HHS Seeking Public Comment on mHealth Privacy Concerns from Developers

App developers need to ensure mHealth apps are HIPAA-compliant by design.

The Department of Health and Human Services (HHS) Office for Civil Rights recently launched a platform through which developers of mobile health technology (mHealth) and others interested in the intricacies of US Health Insurance Portability and Accountability Act (HIPAA) privacy protection standards may submit and review questions.

The platform specifically seeks questions and answers relating to:

  • What entities are covered by HIPAA
  • The application of HIPAA to cloud computing
  • What aspects of the application (environment) must be HIPAA-compliant
  • The content of business associate agreements
  • The flow of patient-generated data
  • The use of audit logging by developers

The agency recognizes that physicians, health care providers, and other health care professionals have fully integrated the use of smartphones, laptops, and tablets into their practices. It is therefore important that app developers have ample opportunity to ensure their mHealth apps are HIPAA-compliant by design.

One of the intended purposes of HHS’s platform is to gather information to better inform future agency guidance. Developers have expressed a need for more comprehensive guidance around patient-generated health data because HIPAA focuses on one-way data sharing (from covered entities outward). However, in the future, it is likely that increasing amounts of data will flow in the opposite direction, from patients and their devices into provider systems.

While much media coverage focuses on breaches of data integrity and threats to patient health privacy, others have noted the prospective gains from integrating mHealth technology more closely into health practices. Lorne Basskin, PharmD, previously told Pharmacy Times that although “the potential reward of big data is tremendous, it coexists with the possibility of serious problems resulting from its misuse.”

Chief among his concerns are “unverified data from patients; databases that cannot communicate and share information; the risk of missing, incomplete, or inaccurate information; and a lack of rigor in research.”

Although the HHS platform constitutes a good faith effort to help protect patient privacy, room remains for privacy violations via mHealth apps whose developers are not considered covered entities and therefore fall outside HIPAA’s requirements.

According to study results published in the Journal of the American Medical Informatics Association, only 30% of the 600 most popular medical apps had a privacy policy—and most of those policies were either lengthy or hard to understand. Apps evaluated included fitness trackers, first-aid apps, medical calculators, chronic disease management tools, and health records.

Kenneth Mandl, MD, MPH, Harvard Medical School professor at the Boston Children’s Hospital Informatics Program, previously told Pharmacy Times that app data protection is an important issue because “there is an unmet expectation by app users that when using a health app, they are protected… The average citizen does not understand that mobile apps not managed by covered entities are not regulated in their use of protected health information.”