OnPage News: HIPAA Guidance for Mobile Apps



New HIPAA Guidance For Mobile Apps, Health Info Exchange

HHS Outlines Scenarios Where Regulations Kick In

Article Courtesy of:  GovInfo Security

Federal regulators have issued new guidance, including material to clarify for healthcare entities and software developers various scenarios where HIPAA regulations might apply to mobile health applications (mobile apps), including situations when patients use smartphones to collect or transmit personal health data.

Some privacy and security experts say the new mobile application guidance material from the Department of Health and Human Services’ Office for Civil Rights addresses a topic that is not only a current source of confusion for many covered entities and business associates, but also is likely to become increasingly complex as more consumers use smartphones and other devices to help manage chronic illnesses and other health issues.

“This guidance is important since some developers still aren’t clear about whether they fall under HIPAA or not – that is, whether or not they are HIPAA-defined business associates,” says Kate Borten, founder of privacy and security consulting firm The Marblehead Group.

“That leaves the door open to improper use and disclosure of confidential patient and [health] plan member information,” she says. “Although all apps using personal information should include privacy and security protections, situations that are governed by HIPAA – as described in this guidance – must include specific protections dictated by the security and privacy rules, as well as by business associate contracts with covered entities.”

The new installment of mobile guidance material is offered through an application developers portal OCR unveiled last fall to serve as a privacy and security resource for software vendors and others about how HIPAA regulations apply to new technologies, including mobile applications.

In addition to the new mobile guidance, HHS on Feb. 12 released a series of new “fact sheets” to help bolster understanding of various permitted disclosures and uses of patients’ PHI under HIPAA.

“Although the regulations have been in effect for quite some time, healthcare providers frequently still question whether the sharing of health information, even for routine purposes like treatment or care coordination, is permissible under HIPAA,” HHS says in a statement about why OCR and its sister HHS unit – the Office of the National Coordinator for Health IT – issued the new fact sheets. “Confusion about the rules has been cited by many as a potential obstacle to interoperability of digital health information.”

Mobile Health App Guidance

OCR’s newly released mobile guidance offers examples of common and sometimes complicated situations where patients use their smartphones or other mobile devices for healthcare-related purposes, and highlights whether the software developer is considered a business associate that must comply with HIPAA regulations for safeguarding the protected health information.

The answers could change depending upon different circumstances, such as whether the smartphone app allows the patients to transmit PHI to a healthcare provider for incorporation into an electronic health record or other system.

“The scenarios produced by OCR successfully translate the complex standards of the HIPAA rules to an audience that is hungry for information about how their technologies are impacted by these standards,” says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.

“There is a lot of confusion in the marketplace. The imagination and ingenuity of technology innovators are continuing to challenge our notions of what is a ‘healthcare app’ and what is a ‘medical device,’” Holtzman says. “It is broader than the smartphone or the mobile pad, but includes the myriad of medical devices in the wearable, implantable, digestible categories as well as Internet of Things applications that handle the data from these technologies.”

Also, it’s not only external or third-party software vendors that are creating new mobile health applications that sometimes fall into the gray area of HIPAA compliance, he notes.

“There is this myth that the majority of healthcare apps for smartphones or wearables are coming from technology startups,” Holtzman says. “Innovative technologies are developed or produced by healthcare organizations or physician practices to bring real-time medical monitoring and patient engagement to any patient with a smartphone. The new guidance with its accompanying scenarios will be helpful to those who are developing or employing healthcare apps that collect or transmit health information.”

Other HIPAA Guidance…

Read the FULL STORY on GovInfo Security

