ACT/The App Association and mHealth companies want uncertainties in the existing regulations removed and more sensible health privacy laws adopted.
Several mHealth companies and the 5000-member strong ACT/The App Association called on Congress to adopt more sensible and simplified rules and regulations regarding health privacy and security to eliminate uncertainty.
In a letter sent to Congressman Tom Morino, The App Association appealed that the outdated regulatory guidance in the Health Insurance Portability and Accountability Act (HIPAA) has not kept pace with the advances and innovation taking place in the mHealth marketplace—and called for three specific changes to the Act:
1. The app makers complained that HIPAA regulations are “still mired in a Washington, DC, mindset that revolves around reading the Federal Register or hiring expert consultants to ‘explain’ what should be clear in the regulation itself,” which makes the Federal Register a not-so-effective source for app makers.
While the Office of the National Coordinator (ONC) did make an effort to provide information on how to protect and secure information on mobile devices, the available user-friendly resources are still limited. There is a lack of technical documentation, a searchable database, developer tabs and lack of clarity on what can be and cannot be done.
The developers want the Department of Health and Human Services (HHS) “to provide HIPAA information in a manner that is accessible and useful to the community who needs it” and “draft new FAQs that directly address mobile developer concerns.”
2. The existing technical safeguards documentation is out of date and some parts were last updated December of 2006, at a time when the first iPhone wasn’t even released. It does not address the modern uses and there is a lack of clarity regarding when standard implementations would trigger an enforcement action by the Office of Civil Rights (OCR).
At present, the FDA is concerned only about medical apps and not fitness apps. The distinction between the two is largely defined by the clinical utility and the likely consequences of a malfunction. For example, if the data collected or generated by the app is used only for fitness and educational purposes and if its malfunction does not cause any injury or risk to the user—then it’s categorized as a fitness app.
On the other hand, if the data is used for clinical purposes and if a malfunction of the device or inaccuracy of the data causes harm to the user, then it will be categorized as a medical device and the FDA will regulate it. However, the distinction between a fitness app and a medical app is not always that clear.
It is also not clear to what extent a doctor would be liable if a patient is injured because of a malfunction or use of inaccurate information generated by a self-monitoring app that the doctor recommends.
Also, it is not clear when and how encrypted data stored in the cloud—to which the cloud provider has no access to encryption keys—would trigger HIPAA obligations. Such lack of clarity leaves app makers in a fix and forces them to learn about these issues only through audits.
The App Association requested the HHS and OCR to “update the ‘Security Rule Guidance Material’ and provide better guidance with regards to mobile implementations and standards.”
3. With most of the health and wellness apps being created by independent app makers and companies outside the traditional healthcare marketplace, the Association wants “the HHS, OCR and others to expand their outreach” and engage the newly-forming health technology communities “to ensure the expansion of innovative new technologies.”
The recent launch of Apple’s iWatch and HealthKit has put some app developers in a quandary. Existing HIPAA regulations do not cover the data generated by health and wellness apps as long as it sits on the consumer’s device, but if it makes its way onto doctors’ records, it would be.
However, Apple is requiring third party developers to sign a privacy policy on HealthKit that prevents app developers from selling data they get from HealthKit for marketing purposes. This adversely impacts the interests of app makers who rely on marketing the app-generated data to data brokers.
Interestingly, Apple itself faces many questions regarding its privacy and security policy. Connecticut Attorney General has asked Apple to reveal more on how it will store and safeguard personal health information, review app privacy policies, regulate medical apps without regulatory approval, and enforce app compliance.
Against this backdrop of legal complexities, uncertainty and confusion regarding privacy, security, medical licensure and malpractice liability, app developers have a lot to consider. It’s time that the FDA, HHS and OCR come up with clear, unambiguous and supportive policies to help fuel the growth of the mHealth app ecosystem to fully benefit from the potential that health and wellness apps offer for improving the lives of consumers everywhere.
Shiva Gopal Reddy has a Bachelor's degree in Physics and a Master's in Applied Psychology and writes frequently on the latest research, impact, happenings and trends in digital health technology.