Over the past few years, and particularly during the COVID-19 pandemic, the Department of Health and Human Services Office for Civil Rights in Action (OCR) has made countless efforts to enhance its Health Insurance Portability and Accountability Act (HIPAA) guidance and other related resources on its website. Last week, the OCR launched a new feature on their website HHS.gov, entitled Health Apps, which updates and renames  the OCR’s previous Health App Developer Portal, and is available here.

The new site features the OCR’s helpful guidance on “when and how” HIPAA regulations may be applicable to mobile health applications, acutely relevant during the COVID-19 pandemic as many aspects of the healthcare industry shift to telehealth.

Here are the key features of the OCR’s new Health Apps:

  • Mobile Health Apps Interactive Tool
    • The Federal Trade Commission (FTC), in conjunction with OCR, the HHS Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), created a web-based tool to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.
  • Health App Use Scenarios & HIPAA
    • Provides various use scenarios for mHealth applications, and explains when an app developer may be acting as a business associate under the HIPAA Rules.
  • FAQs on the HIPAA Right of Access, Apps & APIs
    • Provides helpful insight on how the HIPAA Rules apply to covered entities and their business associates with respect to the right of access, apps, and application programming interface (APIs).
  • FAQs on HIPAA & Health Information Technology
    • Provides helpful insight on the relationship between HIPAA and Health IT.
  • Guidance on HIPAA & Cloud Computing
    • Assistance for HIPAA covered entities and business associates, including cloud service providers, in how to effectively utilize cloud computing while still maintain HIPAA compliance.

As telehealth has increasingly become the norm, and the US continues to implement and consider various forms of contact tracing apps, patient privacy and maintaining HIPAA privacy and security obligations has never been more important.   The increased use of mobile health applications and other related tools to assist healthcare providers with facilitation of telehealth capabilities, also comes with an increased risk of data breaches and improper disclosures of protected health information (PHI) to unauthorized individuals.  The features of OCR’s new Health apps are a great starting point for HIPAA covered entities and businesses associates that utilize mobile health apps, and want to ensure compliance with their HIPAA obligations.

Below are some of our additional resources on OCR HIPAA related initiatives of late:

 

 

 

Tags: health app, Health App Developer, Health Insurance Portability and Accountability Act, HIPAA, HIPAA guidance, OCR, Office of Civil Rights, telehealth, U.S. Department of Health and Human Services
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Privacy blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Read more about Jason C. Gavejian
Show more Show less
Related Posts
Sooner State Soon to Join Consumer Privacy Patchwork
March 30, 2026
Top 10 Privacy, AI & Cybersecurity Issues for 2026
January 28, 2026
Florida’s Digital Wiretapping Surge: What Businesses Need to Know About FSCA Litigation
January 27, 2026