Congressmen Decry 'Sluggish' Release of HIPAA GuidanceCall for Guidance on Mobile Apps, Cloud Storage
Federal regulators are moving too slowly in issuing HIPAA security and privacy guidance related to mobile health apps, cloud storage and other emerging technologies, eight members of Congress from both parties assert in a letter to the Department of Health and Human Services.
See Also: 12 Top Cloud Threats of 2016
The March 9 letter to HHS Secretary Sylvia Mathews Burwell from Rep. Peter DeFazio, D-Ore., Tom Marino, R-Pa., and six other members of the U.S. House of Representatives complains that HHS hasn't fulfilled commitments HHS made in 2014 to issue certain HIPAA guidance.
Those HHS commitments were included in a letter that Burwell sent to Marino in November 2014 in response to an earlier letter questioning what mobile technology companies needed to do to comply with HIPAA.
In a March 10 statement issued by DeFazio's office, the congressmen say, "The lawmakers first contacted HHS in 2014, requesting updated guidance to HIPAA privacy and security rules for connected health technologies. HHS has yet to provide a comprehensive plan for how to best implement new standards."
A spokeswoman for DeFazio tells Information Security Media Group that the lawmakers wrote the recent letter to HHS because "they have heard from companies that have heard from consumers, doctors and medical providers that they are wary to use technologies for which there is no HIPAA guidance. Some of these technologies could potentially save lives."
While most of the concerns voiced to the congressmen pertained to mobile health apps running on smartphones, some of the worries also relate to Internet of Things devices, such as consumer wearable fitness and health gear, the spokeswoman says.
In the letter to HHS, the congressmen write: "More than 15 months have passed since you outlined a number of commitments to Congress. The sluggish pace of work since has been very disappointing."
Although the letter acknowledges that HHS' Office for Civil Rights issued mobile health application guidance in February for developers, the legislators say that's insufficient. "The sum of its efforts reveals a worrisome lack of urgency," the congressmen write. "At this stage, a detailed plan with concrete deadlines is required."
The letter continues: "We have serious concerns about the consequences of HHS inaction. Advances in mobile health technology have the potential to dramatically improve patient outcomes and the accessibility of health care. This innovation is coming at a rapid pace, but your agency has done little to demonstrate it can manage the significance."
Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says congressional scrutiny of OCR's HIPAA guidance for mobile health technology is being fueled by pressure from vendors that want to avoid HIPAA regulatory oversight.
"OCR's recent guidance concerning health apps and the requirements of the HIPAA standards took a very narrow approach, seemingly to have gone out of their way to avoid extending the privacy and security standards to health apps that are in the hands of consumers," he says. "What I suspect this is really about is an aggressive campaign by healthcare app vendors to have unrestricted ability to collect and market the sensitive information of patients using health-related apps in every circumstance without having to get permission of the consumer."
In addition to seeking HIPAA guidance related to mobile health technology, the congressmen write that HHS missed fulfilling other commitments made in 2014, including:
- Providing up-to-date and clear information about what is expected of technology companies for compliance with the HIPAA rules and identifying the implementation standards that can help technology companies conform to the regulations;
- Providing more clarity on HIPAA obligations for companies and services that store data in the cloud;
- Engaging regularly with technology companies to provide compliance assistance.
"We welcomed these commitments in 2014, but have seen little evidence of meaningful follow through," the congressmen write. "Directing queries to outdated content on the HHS website does not meet our expectations for sufficient guidance. And the Feb. 10, 2016, release of the [mobile health app guidance] document underscores persistent shortcomings in the HHS response."
Long To-Do List
During an interview at the recent HIMSS 2016 conference, Deven McGraw, OCR deputy director of information privacy, told ISMG that among new guidance planned by OCR for 2016 is advice related to cloud computing issues.
In recent months, OCR has also issued several other guidance documents, including a "crosswalk" between the HIPAA Security Rule and NIST's Cybersecurity Framework to help healthcare entities and business associates map NIST standards to HIPAA requirements.
Also, on March 14, OCR Director Jocelyn Samuels issued guidance pertaining to HIPAA and certain workplace wellness programs. She noted that "HIPAA does not apply to all workplace wellness programs; it does apply to programs offered as part of an employer-sponsored group health plan."
In addition to the HIPAA guidance that the congressmen say is overdue, OCR is also tackling a long list of other projects that have been in the pipeline for some time. That includes launching phase two of OCR's long delayed HIPAA compliance audits later this year, with a new audit protocol slated for release in April.
OCR also plans to resume work on the long-delayed accounting of disclosures rule and a notice of proposed rulemaking for sharing monetary penalties collected by OCR for HIPAA noncompliance with certain breach victims.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says he's hoping that the next guidance issued by OCR is for cloud computing, "preferably with an opportunity [for public] comment." But even more urgent is the new HIPAA compliance audit protocol, he says.
OCR, which investigates health data breaches as the nation's HIPAA enforcer, has limited resources, Greene acknowledges. "The reality is that OCR is understaffed and sometimes has limited control over when guidance and other documents are released, as there are multiple layers of clearance that must be completed," says Greene, who was formerly an OCR attorney. "When I was with HHS, I learned that if I tried to even conservatively promise when a regulation or guidance would come out, I would frequently be wrong."
Holtzman, who also formerly worked at OCR as a senior adviser, says federal funding hasn't kept up with congressional demands on the office.
"The fact is that OCR's congressional budget authorization has not kept pace against even the meager increases in the annual cost-of-living," he says. "In real dollars, Congress has provided OCR less in the current fiscal year than the year before, and next fiscal year does not look any better."
An OCR spokeswoman tells ISMG that HHS is preparing a response to the congressmen's letter and declined further comment.