App developers, who say they are being left out of important mHealth privacy and security conversations, are calling on the federal government to give them a little more transparency around the issues. 

 

In a letter to Congressman Tom Marino, R-Pa., several developers and the 5,000-member ACT/The App Association have asked to be brought up to date on mHealth regulations. They've also requested changes to the Health Insurance Portability and Accountability Act, or HIPAA, to make it more in tune with current technology.

 

[See also: Takeaways from Privacy & Security Forum.]

 

Specifically, the letter calls on the government to make existing regulations more accessible to developers, improve outreach to new companies in the mHealth space, and update "Security Rule Guidance Material" to help developers stay abreast of mobile implementations and standards.

 

The letter was signed by ACT/The App Association, AirStrip, AngelMD, Aptible, CareSync and Ideomed.

 

HIPAA information "is still mired in a Washington, D.C., mindset that revolves around reading the Federal Register, or hiring expert consultants to 'explain' what should be clear in the regulation itself," according to the letter. It argues that the Office of the National Coordinator for Health IT has helped healthcare providers and, to a lesser extent, the public to understand HIPAA, but "there are limited user-friendly resources available for app developers."

 

"Other government websites and information repositories have scant information on how HIPAA can be implemented in the new mobile environment," the letter reads. "There are no 'developers' tabs, no appendices with examples for what can and cannot be done, no technical documentation or searchable database that gives context to the various requirements."

 

The group calls on the Department of Health and Human Services to "provide HIPAA information that is accessible and useful to the community who needs it."

 

The letter also notes that current HIPAA information covering "remote use" on the hhs.gov website hasn't been updated since 2006 – and notes the first iPhone wasn't even available until June 2007. The group argues that HHS and the OCR should update that information, including examples of actions that would and would not trigger enforcement action, "instead of leaving app makers to learn about these through an audit."

 

As an example, the group pointed to cloud storage, which it called "essential for success in the new, mobile, always-on world."

 

"We lack clarity when it comes to data in the cloud that is encrypted, and where the cloud provider has no access to the encryption key," the letter states. "Most technologists see that kind of storage as different and one that should not trigger HIPAA obligations. But lack of clarity prevents new and beneficial technologies from helping patients."

 

Finally, the group is urging federal officials to expand their outreach, noting that "the most exciting new products in the mobile health space have been coming from companies outside the traditional healthcare marketplace." It calls on government officials to participate in more developer-focused events. 

 

This story first appeared in mHealth News here.