Healthcare apps are a rising trend in the healthcare industry, from patient-centered health record tracking apps to on-demand coverage details for HMOs. Mobile apps are often developed by individual developers, app development firms, or by the covered entities themselves. With such a wide variety of circumstances and development environments, how can a healthcare app developer determine whether or not they are required to be HIPAA compliant?
How to Know if your Healthcare App Needs to be HIPAA Compliant
To answer this question, we need to understand what type of data the app stores and the relationship the app developer has to any covered entities.
Our Answer: Fundamentally, apps only need to be HIPAA compliant if they store, transmit, or display Protected Health Information (PHI) and if the company that makes the app is a Covered Entity or Business Associate.
Protected Health Information is any individually identifiable information, such as real names, SSNs, addresses, etc., in combination with health information such as health records, insurance records, clinical visits, etc. However, this type of information is only classified as PHI, and protected by HIPAA, if it is created by or on behalf of a covered entity.
So, if an app allows users to track their blood pressure by entering it directly into the app themselves, this information would NOT be considered PHI.
But if a hospital created an app that allowed users to track blood pressure as it was measured by nurses or clinicians, then it WOULD be considered PHI. See the difference?
Business Associates and Covered Entities
Regarding a business's status, only certain organizations fall under the category of a Covered Entity: health care providers, health care clearinghouses, and health plans.
Beyond that, subcontractors who have an existing agreement to use and protect a Covered Entity's PHI are called Business Associates, and they are also required to be HIPAA compliant.
As HHS elaborates in its recently published guidance on HIPAA compliance for mobile apps, the crux of the issue is whether the app you are developing is on behalf of a provider or on behalf of the patient. If the app you are developing is at the request of a provider, insurer, or clearinghouse, then you are operating as a Business Associate and must implement HIPAA safeguards to protect the data.
Takeaways
Healthcare apps only need to be HIPAA compliant if they store, transmit, or display Protected Health Information (PHI).
If you do not fall into any of the categories of a Covered Entity or Business Associate, then you do not have to be HIPAA compliant, even if you or your users are creating health-related data.
However, you may still be required to protect sensitive information under your state's information privacy laws.
Remember, each app is different, and the principles described here must be applied to each app individually before determining whether HIPAA compliance is required.
Do you need help ensuring your app is HIPAA compliant? Are you unsure if your data is considered PHI? Gazelle Consulting is here to help!
We make HIPAA compliance feel like a walk through a grassy savannah. Give us a call at (503) 389-5666 or email us at info@gazelleconsulting.org today!