On October 5, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services launched a new platform to enable developers of mobile health technology, as well as others “interested in the intersection of health information technology and HIPAA privacy protection.” OCR notes that there is currently “an explosion of technology using data about the health of individuals in innovative ways to improve health outcomes.” The platform allows for individuals to both submit and review questions on the HIPAA implications of these mobile health applications.
The platform invites mobile health developers to submit questions and topics for future guidance. The portal asks:
What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable, more accessible? Use this page to submit your questions about HIPAA. Or present a use case. Look at what your peers are discussing, comment on it and vote on which topics or use cases would be the most helpful or important to your work.
As of now, the platform features questions (though no answers yet) regarding:
- what entities are covered by HIPAA;
- the application of HIPAA to cloud computing;
- what aspects of the application (environment) must be HIPAA compliant;
- the content of business associate agreements;
- the flow of patient-generated data; and
- the use of audit logging by developers.
Anyone can browse the site, but users who wish to submit questions must register. Registered users may also offer comments on other submissions or vote on the relevance of a topic. The portal represents that the entities and email addresses associated with posts by registered users will be anonymous to OCR. OCR also states that posting or commenting on a question on the portal will not subject anyone to enforcement action. While OCR will moderate comments posted by users, it will not vouch for the accuracy of these comments. Thus, users must pay close attention as to whether guidance appearing on by the portal is endorsed by OCR before taking action in reliance on this guidance.
The release of the portal comes at a time of particular uncertainty for medical application developers. HHS has acknowledged that existing HIPAA guidance has not addressed all of the questions raised by emerging technologies and has said that it plans to seek guidance from mobile application developers themselves. Depending on the timeliness of, and level of detail contained in, OCR’s responses to questions, the portal could prove a useful resource to a quickly evolving industry.