App developers are asking the Department of Health and Human Services to clarify the rules regarding HIPAA in the mobile health marketplace. Many have complained over the years about ambiguity, vagueness, and unanswered questions in HIPAA, but I, for one, have rather appreciated the flexibility HIPAA provides health care providers, organizations, and business associates to embrace the spirit of the law without being overly encumbered by the letter of the law.

At the urging of the App Association (ACT) and several leading health companies, Congressmen Marino and DeFazio have sent a letter to HHS Secretary Sylvia Burwell to request the department take steps to make it easier for developers to better understand what is required of them under HIPAA.

There is certainly reluctance to enter the mobile health arena among many developers and companies due to fear of making a misstep that could land them in trouble with HHS and the Office of Civil Rights overseeing HIPAA. ACT contends that this reluctance is limiting much needed innovation.

It’s clear from our research that the industry is experiencing tremendous growth. However, a commitment from Congress and the administration to take action on regulatory constraints facing the mobile health industry would ultimately accelerate innovation and improve healthcare in our country.      ~ Jonathan Godfrey, September 18, 2014

I can only hope those driving the letter to HHS are prepared for the answer they might get. Their call to attention and request for clarification may awaken a sleeping giant of burdensome regulation they could find more limiting than the current flexibility.

Health care providers, security experts, and others have sought for years to reduce HIPAA compliance to a simple formula. Many people still want to think that they can purchase a premade checklist, cross off a few boxes, and relax and call their company “compliant.” I believe it is by design that the security and privacy provisions of HIPAA are cleverly worded to put the burden of determining how, what, and when compliance and remediation steps are taken squarely on the regulated organization.

What works for one provider may not work for another organization’s structure, processes, or budget. HIPAA essentially forces covered entities and business associates to embrace the spirit of the regulation. Many find this unsettling but, in reality, it is a much stronger incentive to real security and more effective privacy measures that work for an individual organization.

A persistent lack of understanding regarding the vague design of HIPAA provisions, however, may be leading us to a more restrictive regulatory approach if we are not careful. If organizations continue to fall short of adequate security either by resorting to a checklist mentality or by avoiding their security and privacy issues altogether, we will continue to see avoidable breaches cost companies and patients dearly. If covered entities, business associates, and lawmakers continue to pressure HHS to provide clarity in hopes of finding a guarantee of immunity should something go wrong, they could find themselves with more clarity than they bargained for. In the end this could just do more to stifle innovation.

If your organization is struggling with the ambiguity in HIPAA regulation, our experts would like to help you understand how this allows you to chart your organization’s best path to compliance. If you are an app developer concerned about making a misstep and finding yourself in trouble with HIPAA, we can help.
