Recently, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) published two guidance documents related to HIPAA compliance. To help mobile app developers understand their HIPAA compliance obligations, OCR published guidance on the use of mobile health apps (the “Health App Guidance”). OCR also released a crosswalk (the “Crosswalk”) that maps the National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”) to the HIPAA Security Rule.
The Health App Guidance sets out several scenarios for health apps and analyzes whether the app developer would be a HIPAA business associate in each scenario. For example, when consumers download a health app that enables them to populate the app with information about their blood sugar levels and blood pressure, OCR indicates that the app developer would not be a business associate because the app developer is not creating, receiving, maintaining or transmitting protected health information (“PHI”) on behalf of a covered entity or another business associate. In contrast, OCR believes that an app developer who contracts with a health care provider to develop an app that enables the patient to input information and send it to the provider to be incorporated into the provider’s electronic health records would be a business associate.
The Health App Guidance summarizes that an app developer is likely a business associate if it is (1) hired, or has the app paid for, by a covered entity or another business associate, and (2) directed by the covered entity or business associate to create, receive, maintain or disclose PHI. The app developer is likely not a business associate if (1) the app is independently selected by a consumer, (2) the consumer alone decides whether to transmit PHI to a third party, and (3) the app developer does not have a relationship with that third party (apart from an interoperability relationship).
The Crosswalk maps the administrative, physical and technical safeguards in the HIPAA Security Rule to a NIST Cybersecurity Framework Subcategory (or, in some cases, multiple Subcategories). For example, the HIPAA Security Rule implementation specification for “Log-in monitoring” obligates entities to implement procedures for monitoring log-in attempts and reporting discrepancies. This is mapped to numerous NIST Cybersecurity Framework Subcategories, including those that require that “[t]he network is monitored to detect potential cybersecurity events” and “[m]onitoring for unauthorized personnel, connections, devices, and software is performed.” OCR cautions, however, that the Crosswalk is intended to be “an informative reference” rather than a guarantee of HIPAA Security Rule compliance.
The Health App Guidance and Crosswalk should serve as valuable tools that will help both covered entities and business associates evaluate their potential HIPAA obligations and take steps to achieve compliance with those obligations.