This morning ACT — The App Association and a number of its mobile health company members sent a letter to Rep. Tom Marino (R-PA) to encourage Congress to push HHS to make HIPAA regulations clearer for mobile app developers.
“We see a huge chunk of our membership engaged on both fitness and the more health-specific side,” ACT’s Executive Director Morgan Reed told MobiHealthNews in an interview. “I would estimate about a third of developers today are looking to be a part of this [trend]. I would hazard a guess that close to 30 percent of our members are either actively pursuing this or already engaged in it.”
Reed argues that the language of the HIPAA rules is not easy for software developers to parse in terms of how it relates to their apps. The app association also writes in the letter that publishing information about HIPAA and other relevant health IT policies in the Federal Register is not the best way to disseminate this information to developers. HHS should seek other channels to publish this information, ACT argues, and it should also proactively seek out developers instead of expecting them to come to the agency. Given their general unfamiliarity with HIPAA privacy regulations, app developers are avoiding healthcare, Reed said.
“We see a resistance from some developers who are doing amazing apps to get involved with anything that even smells of HIPAA,” Reed said. Before she departed as the ONC’s chief privacy officer, Joy Pritts had discussed these issues with him and his group on a number of occasions.
“I was often bringing up issues with her where our members had found problems with healthcare providers who would say ‘no’ to an app and raise HIPAA as an issue. Ms. Pritts would dutifully note that the issue raised [by the care provider] wasn’t actually a HIPAA problem at all. The issue our members face, though, is that if care systems don’t understand the intersection of HIPAA and mobile, and their reaction is to say ‘no’, then apps that improve outcomes don’t make it through the front door.”
Reed said that patients, care providers, and health app developers all need to be better informed about HIPAA, especially on how it relates to health apps that make use of cloud services.
An illustrative setup is “information encrypted end-to-end and transiting from your device to a cloud storage provider and then to a care provider who is actually a covered entity,” Reed explained. “We see that as a vital function for making mobile apps work better. If all of those end up having to be business associates and to go through that, then it makes it very hard for new entrants into the cloud space to look at that as something worth pursuing. Let’s face it, that’s onerous. If you have no access to the information — you’re not looking at it, not manipulating or changing it — you are merely transiting it, it’s really hard to argue that you are a business associate.”
Since the government is the largest payor in US healthcare, Reed believes it should not only take its requisite lead as regulator, but also lead the market as its biggest customer. Its actions as a payor and provider could help others to better understand how to safely adopt mobile health apps while ensuring HIPAA compliance. In other words, it could lead by example.
“Ultimately, the government is the largest purchaser of healthcare services in the country. They have an enormous stake in the industry. They have a particularly loud voice,” Reed said. “The government has a very clear role to clarify the regulations as they currently exist, put a spotlight on new technologies that improve patient outcomes, and finally act as the largest consumer of healthcare services in the country [and] highlight those healthcare services that they believe could be improved by better and more accurate following of HIPAA.”