Health-related technology has developed light-years faster than health information privacy and security protection laws and policies, and consumers can find new mobile health applications for a wide range of purposes ranging from diabetes management to mole or rash evaluation to fitness tracking. Smart mobile app developers wondering when and how HIPAA privacy and security requirements affect their products need to take a step back and ask that most basic of HIPAA questions: What am I?
The question is one that has been posed on this blog in the past, and one worth returning to on a regular basis, because the answer is not always obvious but is critical for HIPAA compliance.
The Secretary of Health and Human Services (HHS) recently released a letter, written to U.S. Representative Peter DeFazio regarding the development and use of mobile health apps and HIPAA compliance, reminding him (and anyone reading the letter) that:
“The first question for any entity … is whether it is a covered entity or a business associate within the meaning of the HIPAA rules.”
The Secretary then helpfully provides links to the Office for Civil Rights (OCR) website’s “frequently asked questions” tools (see here for examples of “Who are Business Associates” and here for information on Covered Entities) and points out that OCR works closely with the Office of the National Coordinator for Health Information Technology (ONC) in developing guidance and tools for securing health information technology (a tool specific to mobile device privacy and security is available here). However, there is no quick and easy way to figure out whether HIPAA applies to a specific mobile health application. The inquiry must always go back to the beginning: are you a Business Associate (or a subcontractor of a Business Associate) or a Covered Entity? If not, HIPAA does not apply, although other state and federal laws may still require you to protect individually identifiable information (of which protected health information, or PHI, is a subset).
Bear in mind that your HIPAA identity will change depending on who is using your app and for what purpose. If you develop a mobile health app that allows an individual to create, receive, maintain or transmit information about herself, the app is likely not covered by HIPAA, because the individual is not acting as a Business Associate or Covered Entity when using it. Even if the individual uses the app to send her PHI to her health care provider, the app most likely will not be subject to HIPAA, just as the patient herself is not subject to HIPAA with respect to information about herself that she chooses to share with her provider. However, if you develop the app for use by the health care provider, you very well may be a Business Associate of the Covered Entity health care provider. In that scenario, if you are providing a service on behalf of the provider that involves your access to PHI (whether or not the PHI was sent by the individual patient herself), you must comply with HIPAA.
So while the basic “What am I?” question sounds simple, the answer requires consideration of who is downloading and using the mobile health app you create, and the purpose for which it is being used.