Posted by:Shyam Deval March 29th, 2016

There is no denying the impact of mHealth apps on healthcare. It continues to revolutionize the way healthcare is delivered. From being a repository of useful information, to helping patients become more active participants in their care to remote patient monitoring and more, health apps continue to push the boundaries. These apps also provide a wealth of actionable insights to physicians, caregivers and patients – right in the palm of their hands.

But with access to such data, also comes great responsibility towards patient privacy. HIPAA compliance and regulations, especially as it concerns to mHealth has always been a grey area. In principle, organizations or individuals that meet the definition of a covered entity or business associate will have to comply with HIPAA rules. However the level of responsibility may differ. While a covered entity will have to ensure compliance in its entirety, a business associate might not have the same responsibilities or rights. Interpretation and application of these and other rules have always proved to be a challenge to app developers, providers and other entities working on mHealth apps.

The Office for Civil Rights (OCR) recently released a list of health app scenarios in which HIPAA regulations would apply.

This list helps in answering two pertinent questions –

1) How does HIPAA apply to patient-generated health data through the use of an mHealth app?

2) When do mHealth app developers need to comply with HIPAA regulations?

A brief synopsis of some of the scenarios listed and what determines if the app developer is a HIPAA business associate include –

  • First set of scenarios includes consumer apps that are downloaded by the patients typically from public app stores such as iTunes and Google Play. For example a health app used by a user to record her own health information such as blood glucose levels using home health equipment or a health information app that informs and helps patients with managing a chronic condition.

  • Another example is an app used by patients for communication with the providers such as to send some reports to the physician before an appointment through an interoperability agreement the app developer may have with a provider organization.

    In all these cases, it is crucial to note that the developer is not creating, receiving,maintaining or transmitting protected health information (PHI) on behalf of a covered entity such as a provider or health plan organization or a business associate associated with a covered entity. So essentially the app developer is merely providing a service to the consumer on her behalf and at her request. If there is no indication that a provider organization or an independent physician hired the app developer to provide services to patients involving the handling of PHI, then merely the the consumer’s use of an app to store, manage and possibly even transmit data to a covered entity does not by itself make the app developer subject to HIPPA compliance.

  • On the other hand are mHealth apps that are commissioned from an app developer by a covered entity such as a provider or insurance organization. For example, a PHR app offered by health plan that enables users in its network the ability to request, download and store health plan records and check the status of claims and coverage decisions. Also in this category will be an app developed for a provider that offers patient management services like remote patient health counseling and patient messaging, health record access and more.

  • In cases like these, any information the user inputs within an app could be automatically incorporated to the provider’s EHR. In these type of scenarios where the app developer is creating, receiving, maintaining or transmitting protected health information on behalf of a covered entity, then they are considered to be a BA (business associate) and subject to HIPAA compliance as well.

    If there is any ‘direct-to-consumer’ component to these apps (which was not commissioned by any CE organization), then developer activities with respect to that do not fall under HIPAA regulations, as long as the developer takes care to keep the health information attached to these two versions of the app separate. Here is a link to the detailed guidance report

Therefore, it becomes extremely important for app developers to determine who their clients are and if they are covered entities, and if their app creates, receives, maintains or transmits identifiable information. Each individual app scenario is different and must be looked at carefully to determine HIPAA compliance obligations.

What is the mhealth Roadmap to Success ? Download the infographic to know more!

Leave a Reply

Your email address will not be published. Required fields are marked *