OCR Updates mHealth Portal Adding New Resources for HIPAA Health App Developers

In certain circumstances, the developers of mobile health apps are classed as business associates and are required to comply with the Rules of the Health Insurance Portability and Accountability Act (HIPAA).

The Department of Health and Human Services’ Office for Civil Rights (OCR) has previously published guidance for the developers of mobile health apps in its Health App Developer Portal to help them determine if and when they need to comply with HIPAA Rules and the steps they must take to ensure their products and services are compliant with the HIPAA Rules.

Recently, OCR updated and renamed the Health App Developer Portal, adding new resources for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules. The new portal contains guidance on how HIPAA applies to health apps, application programming interfaces (APIs), health information technology, and cloud computing.

“Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected,” said OCR. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.”

The new portal explains how HIPAA applies to mHealth applications by explaining various health app use scenarios where the health app developer would be classed as a business associate and would be required to comply with the HIPAA Rules.

The portal also includes a mobile health apps interactive tool developed by the Federal Trade Commission (FTC) in collaboration with OCR, the HHS Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA). The web-based tool can be used by mHealth app developers to determine which federal laws apply to their health apps. By asking a series of questions about the apps, the data they collect, the service they provide, and how they function, developers will discover which laws may apply – HIPAA, the Federal Food, Drug and Cosmetics Act (FD&C Act), the FTC Act, and the FTC’s Health Breach Notification Rule. They will then be provided with several resources with more detailed information about each law.

OCR is often asked questions about health apps and the HIPAA Rules. These questions and answers have been compiled into a FAQ that covers apps, APIs, and the rights of individuals to access the health data collected through apps. A separate FAQ covers HIPAA and HealthIT, and there is a guidance document to help HIPAA covered entities and business associates, including cloud services providers (CSPs), understand how cloud computing technologies can be used in a HIPAA-compliant way.

The new portal – named Resources for Mobile Health Apps Developers – will be regularly updated with new resources added to help clear up any areas of confusion about HIPAA and mHealth.