The App Association and leading mobile health companies today called on Congress to adopt a more sensible implementation of health privacy laws. This is urgently needed since uncertainty around how existing regulation applies in the mobile environment means advances in mobile health technology are slow to reach consumers.

The group highlighted several areas where federal agencies can adopt practices to eliminate uncertainty and simplify compliance with regulatory obligations. While there has been an enormous amount of innovation in mobile health, outdated regulatory guidance creates hurdles for developers and deters new entrants to the space.

The App Association and five co-authors sent the following letter to Rep. Tom Marino, who has been active on issues involving the mobile app industry. We look forward to working with him and other members of Congress on this issue:

The app industry is grateful for your ongoing support for mobile entrepreneurs. We appreciate your efforts to foster innovation and your staff has been a tremendous resource for emerging app companies.

We write today about the remarkable innovation taking place in the mobile health marketplace, and its potential to help us live healthier and better manage medical conditions. Our concern lies in a regulatory environment that has not kept pace with the rapid growth of technology that gives users greater access to healthcare providers and more control over their health information.

ACT | The App Association represents over 5,000 companies in the mobile app ecosystem. Our members create industry-leading apps and services for healthcare, children’s education, productivity, and custom products for many Fortune 500 companies. The app marketplace didn’t exist seven years ago, but has since grown into a $68 billion industry.

The app ecosystem is now evolving from a resource for shopping, socializing, and games into a mobile hub for personal finance, education, and health. Given how sensitive this data is, we understand that our life-changing innovations must include strong security measures to control access to information and protect it from misuse.

Our members understand the importance that patient trust plays in an effective healthcare system, and work very hard to meet that high bar. For example, San Antonio-based AirStrip was the first mobile health app in the App Store to receive FDA clearance. AirStrip products use Department of Defense-level encryption allowing doctors to remotely view live patient data to make urgent care decisions. Aptible, from New York City, provides a service to ensure that health apps properly protect patient data and comply with federal privacy requirements. Ideomed, based in Grand Rapids, Michigan, has created an application that helps people with chronic diseases remember to take their medication and keep track of the results. Early testing has revealed that Ideomed’s product has helped dramatically reduce emergency room visits.

Our members are improving the lives of patients and empowering their doctors within the current law. Unfortunately, this comes at significant cost in both time and innovation. It is clear that the pathway to success in the mobile health marketplace requires protecting sensitive information. But for innovators to best achieve this, the Department of Health and Human Services (HHS) must take a fresh look at the implementation of the Health Insurance Portability and Accountability Act (HIPAA) to ensure that it better fits today’s mobile world.

Specifically, we would like to see the following changes to how HIPAA is implemented and to the way in which developers can find out what it requires of them.

1. Make existing regulation more accessible for tech companies

Information on HIPAA is still mired in a Washington, DC, mindset that revolves around reading the Federal Register, or hiring expert consultants to “explain” what should be clear in the regulation itself. Not surprisingly, app makers do not find the Federal Register to be an effective resource when developing health apps.

Further, the Office of the National Coordinator (ONC) has made efforts to provide information on how to protect and secure health information on mobile devices for medical professionals and, to a lesser extent, the public. But few user-friendly resources are available for app developers, who are mostly solo inventors or small groups of designers – not large companies with the resources to easily hire counsel or consultants who can guide them through the regulatory process.

Other government websites and information repositories have scant information on how HIPAA can be implemented in the new mobile environment. There are no “Developers” tabs; no appendices with examples of what can and cannot be done; no technical documentation or searchable database that gives context to the various requirements. Other government agencies draft FAQs to provide direct answers to the questions faced by the developer community; HHS does not.

HHS must provide HIPAA information in a manner that is accessible and useful to the community who needs it. The agency should draft new FAQs that directly address mobile developer concerns.

2. Improve and update guidance from OCR on acceptable implementations

The current technical safeguards documentation available on the website is significantly out of date. In fact, the document covering “Remote Use” was last updated in December 2006. For comparison, the very first iPhone did not become publicly available until June 29, 2007. Without new documentation that speaks to more modern uses, it will be difficult for developers to understand how to implement HIPAA’s safeguards effectively for patients.

Given that HIPAA is a federal statute that mandates several requirements, the Office for Civil Rights (OCR) should provide implementation standards — or examples of standard implementations that would not trigger an enforcement action — instead of leaving app makers to learn about these through an audit.

For example, cloud storage is essential for success in the new mobile, always-on world. However, there is no clear guidance on data that is encrypted before it reaches the cloud, where the provider stores only ciphertext and has no access to the encryption key. Most technologists (and some at HHS) see that kind of storage as different from storing readable patient data, and as one that should not trigger HIPAA obligations. But the lack of clarity prevents new and beneficial technologies from helping patients.
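The arrangement that paragraph describes, as an added example that is not part of the letter and not code from any company named in it: a Go program (standard library only) in which the app encrypts each record on the device with AES-256-GCM before upload, so the storage provider holds only ciphertext and never the key. The CloudStore type is an assumed in-memory stand-in for the provider, the object name and the JSON record are constructed sample data, and nothing here says whether HHS would treat such storage as outside HIPAA; that is the question the letter raises.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore stands in for the storage provider (an assumption of this
// example): it keeps opaque blobs by object name and is never given a key.
type CloudStore struct{ blobs map[string][]byte }

func NewCloudStore() *CloudStore { return &CloudStore{blobs: map[string][]byte{}} }

// Put stores a blob; the provider sees only ciphertext, its name and its size.
func (s *CloudStore) Put(name string, blob []byte) { s.blobs[name] = blob }

// Get returns the stored blob, as a download would.
func (s *CloudStore) Get(name string) ([]byte, bool) {
	b, ok := s.blobs[name]
	return b, ok
}

// Client keeps the data-encryption key on the device; it never reaches CloudStore.
type Client struct{ aead cipher.AEAD }

// NewRandomKey draws a 256-bit AES key from the OS CSPRNG.
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// NewClient wraps a 16-, 24- or 32-byte AES key in AES-GCM.
func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// Seal encrypts under a fresh random 96-bit nonce and binds the object name as
// associated data, so a blob copied to another name will not decrypt.
// Blob layout: nonce || ciphertext || 16-byte GCM tag.
func (c *Client) Seal(name string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or name is rejected.
func (c *Client) Open(name string, blob []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(blob) < ns+c.aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// ProviderCanRead reports whether the stored blob exposes the plaintext to the
// provider, i.e. whether the record went up unencrypted.
func ProviderCanRead(s *CloudStore, name string, plaintext []byte) bool {
	blob, ok := s.Get(name)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewRandomKey()
	if err != nil {
		panic(err)
	}
	client, err := NewClient(key)
	if err != nil {
		panic(err)
	}
	store := NewCloudStore()
	name := "records/sample-001.json"
	// Constructed sample record, not real patient data.
	record := []byte(`{"patient":"sample-001","bp":"120/80","note":"constructed example"}`)
	blob, err := client.Seal(name, record)
	if err != nil {
		panic(err)
	}
	store.Put(name, blob) // the provider receives ciphertext only; the key stays on the device
	fmt.Println("provider can read plaintext:", ProviderCanRead(store, name, record))
	stored, _ := store.Get(name)
	got, err := client.Open(name, stored)
	fmt.Println("client round-trip ok:", err == nil && bytes.Equal(got, record))
}
```

Two caveats a practitioner would add before relying on this arrangement: the provider still sees object names, sizes, timestamps and access patterns, and the whole scheme rests on key management on the device (backup, loss, and sharing a record between a patient and a doctor), which is where both the engineering difficulty and the compliance question actually sit.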

HHS and OCR must update the “Security Rule Guidance Material” and provide better guidance with regards to mobile implementations and standards.

3. Improve outreach to new entrants in the healthcare space

The most exciting new products in the mobile health space have been coming from companies outside the traditional healthcare marketplace. Yet a review of most HHS speeches and outreach reveals a persistent attachment to the traditional healthcare communities, and not enough expansion into newly forming health technology communities. To effectively reach mobile health app makers, HHS should increase its participation in existing developer-focused events. These often occur in locations far from Washington, but the agency must be focused on directly connecting with this audience so it can learn more about the evolving marketplace. This cannot be a passive exercise in which the agency waits for industry engagement. HHS must be participatory.

In order to ensure the expansion of innovative new technologies, it is essential that HHS, OCR and others expand their outreach to the communities with whom they must engage.

Thank you for your attention to these issues critical to the mobile health economy. We welcome the opportunity to work with you to create a better regulatory environment that encourages innovation in this life-changing marketplace.


ACT | The App Association

Coverage: InformationWeek, re/code, Reuters, MobiHealthNews, FierceMobileHealthcare, Modern Healthcare