On October 5, 2015, the HHS Office of Civil Rights (OCR) unveiled a new resource to provide mobile health (mHealth) developers guidance on complying with Health Information Portability and Accountability Act (HIPAA) requirements applicable to those organizations. The portal permits developers to submit questions and offer comments on existing OCR guidance regarding how mobile medical applications may be subject to HIPAA. OCR’s intent in offering the portal is to create a “safe space” where developers may submit inquiries on an anonymous basis, without fear of subsequent enforcement action.

In a statement introducing the portal, OCR recognized that, though “we are experiencing an explosion of technology using data about the health of individuals in innovative ways to improve health outcomes,” many mHealth developers are still not familiar with HIPAA, or how HIPAA rules might apply to their mobile application products. OCR stressed the importance of privacy by design, encouraging mHealth developers to build privacy and security protections directly into their products. Doing so will not only “[enhance] their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected,” but may be required in some cases by federal and state laws (including the HIPAA Privacy, Security and Breach Notification Rules). OCR thus encourages developers to submit their questions so they may better understand those requirements.

Early inquiries submitted to OCR’s portal seek guidance on cloud storage/computing in compliance with the HIPAA Security Rule, and requirements for treatment of patient generated data.

OCR’s medical application developer portal is available here.