The Office for Civil Rights (OCR) has published new guidelines to address the use of mobile health apps (known as mHealth apps) as it relates to the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
It's not uncommon for doctors, surgeons, chiropractors, nurses and other healthcare workers to use smartphone and other mobile apps to facilitate their normal day-to-day operations. These apps may contain information about patients, allowing healthcare workers to find their respective patients with greater ease. But covered entities should approach with caution when downloading and using mobile apps, because they may cause conflict with HIPAA laws.
Not all apps are covered under HIPAA laws, however. As noted by the OCR, only apps that involve the use or disclosure of Protected Health Information (PHI) are addressed by HIPAA. Assuming there is no PHI being transmitted by or stored on the app, the covered entity is not required to implement any special measures to protect it – not under HIPAA, at least.
Furthermore, covered entities are responsible for following HIPAA, not the app developer(s). If a covered entity outsources the task of developing a mobile health app to another company, a Business Associates Agreement (BAA) should be used.
“Only health plans, healthcare clearinghouses and most healthcare providers are covered entities under HIPAA,” explained the OCR in its new guidelines. “If you work for one of these entities, and as part of your job you are creating an app that involves the use or disclosure of identifiable health information, the entity (and you, as a member of its workforce) must protect that information in compliance with the HIPAA Rules.”
In its new document titled “Health App Use Scenarios & HIPAA,” the OCR reveals several scenarios involving mobile health apps, asking the question: is the app developer in the scenario a HIPAA business associate? One such scenario involves a patient who has downloaded a mobile health app to her smartphone to help manage a chronic condition. The patient later downloads data from her doctor's website and then uploads it to your phone's new mobile app. According to the OCR, the app developer in this scenario is NOT a business associate because the developer is not creating, receiving or maintaining PHI on behalf of the covered entity.
The OCR is certainly working to create greater transparency with HIPAA and mobile health apps. In addition to its new document, the OCR has also launched a portal aimed specifically for app developers. This portal can be accessed at http://hipaaqsportal.hhs.gov/.