Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights (OCR) has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A clearer understanding of how the rules apply can also help bring down barriers to innovation.
The guidance, titled “Health App Use Scenarios & HIPAA,” builds on the mHealth Developer Portal, which serves as a platform for users to share difficult use cases and best practices. On the portal, developers can also submit questions to OCR that will inform future guidance releases. OCR announced the guidance with a statement that the agency hopes it will help developers determine “how federal regulations might apply to the products they are building” and reduce uncertainty. The guidance offers developers background information on HIPAA and then details various scenarios, identifying when an app developer is—and is not—acting as a business associate.
In scenarios where consumers enter their own health information and a HIPAA covered entity is not involved, the guidance makes clear that the developer is not a business associate. The guidance also explains that in many cases, where an app developer is not hired by a provider or plan to offer or facilitate the service, the developer will not be a business associate.
The guidance also runs through scenarios in which developers are acting as business associates—for example, when a provider has contracted with an app developer for patient management services like health counseling, patient messaging, or patient monitoring; or when a health plan offers an app to store and analyze health information.
Finally, the guidance lists key questions for app developers to help them determine if they are a business associate, including:
Does your health app create, receive, maintain, or transmit identifiable information?
Who are your clients?
How are you funded?
Is your app independently selected by a consumer?
Does the consumer control all decisions about whether to transmit her data to a third party, such as to her health care provider or health plan?
If developers determine that they are business associates, certain provisions of the HIPAA Rules will apply, including a requirement to enter into business associate agreements, when appropriate, and to comply with their terms.
In addition to using this guidance, developers should consider the following steps to ensure they are aware of all applicable regulations and enforcement.
For apps that target international consumers, developers should take care to understand how mHealth is regulated in the EU, including what information is considered personal and/or sensitive data and what the new GDPR means for health data. Regardless of whether HIPAA applies, developers should consider consumer privacy and security in designing an app; the OCR guidance provides FTC resources on app security and marketing as a place to start. Developers that determine they are acting as business associates should take steps to prepare for the upcoming HIPAA audits, which will target business associates for the first time.