Digital health companies often complain their work is choked by federal privacy and security rules that were developed for a different age. HHS' Office for Civil Rights signaled in a letter this week that it wants to help companies understand the law better—and is willing to be flexible to foster innovation.
The letter, sent to Rep. Peter DeFazio (D-Ore.), responds to concerns enumerated in an earlier request from a trade group called the App Association and digital health companies such as AirStrip regarding enforcement of the Health Insurance Portability and Accountability Act. Specifically, it promises updated additional guidance on HIPAA rules pertaining to cloud storage of personal health information, and reaching out to technology companies regarding ways to assist with rule compliance.
HHS is contemplating additional steps, such as “real-time solutions to hear from mobile application and other technology developers” and a “listening tour” to hear concerns and issues regarding the law. (Other divisions of HHS have used the “listening tour” model—for example, the Food and Drug Administration held several meetings at college campuses to explain its mobile medical app guidance in early 2014.)
Morgan Reed, executive director of the App Association, said he was very excited about the letter and Congress' efforts to bring the issue to the forefront of HHS' attention.
Reed said more clarity would be needed on cloud storage rules. “I think we'll continue to have questions about how cloud works in the healthcare setting. That's the 800-pound gorilla in healthcare discussions,” he said.
Deven McGraw, a lawyer at Manatt, Phelps & Phillips and an expert in privacy policy, agreed that the letter would be helpful—particularly in educating companies about who is, and isn't, covered by the law. “In many cases these companies wrongly assume that because they are collecting health information from or on behalf of consumers, they are covered entities (or business associates) and they are not. HIPAA has limited coverage,” she said.
Follow Darius Tahir on Twitter: @dariustahir