The U.S. Department of Health and Human Services' Office of Civil Rights ("OCR") recently published guidance for developers of healthcare applications who, along with the physicians they work with, may need to comply with the Health Insurance Portability and Accountability Act ("HIPAA").
The new guidance, which addresses mobile health (mHealth) apps, primarily concentrates on two main questions: First, how does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app? Second, when might an app developer need to comply with the HIPAA rules?
OCR emphasizes that the answers to these questions are fact- and circumstance-specific. Rather than a list of rules, the health app guidance sets out several scenarios for health apps and analyzes whether the app developer would be subject to HIPAA in each one.
The OCR guidance emphasizes that regardless of whether HIPAA applies, mobile app developers should consider consumer privacy and security in designing an app. The guidance refers to FTC resources on app security and marketing as a place to start in this regard.
OCR has also published a Crosswalk that maps the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity to the HIPAA Security Rule.
The health app guidance and Crosswalk provide a meaningful starting point for mobile app developers in determining whether they are subject to HIPAA regulations. We will be glad to provide further advice and recommendations on the steps required to achieve compliance with the applicable obligations.