HIPAA guidelines for health app developers

Posted: Feb 24, 2016

The HHS Office for Civil Rights (OCR) has published new guidance on its mHealth Developer Portal, to help app developers determine how HIPAA regulations might apply to the products they are building.

The new guide, entitled Health App Use Scenarios & HIPAA, includes six hypothetical scenarios which set out to address the following two questions:
  • How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
  • When might an app developer need to comply with the HIPAA Rules?

The topic of HIPAA compliance in app development is particularly pertinent at this moment in time for two reasons:

  1. According to research undertaken by HealthITSecurity.com, HIPAA compliance is one of the top-cited mobile health concerns for 2016 – as mobile usage within healthcare continues to grow, so do the risks.
  2. The OCR’s imminent phase 2 HIPAA audits will include business associates, as well as covered entities, so even those who provide services to covered entities will be under the microscope this time around.

Am I a business associate?

Within the guide, OCR clarifies that any person or organization creating an application on behalf of a HIPAA covered entity is considered a business associate (BA) under HIPAA, and is therefore required to comply with certain provisions of the HIPAA Rules.

To recap, a business associate is defined as follows: “A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

For those who have question marks over whether or not they are considered to be a business associate, OCR suggests the following questions should be considered carefully:

  • Does your health app create, receive, maintain, or transmit identifiable information?
  • Who are your clients? How are you funded?
  • Are your clients covered entities? e.g.,
    • hospitals, doctor’s offices, clinics, pharmacies, or other health care providers who conduct electronic transactions;
    • health insurance issuers; health or wellness program related to a health plan offered by an employer
  • Were you hired by, or are you paid for your service or product by, a covered entity? Or another business contracted to a covered entity?
  • Does a covered entity (or a business associate acting on its behalf) direct you to create, receive, maintain or disclose information related to a patient or health plan member?

If the answer to one or more of these questions is “yes”, there’s a good chance you are a business associate.

Conversely, OCR also provides instances in which app developers do not necessarily need to be HIPAA compliant: “If you are only offering services directly to and collecting information for or on behalf of consumers, and not on behalf of a provider, health plan or health care clearinghouse, you are not likely to be subject to HIPAA as either a covered entity or business associate.”

Such scenarios include:

  • If the app is independently selected by a consumer
  • If the consumer controls decisions about whether to transmit his or her data to a third party, such as a health care provider or health plan
  • If you (the developer) have no relationship with that third party entity (other than an interoperability relationship)

Even in these scenarios, though, the developer retains a duty to protect the user’s health data.

App developers seeking further advice on HIPAA compliance should consult OCR’s mHealth Developer Portal.