On February 11, 2016, the Department of Health and Human Services, Office for Civil Rights (“OCR”), released important guidance on its Developer Portal to address the application of the Health Insurance Portability and Accountability Act (“HIPAA”) regulations to developers of mobile health apps. Whether a mobile app developer is directly employed by a covered entity (i.e., health plans, health care clearing houses, and most health care providers) or a business associate of a covered entity (or one of the covered entity’s contractors), reasonable safeguards must be applied when the developer creates, receives, maintains or transmits protected health information (“PHI”) on behalf of a covered entity or other business associate.
The OCR guidance provides “Key Questions” for app developers in determining whether or not they may be a business associate of a covered entity. In addition, the OCR guidance provides several factual scenarios to further assist app developers in determining whether they are considered a business associate. Below are two of the scenarios included in the OCR guidance, one in which the developer would not be considered a business associate and one where the developer would be considered a business associate.
Scenario: Consumer downloads a health app to her smartphone. She populates it with her own information. For example, the consumer inputs blood glucose levels and blood pressure readings she obtained herself using home health equipment.
Business Associate? No. Developer is not creating, receiving, maintaining or transmitting PHI on behalf of a covered entity or another business associate. The consumer is using the developer’s app to help her manage and organize her information without any involvement of her health care providers.
Scenario: At direction of her provider, patient downloads a health app to her smart phone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, EHR integration and application interfaces. Information the patient inputs is automatically incorporated into provider EHR.
Business Associate? Yes, the developer is a business associate of the provider, because it is creating, receiving, maintaining and transmitting PHI on behalf of a covered entity. In this case, the provider contracts with the app developer for patient management services that involve creating, receiving, maintaining and transmitting PHI, and the app is a means for providing those services.
While OCR acknowledges that the scenarios provided in the guidance are fact and circumstance specific, the information contained in the guidance provides a valuable starting point for mobile app developers in determining whether they are subject to HIPAA regulations. If you have additional questions pertaining to HIPAA’s application to you or your organization, or otherwise need assistance regarding HIPAA, please contact an experienced healthcare attorney at (248) 544-0888 or via email at firstname.lastname@example.org.