The Federal Trade Commission (FTC) has created a new web-based tool to help developers of health-related mobile apps understand what federal laws and regulations might apply to them. The FTC developed the tool in conjunction with OCR, the HHS Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA).
The guidance tool asks developers a series of high-level questions about the nature of their app, including about its function, the data it collects, and the services it provides to users. Based on the developer’s answers to those questions, the guidance tool will point the app developer toward detailed information about certain federal laws that might apply to the app. These include the FTC Act, the FTC’s Health Breach Notification Rule, the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Food, Drug and Cosmetics Act (FD&C Act).
Developers and others seeking more information about how the HIPAA Rules might apply to their health apps, as well as a place to ask OCR questions about HIPAA compliance, should visit OCR’s health app developer portal —more information about the portal is below. One new resource on the portal is Health App Use Scenarios and HIPAA,which analyzes whether HIPAA applies to a range of example health app scenarios and offers key questions to consider in determining when HIPAA’s regulations cover a particular health app.
OCR Invites Developers to Ask Questions about HIPAA Privacy and Security
OCR has launched a new platform [http://HIPAAQsportal.hhs.gov] for mobile health developers and others interested in the intersection of health information technology and HIPAA privacy protection. We are experiencing an explosion of technology using data about the health of individuals in innovative ways to improve health outcomes. Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected. Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security and Breach Notification Rules. Yet many mHealth developers are not familiar with the HIPAA Rules and how the rules would apply to their products.
Anyone may browse the site, which is on the Ideascale cloud-based idea management platform. Users who want to submit questions, offer comments on other submissions or vote on how relevant the topic is will sign in using their email address, but their identities and addresses will be anonymous to OCR. OCR will consider the input provided on this site in developing our guidance and technical assistance efforts.
Stakeholders will use this site to help OCR understand what guidance on HIPAA regulations would be helpful. We are asking stakeholders to provide input on the following issues: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable, more accessible? Stakeholders can also use this page to submit questions about HIPAA, present a use case, or see what their peers are discussing. Users can comment on the discussions and vote on which topics or use cases would be the most helpful or important.
Posting or commenting on a question on this site will not subject anyone to enforcement action. We will be moderating submissions for appropriateness but OCR does not endorse the accuracy of their representations. While we cannot respond individually to questions, we will try to post links to existing relevant resources when we can. We appreciate input from stakeholders and will consider comments as we develop our priorities for additional guidance and technical assistance.
To learn more about non-discrimination and health information privacy laws, civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at www.hhs.gov/ocr
Follow us on Twitter @HHSOCR .
HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.
DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.
Date Published: 6/8/2020