New Resources for mHealth App Developers and Cloud Services Providers Available at OCR Portal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released more resources for mobile health application developers and has updated and renamed its Health App Developer Portal.

The portal, called Resources for Mobile Health Apps Developers, gives mobile health application developers guidance on the HIPAA Privacy, Security, and Breach Notification regulations and their importance to mobile health applications and application programming interfaces (APIs).

The portal contains a Health App Use Scenarios and HIPAA guidance document, which discusses the need for mHealth applications to comply with the HIPAA Rules and whether an app developer would be considered a business associate.

OCR explained that integrating privacy and security protections into technology solutions boosts their value by giving users some assurance that the data is safe and will be used and shared only as authorized or required. Federal and state laws, for instance the HIPAA Security, Privacy, and Breach Notification Rules, sometimes require such protections.

The Federal Trade Commission (FTC), together with the Food and Drug Administration (FDA) and the HHS’ Office of the National Coordinator for Health IT (ONC), developed the portal that gives access to the Mobile Health Apps Interactive Tool. Developers of health-related apps can use this tool to find out which federal regulations are likely to apply to their apps. By answering questions about the nature of their apps, developers learn which federal regulations are applicable and are given resources with more detailed information about each federal rule.

The portal also contains information about patient access rights under HIPAA, how they affect the data obtained, stored, processed, or sent via mobile health applications, and how the HIPAA Rules impact APIs.

The portal was updated following the ONC’s final rule, which required health IT developers to create a secure, standards-based API that providers can use to help patients access the information saved in their electronic health records. Although quick access to health data is essential for patients so that they can check for errors, request corrections, and share their health information for research purposes, transmitting information to third-party apps, which HIPAA may not cover, may create a privacy risk.

OCR has previously stated that once a healthcare company has shared a patient’s health information with a third-party application, as permitted by the patient, the data is not covered by HIPAA if the app developer isn’t a business associate of the healthcare provider. Healthcare providers won’t be accountable for any resultant use or sharing of any electronic protected health information (ePHI) distributed to the app developer.

The portal also has an FAQ that clarifies how HIPAA applies to health IT. There is also a guidance document detailing how HIPAA applies to cloud computing, so that cloud services providers (CSPs) can fully understand their responsibilities under HIPAA.