There has been lots of confusion in the marketplace regarding when the Health Insurance Portability and Accountability Act, or HIPAA (one 'p' and two 'a's), should apply to mobile apps. You can read more about HIPAA here.
Typically, confusion ≠ innovation.
Recently the Department of Health and Human Services, through its Office for Civil Rights, released a new website targeted at mobile health app developers. The site was intended to open a dialog on issues relevant to mHealth developers, and one of the issues many of them were likely to raise was the applicability of HIPAA. In response, the site was recently updated with additional guidance, found here.
This document, only a few pages long, helps to clarify a number of issues through relevant examples. The questions it attempts to address are:
- How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
- When might an app developer need to comply with the HIPAA rules?
Please refer to the document for the full detail (it makes clear that even a slight change in the facts of a situation may change whether HIPAA applies), but here are some highlights:
"A consumer downloads a health app to her smartphone. She populates it with her own information."
Developer is NOT a HIPAA Business Associate.
"Consumer downloads a health app to her smartphone that is designed to help her manage a chronic condition. She downloads data from her doctor's EHR through a patient portal, onto her computer and then uploads it into the app. She also adds her own information to the app."
Developer is NOT a HIPAA Business Associate.
"Doctor counsels patient that his BMI is too high, and recommends a particular app that tracks diet, exercise, and weight. Consumer downloads app to his smartphone and uses it to send a summary report to his doctor before his next appointment."
Developer is NOT a HIPAA Business Associate.
"Consumer downloads a health app to her smartphone that is designed to help her manage a chronic condition. Health care provider and app developer have entered into an interoperability arrangement at the consumer's request that facilitates secure exchange of consumer information between the provider EHR and the app. The consumer populates information on the app and directs the app to transmit the information to the provider's EHR. The consumer is able to access test results from the provider through the app."
Developer is NOT a HIPAA Business Associate.
In all of these cases, the developer is not a HIPAA Business Associate because the developer is not creating, receiving, maintaining or transmitting protected health information (PHI) on behalf of a covered entity or another business associate. That last piece, "on behalf of," is the key. In each example the consumer chose to take these actions, and the consumer has the right to do what she wants with her own information.
This last example is also what would likely apply when a consumer chooses to make use of Apple's HealthKit, which we have been using for over a year here at Duke. The way it's set up here, even when a physician makes a recommendation to have a consumer share his/her information in order to facilitate care, the consumer can choose to do so manually via MyChart or via HealthKit. HealthKit is never required - it's the consumer's choice.
The document also gives two examples of cases in which the developer would be a business associate:
"At direction of her provider, patient downloads a health app to her smart phone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, EHR integration and application interfaces. Information the patient inputs is automatically incorporated into provider EHR."
"Consumer downloads to her smart phone a mobile PHR app offered by her health plan that offers users in its network the ability to request, download and store health plan records and check the status of claims and coverage decisions. The app also contains the plan's wellness tools for members, so they can track their progress in improving their health. Health plan analyzes health information and data about app usage to understand effectiveness of its health and wellness offerings. App developer also offers a separate, direct-to-consumer version of the app that consumers can use to store, manage, and organize their health records, to improve their health habits and to send health information to providers."
Hopefully this helps provide a little clarity regarding when HIPAA is relevant. If you have additional questions, I suggest submitting them to the mHealth HIPAA site referenced above.