ropesgray.com

The Health App Guidance also clarifies that a health app that is downloaded and used solely by individual consumers does not result in the app developer’s becoming subject to HIPAA. The Health App Guidance is the latest development to arise from OCR’s mHealth Developer Portal, a platform launched last fall that allows health app developers and others to ask OCR questions regarding health technology and privacy laws, including HIPAA. Accordingly, OCR has stated that such a developer is clearly not a BA for this same reason even if: (i) a Provider recommends the health app to his or her patient, (ii) the consumer uploads his or her electronic health record (“EHR”) to the health app from a Provider’s patient portal or (iii) the app developer enters into an interoperability agreement with the Provider that allows the consumer to transmit information from the health app to the Provider. Scenarios in which Health Apps are BAs. In contrast, in this latter scenario, the Health App Guidance specifies that if the same developer offers a separate, direct-to-consumer version of the health app with the same functionality, this version of the health app would not be subject to the HIPAA rules as long as the developer keeps the health information contained in the two versions of the health app entirely separate.

As Ropes & Gray has summarized Cures Act provisions related to Medicare and Medicaid, FDA regulatory and digital health in separate Alerts, the bill contains significant changes to FDA’s regulation of drugs and devices as part of medical innovation reform, as well as modifications to Medicare and Medicaid programs. The Clinical Research provisions of the House-passed version of the 21st Century Cures Act signal a trend by Congress to minimize unnecessary and duplicative administrative (including federal and institutional) requirements, and to promote the broad availability of clinical research data, with adequate security and privacy measures, to advance medical product innovation. This provision would require HHS to amend the HIPAA Privacy Rule to: (1) allow the use and disclosure of protected health information by a covered entity for research purposes, including for studies whose purpose is to obtain generalizable knowledge, to be treated as the use and disclosure of such information for “health care operations”; (2) include research activities related to the quality, safety, or effectiveness of an FDA-regulated product as a public health activity to allow a covered entity to disclose protected health information under certain conditions; and (3) permit remote access to health information by a researcher if appropriate security and privacy safeguards are maintained and if the protected health information is not retained by the researcher. Following the House’s passage of the Cures Act, HELP Committee Chairman Lamar Alexander (R-TN) stated that the Senate’s work would continue “on a parallel track . . . to produce a bill that [the Senate] can combine with 21st Century Cures and send to the President’s desk.