Health Law Alert: OCR Releases Platform to Solicit Comments from Health App Developers on HIPAA Requirements


By Jesse Berg and Julia Marotte

The Office for Civil Rights (OCR), the sub-agency within the U.S. Department of Health and Human Services charged with enforcing HIPAA, recently launched a new tool intended to help developers of health care technology understand more about this important law. On the new platform, developers can post questions and comments about HIPAA privacy and security concerns, which allows OCR to better understand the barriers developers face and to provide feedback and guidance. The new platform is available here.


The HIPAA Privacy Rule went into effect in the spring of 2003, long before apps, smartphones, tablets, or Apple Watches were on anyone’s radar. Since then, HIPAA has changed in several important ways, but it has not been modified to account for technology’s ever-growing role in how health care is delivered. Depending on the kind of technology they offer, and on whether patient protected health information (PHI) plays a role in how that technology is used, developers often find themselves facing an unfamiliar and sometimes confusing or counterintuitive set of regulations. Questions that many developers have struggled with include:

  • Who is a business associate? What kinds of provisions should be in a business associate agreement?
  • When does information become PHI? If an individual provides information directly to the app, does that constitute PHI?
  • Can a developer use PHI for its own purposes, or may PHI be used only for the purposes of the physician who uses the developer’s technology in patient care?
  • Do state privacy laws apply and, if so, how do they interact with HIPAA?
  • What if the technology in use has outpaced the standards and specifications in the HIPAA Security Rule?

New Platform: A Place to Ask Questions and (Hopefully) Get Answers

To help developers sort through these and other questions, OCR has created this new platform. The idea is that people can raise questions and respond to questions posed by others. OCR will monitor the discussion and use the information to publish guidance from time to time on matters that appear to be of common concern. The identities of all posters will be anonymous to the agency, and OCR helpfully notes that “posting or commenting on a question … will not subject anyone to enforcement action.” OCR explains that it wants to hear from the industry about which HIPAA requirements are confusing and what kinds of guidance would be helpful, so that businesses can better understand their HIPAA obligations.

Next Steps

OCR has been proactive about providing HIPAA guidance to the industry, and in recent years it appears to have redoubled those efforts. This latest platform appears to be a useful way to raise concerns and potentially get feedback from others about health care privacy and security matters. Federal agencies have repeatedly said that it is difficult for them to provide guidance to the health care industry when they do not hear directly from those in the industry about the problems encountered in meeting regulatory standards. This tool may be a helpful way to give OCR feedback about the HIPAA issues that are vexing your organization.

If you have questions about HIPAA or the new OCR platform, please contact Jesse Berg at (612.632.3374) or Julia Marotte at (612.632.3280).