Status report: OCR's effort to guide HIPAA compliance in mobile health
The U.S. Department of Health and Human Services' Office for Civil Rights launched a website to gather information from the healthcare and technology industries on the applications of the Health Insurance Portability and Accountability Act. More recently, it has been using the site, HIPAAQsPortal.hhs.gov, to better understand industry concerns over HIPAA and the burgeoning field of mobile health.
"It's really set up as a way for the agency to connect with the developer community and get a better sense of the issues in that space," said Jeffrey Dunifon, an associate attorney in the technology and communications practice at Baker & McKenzie LLP, who focuses on information privacy and security.
"The agency has received good participation, a fair number of questions," he said. "They have framed 'the ask' as a means to help them direct their guidance on the subject."
The next step for the OCR is to review all of the information gathered to see whether it can use the information to develop guidance for HIPAA and mHealth.
"Many times, lessons more broadly applicable also will fit in the mobile space, and to date the OCR has tried to leverage some of its guidance there," Dunifon said. "I think the OCR really does want to create mobile guidance for HIPAA. Previously, I worked at the OCR, and I can say that developing such guidance is a difficult process because the agency wants to be very careful about information they are putting out there."
There is significant demand for mobile health HIPAA guidance, which is one of the reasons the agency built the website and suggests it is prioritizing guidance on the subject, Dunifon added.
"One of the questions that's very interesting is, 'What is our scope of compliance?'" Dunifon said. "That is a good question, especially for companies not exclusively dealing with healthcare. And the answer to that question goes back to how a company is conducting its risk assessments. The most important factor in HIPAA compliance is diligence, and taking reasonable and good faith measures to control risk."
Although questions like this often come up among mobile health developers new to healthcare, lessons developed and honed in other parts of the HIPAA-regulated space are instructive, Dunifon added.
"I have heard a fair number of questions about whether patient-generated data is subject to HIPAA, especially in the mobile context where you have devices that collect patient health information or help them track things like dosages," he said. "Approaching questions more generally, looking back at the various definitions under the rule, such as what is PHI and what is a business associate, can help clarify business thinking about these kinds of issues."