Dr. Iltifat Husain’s physician take is at the end of this article
Last month we wrote how the U.S. Department of Health and Human Services provides mobile app developers with a useful resource to help them understand whether their product will need to conform to HIPAA regulations. The service, located at http://hipaaqsportal.hhs.gov/, invites developers to submit HIPAA security and privacy rule questions directly on the web site, promising to offer guidance in a timely manner.
Since electronic health record systems, cloud storage vendors, and many others may be required to adhere to a long, complicated list of rules and regulations, being able to tap a resource like this may help save developers from having to rewrite many lines of code to become compliant. Although the government states it cannot respond individually to questions, it says it will try to post links to existing relevant resources when possible.
Now – it looks like questions that app developers have on HIPAA and patient privacy are being answered.
A few samples from the web site will give you a taste of the kinds of questions that the HHS Office of Civil Rights is willing to entertain. One questioner asks: Can HIPAA address patient generated data? They go on to state: “Developers need better guidance around patient generated health data, since HIPAA focuses on one-way data sharing from a provider/other covered entity outward to the patient/other entity. In the future, more and more data will be flowing in the opposite direction, and there should be guidance to clarify that HIPAA should not prevent the flow of information from the patient back to the provider.” OCR responded to this developer by explaining that information created or held by individuals/patients/consumers is not subject to HIPAA unless and until it is received by a covered entity (or a business associate).
Another query asked: “How should developers execute audit logging?” The questioner explains that developers put a great deal of time and energy into building an audit logging feature into their products but have no way of knowing whether their efforts are compliant with HIPAA regulations. More specifically, the developer asks: “Could HHS provide an open source library of code to help developers understand how to execute audit logging.”
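As an added illustration of what that audit logging question is getting at (this is example code written for this article, not HHS guidance and not an HHS library): a minimal hash-chained log of PHI access that records who did what to which record, when, and with what outcome, can answer “who touched this record?”, and detects after-the-fact alteration or removal of entries. The class, field and event names are assumptions; the sample events are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry (hypothetical choice)

def _digest(body):
    # Canonical JSON so the same event always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class PhiAuditLog:
    """Append-only, hash-chained trail of who accessed which PHI record, when, and with what result."""
    def __init__(self):
        self.entries = []
        self._last_hash = GENESIS

    def record(self, actor, action, record_id, outcome, timestamp=None):
        # Log the record identifier only; the PHI itself never goes into the audit trail.
        # Denied attempts are logged too, since failed access is exactly what a reviewer looks for.
        entry = {
            "ts": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "outcome": outcome,
            "prev": self._last_hash,  # links this entry to its predecessor
        }
        entry["hash"] = _digest(entry)
        self._last_hash = entry["hash"]
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; return the index of the first altered or missing entry, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def accesses_to(self, record_id):
        """The review side of audit controls: every actor who touched a given record."""
        return [(e["ts"], e["actor"], e["action"], e["outcome"]) for e in self.entries if e["record_id"] == record_id]

def demo():
    # Constructed sample events, not real patient data.
    log = PhiAuditLog()
    t = datetime(2015, 10, 1, 12, 0, tzinfo=timezone.utc)
    log.record("dr.jones", "view", "patient-1001", "success", t)
    log.record("nurse.kim", "update", "patient-1001", "success", t)
    log.record("unknown", "view", "patient-2002", "denied", t)
    return log
```

In a real product the entries would be written to storage the application itself cannot rewrite (for example a separate, append-only log service), and the chain verified there; the hash chain only makes tampering detectable, it does not prevent it.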
Dr. Iltifat Husain’s take:
This is a great resource by the U.S. Department of Health and Human Services. We have written extensively in the past about concerns we have with digital medicine apps and the health data some apps store. I’m even impressed by how the system looks somewhat like reddit – enabling developers to vote on questions so some of them take a higher priority and get answered more quickly.