Last month, two Members of Congress wrote to Secretary Burwell of the U.S. Department of Health and Human Services, urging the agency to adopt new guidance on HIPAA compliance for mobile devices.
In their letter, Representatives Tom Marino (R-PA) and Peter DeFazio (D-OR) note that much of HHS’s current guidance predates the proliferation of mobile device apps, and that this guidance does not easily relate to the unique issues presented by this technology. Thus, companies that develop mobile device technology are uncertain about whether their products comply with HIPAA, and if not, how to bring them into compliance. The letter also notes that companies often must retain large legal teams to help navigate these complex issues.
Specifically, Congressmen Marino and DeFazio ask that the Office for Civil Rights (OCR), the agency at HHS charged with enforcing HIPAA, take several steps, including (1) updating existing guidance to keep pace with advances in technology, (2) identifying implementation standards to help companies come into compliance, (3) providing clarity on storage of encrypted health data in the cloud, and (4) providing compliance assistance, including by making available HHS employees with technological expertise to interface with companies developing mobile technologies.
It remains to be seen whether HHS will respond to the Members’ requests, and if so, how quickly. Updating guidance and regulations that were written before the current mobile technology and internet landscape emerged has been a consistent concern for entrepreneurs and companies creating emergent technologies. Nevertheless, given that HHS is expected to step up HIPAA enforcement, compliance with federal health privacy law will become even more important.