The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced new resources for mobile health app developers and has refreshed and renamed its Health App Developer Web Portal.
The Web portal – Resources for Mobile Health Apps Developers – hosts guidance for mobile health app creators on the HIPAA Privacy, Security, and Breach Notification Rules and how they apply to mobile health apps and application programming interfaces (APIs).
The portal includes a guidance document, Health App Use Scenarios and HIPAA, which explains when mHealth applications must comply with the HIPAA Rules and whether an app developer will be classed as a business associate.
OCR commented on the release saying: “Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected. Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.”
The portal also provides access to the Mobile Health Apps Interactive Tool created by the Federal Trade Commission (FTC) in conjunction with the HHS’ Office of the National Coordinator for Health IT (ONC) and the Food and Drug Administration (FDA). Developers of health-related apps can use the Tool to determine which federal rules may apply to their apps. By answering questions about what the app does and what data it handles, developers find out which federal rules apply and are directed to resources providing more detailed information about each rule.
The portal also hosts information on patient access rights under HIPAA, how they apply to the data gathered, saved, processed, or transmitted through mobile health apps, and how the HIPAA Rules are relevant to application programming interfaces (APIs).
The update to the portal comes shortly after the ONC’s final rule, which requires health IT developers to provide a secure, standards-based API that providers can use to support patient access to the data stored in their electronic health records. While it is important for patients to have easy access to their health data so they can check it for mistakes, request corrections, and share it for research purposes, there is concern that sending data to third-party applications, which may not be covered by HIPAA, is a privacy risk.
OCR has previously clarified that once a healthcare provider has shared a patient’s health data with a third-party app at the patient’s request, the data is no longer covered by HIPAA if the app developer is not a business associate of the provider. In that case the healthcare provider is not responsible for any subsequent use or disclosure of the electronic protected health information (ePHI) shared with the app developer.