Morgan Reed told MobiHealthNews in an interview. "I would estimate about a third of developers today are looking to be a part of this [trend]. I would hazard a guess that close to 30 percent of our members are either actively pursuing this or already engaged in it."

Reed argues that the language of the HIPAA rules is not easy for software developers to parse in terms of how it relates to their apps. The App Association also writes in the letter that publishing information about HIPAA and other relevant health IT policies in the Federal Register is not the best way to disseminate this information to developers. HHS should seek other channels to publish this information, ACT argues, and it should also proactively seek out developers instead of expecting them to come to it. Given their general unfamiliarity with HIPAA privacy regulations, app developers are avoiding healthcare, Reed said.

"We see a resistance from some developers who are doing amazing apps to get involved with anything that even smells of HIPAA," Reed said. Before she departed as the ONC's chief privacy officer, Joy Pritts had discussed these issues with him and his group on a number of occasions.

"I was often bringing up issues with her where our members had found problems with healthcare providers who would say 'no' to an app and raise HIPAA as an issue. Ms. Pritts would dutifully note that the issue raised [by the care provider] wasn't actually a HIPAA problem at all. The issue our members face, though, is that if care systems don't understand the intersection of HIPAA and mobile, and their reaction is to say 'no', then apps that improve outcomes don't make it through the front door."

Reed said that patients, care providers, and health app developers all need to be better informed about HIPAA, especially on how it relates to health apps that make use of cloud services.

An illustrative setup is "information encrypted end-to-end and transiting from your device to a cloud storage provider and then to a care provider who is actually a covered entity," Reed explained. "We see that as a vital function for making mobile apps work better. If all of those end up having to be business associates and to go through that, then it makes it very hard for new entrants into the cloud space to look at that as something worth pursuing. Let's face it, that's onerous. If you have no access to the information -- you're not looking at it, not manipulating or changing it -- you are merely transiting it, it's really hard to argue that you are a business associate."

Since the government is the largest payor in US healthcare, Reed believes it should not only take its requisite lead as regulator, but also lead the market as its biggest customer. Its actions as a payor and provider could help others to better understand how to safely adopt mobile health apps while ensuring HIPAA compliance. In other words, it could lead by example.

"Ultimately, the government is the largest purchaser of healthcare services in the country. They have an enormous stake in the industry. They have a particularly loud voice," Reed said. "The government has a very clear role to clarify the regulations as they currently exist, put a spotlight on new technologies that improve patient outcomes, and finally act as the largest consumer of healthcare services in the country [and] highlight those healthcare services that they believe could be improved by better and more accurate following of HIPAA."

Read on for an excerpt from the ACT's letter to Rep. Marino, including its three suggestions to Congress regarding mobile health apps:

1. Make existing regulation more accessible for tech companies

Information on HIPAA is still mired in a Washington, DC, mindset that revolves around reading the Federal Register, or hiring expert consultants to “explain” what should be clear in the regulation itself. Not surprisingly, app makers do not find the Federal Register to be an effective resource when developing health apps.

Further, the Office of the National Coordinator (ONC) has taken efforts to provide information on how to protect and secure health information on mobile devices for medical professionals and, to a lesser extent, the public. But there are limited user-friendly resources available for app developers, who are mostly solo inventors or small groups of designers – not large companies with the resources to easily hire counsel or consultants who can help through the regulatory process.

Other government websites and information repositories have scant information on how HIPAA can be implemented in the new mobile environment. There are no “developers” tabs; no appendices with examples for what can and cannot be done; no technical documentation or searchable database that gives context to the various requirements. Other government agencies draft FAQs to provide direct answers to the questions faced by the developer community.

HHS must provide HIPAA information in a manner that is accessible and useful to the community who needs it. The agency should draft new FAQs that directly address mobile developer concerns.

2. Improve and update guidance from OCR on acceptable implementations

The current technical safeguards documentation available on the hhs.gov website is significantly out of date. In fact, the document covering “Remote Use” was last updated December of 2006. For comparison, the very first iPhone did not become publicly available until June 29, 2007. Without new documentation that speaks to more modern uses, it will be difficult for developers to understand how to implement HIPAA in an effective way for patients.

Given that HIPAA is a federal statute that mandates several requirements, the Office of Civil Rights (OCR) should provide implementation standards — or examples of standard implementations that would not trigger an enforcement action — instead of leaving app makers to learn about these through an audit.

For example, cloud storage is essential for success in the new mobile, always-on world. However, we lack clarity when it comes to data in the cloud that is encrypted, and where the cloud provider has no access to the encryption key. Most technologists (and some at HHS) see that kind of storage as different and one that should not trigger HIPAA obligations. But lack of clarity prevents new and beneficial technologies from helping patients.
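As an added illustration (not from the letter or from ACT) of the arrangement both Reed and the letter describe: the record is encrypted on the device with a key shared only with the care provider, so the cloud store holds bytes it cannot read and cannot alter or relabel without detection. Go with only its standard library; the sample record, record id and key handling are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM wraps a 16-, 24- or 32-byte AES key in GCM; aes.NewCipher rejects other sizes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord runs on the device: output is nonce || ciphertext || tag, with the record id bound as AAD.
func SealRecord(key, record []byte, id string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per record; never reuse one under the same key
	return gcm.Seal(nonce, nonce, record, []byte(id)), nil
}

// OpenRecord runs at the care provider (which shares the key); any tampering fails GCM authentication.
func OpenRecord(key, blob []byte, id string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(id))
}

func main() {
	key := make([]byte, 32) // held by the device and the care provider only; never sent to the cloud
	rand.Read(key)
	blob, _ := SealRecord(key, []byte("glucose 112 mg/dL"), "rec-1") // constructed sample record
	cloud := map[string][]byte{"rec-1": blob}                        // all the provider ever holds
	out, err := OpenRecord(key, cloud["rec-1"], "rec-1")
	fmt.Println(string(out), err)
}
```

Binding the record id as associated data means a blob the storage provider copies under a different id, or edits by a single bit, is rejected at the care provider instead of being read as a different patient's data.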

HHS and OCR must update the “Security Rule Guidance Material” and provide better guidance with regard to mobile implementations and standards.

3. Improve outreach to new entrants in the healthcare space

The most exciting new products in the mobile health space have been coming from companies outside the traditional healthcare marketplace. Yet a review of most HHS speeches and outreach reveals a persistent attachment to these traditional communities, and not enough expansion into newly-forming health technology communities. To effectively reach out to mobile health app makers, HHS should increase its participation in existing developer-focused events. These often occur in locations far from Washington, but the agency must be focused on directly connecting with this audience so it can learn more about the evolving marketplace. This cannot be a passive exercise in which the agency waits for industry engagement. HHS must be participatory.

In order to ensure the expansion of innovative new technologies, it is essential that HHS, OCR and others expand their outreach to the communities with whom they must engage.