A tricky issue for mobile health app developers since the Office for Civil Rights (OCR) released its first “Health App Use Scenarios & HIPAA” guidance back in 2016 has been deciphering whether the developer is a business associate if it offers its app on a consumer-facing basis as well as through covered entities (or their business associates).  I wrote about this at the time, highlighting the “maybe”:  whether a health app is acting as a business associate and subject to HIPAA depends on how an individual accesses the app. If the app is offered by or through a covered entity health plan or health care provider, the health data created, received, maintained or transmitted via the app is subject to HIPAA.  If the same app is accessed as a “direct-to-consumer” product, it is not.

This past week, OCR announced a new resource page for mobile health app developers.   The “maybe” is still there — the resource page includes the same “Health App Use Scenarios & HIPAA” guidance from 2016.  However, the OCR has added  a page on “Access Right, Apps, and APIs” that includes new guidance on the relationship between health apps and HIPAA.   As described in my August 17, 2020 post, the 21st Century Cures Act and implementing regulations adopted this past May generally require health care providers, plans, and many types of health information technology vendors to allow individuals to access electronic health information by way of a mobile health app.   Consumer use of health apps, whether provided by a health care provider, health plan, electronic health records company, or other entity subject to HIPAA, or whether purchased or accessed directly by the consumer without involvement of these persons or entities, is likely to steadily increase.

The “Access Right, Apps, and APIs” guidance includes its own tricky “maybe” when it comes to apps developed by or on behalf of an electronic health records system:

Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?

A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.

If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

Understanding whether HIPAA applies to the information accessed (or created, stored, or sent) in this manner is critical for covered entities, business associates, and individuals alike.  And even though a health app developer that markets directly to consumers may not be providing services on behalf of a covered entity or business associate and not be subject to HIPAA, the developer should make sure the individual using the health app understands how their individually identifiable health information is (and is not) protected.