
Fed’s updated mobile health app tool aims to reduce HIPAA compliance mistakes

Federal agencies released an update to their mobile health app tool to help developers understand which laws and regulations apply to their products. (Photo by George Frey/Getty Images)

The Department of Health and Human Services, the FDA, and the FTC have updated their interactive mobile health app tool for developers, the latest effort to clarify how federal regulations apply to health data and to apps that fall outside the Health Insurance Portability and Accountability Act (HIPAA).

The tool is meant for any mobile app developer intending to access, collect, share, use, or maintain consumer health information related to diagnoses, treatments, fitness, wellness, or addiction.

In light of recent missteps involving tracking pixels on healthcare websites, and continued FTC enforcement actions against health apps and data brokers, the guidance is important for better protecting patients and effectively regulating health apps that fall outside of HIPAA.

The guidance tool was first issued in 2016 to help developers of health-related mobile apps understand which federal laws and regulations apply to their products, and how. As SC Media has often reported, HIPAA does not apply to health apps that are not connected to or recommended by HIPAA-covered providers but are instead chosen by consumers for their own care needs.

The FTC has enforcement authority over many of these apps through its Health Breach Notification Rule, which covers vendors of personal health records and related entities that fall outside HIPAA, and the agency has signaled that it will be ramping up enforcement of the rule.

To help developers navigate these compliance questions, the tool walks them through a series of pointed questions about the app's function, the data it collects, and the service it provides to users.

Those answers direct the developer to more tailored guidance on the federal laws that could apply to the product, including the rules mentioned above, the Children’s Online Privacy Protection Act (COPPA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), the 21st Century Cures Act, and the Information Blocking regulations of the Office of the National Coordinator for Health Information Technology (ONC).

The hope is that developers and other leaders with questions about whether HIPAA applies to their products will use the tool to identify possible compliance issues and better understand how these rules apply to a particular health app.

Specifically, the tool is designed to give these parties “a snapshot of potential compliance obligations and point them to educational materials and best practices for delivering safe, accurate services while safeguarding the privacy and security of consumer information.”

Alongside the update, the FTC also issued best practices for mobile health app developers to reduce some of the ongoing confusion and the privacy risks to patients. The guidance recommends foundational security controls tailored to health app developers, with a focus on limiting data retention, minimizing data collection and access, and strong authentication.

Notably, one section urges developers not to reinvent the wheel, and instead to rely on industry standards developed by reputable bodies such as NIST and the SANS Institute when implementing safeguards and staying current on the latest security vulnerabilities.

The guidance also reminds developers that the first step of development should be to use the tool to determine which federal laws and regulations apply to their technology.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
