How does HIPAA apply to health information that patients create, manage or organize through the use of health apps? And, when must an app developer comply with the HIPAA Rules? Those are some of the questions that the HHS Office for Civil Rights has tried to answer in new guidance released to industry.

The OCR guidance, which offers a range of health app use scenarios and how HIPAA might apply, comes at a time when provider organizations are increasingly turning to mHealth apps to boost patient engagement. For example, two-thirds of the nation’s 100 largest hospitals now offer mobile apps to their patients, according to survey results released last month by consulting firm Accenture.

When it comes to health apps, individuals and organizations that meet the definition of a covered entity or business associate must comply with the HIPAA rules, says Deven McGraw, deputy director for health information privacy at OCR. However, McGraw makes the case that a “covered entity” must comply with HIPAA Privacy, Security and Breach Notification Rules “in their entirety,” while a business associate “does not have that same level of responsibility nor does it have all of the same rights” with regard to protected health information (PHI).

Deven McGraw

“Only health plans, healthcare clearinghouses and most healthcare providers are covered entities under HIPAA,” according to the OCR guidance. “If you work for one of these entities, and as part of your job you are creating an app that involves the use or disclosure of identifiable health information, the entity (and you, as a member of its workforce) must protect that information in compliance with the HIPAA Rules.”

At the same time, the guidance argues that “even if you are not a covered entity, you may be a business associate if you are creating or offering the app on behalf of a covered entity (or one of the covered entity’s contractors)—and in that case you are required to comply with certain provisions of the HIPAA Rules.”

The HIPAA Privacy Rule allows covered providers and health plans to disclose PHI to business associates if providers or health plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

As the OCR guidance points out, most vendors or contractors (including subcontractors) that provide services to or perform functions for covered entities that involve access to PHI are considered business associates, such as a company that is given access to PHI by a covered entity to provide and manage a personal health record or patient portal offered by the covered entity to its patients or enrollees.

The guidance is the first of its kind for OCR and follows the agency’s launch in November 2015 of an mHealth Developer Portal that serves as a platform to enable app developers and others to gain a better understanding of how HIPAA regulations apply to mHealth design and development.

“We don’t cover the entire app community,” adds McGraw, referring to developers that do not create, receive, maintain or transmit PHI on behalf of a covered entity or business associate. “As you can see in the guidance, there are plenty of such circumstances—particularly when the mobile app is marketed directly to consumers and is designed to be consumer controlled. It is much more likely that that kind of app is not going to be covered by HIPAA—either as a covered entity or business associate.”
