Gazelle Consulting

Do Healthcare Apps Need to be HIPAA Compliant?

Healthcare apps are a rising trend in the healthcare industry, from patient-centered health record tracking apps to on-demand coverage details for HMOs.

Mobile apps are often developed by individual developers, app development firms, or by the covered entities themselves. With such a wide variety of circumstances and development environments, how can an app developer determine whether or not they need to follow HIPAA compliance guidelines for their app?

How to Know if your Healthcare App Needs to be HIPAA Compliant

To answer this question we need to understand what type of data the app is storing, and the relationship the app developer has to any covered entities.

Our Answer: Fundamentally, apps only need to be HIPAA compliant if they store, transmit, or display Protected Health Information (PHI) and if the company who makes the app is a Covered Entity or Business Associate.

Protected Health Information is any individually identifiable information such as real names, SSN, addresses, etc. in combination with health information such as health records, insurance records, clinical visits, etc. However, this type of information is only classified as PHI, and protected by HIPAA, if it is created by or on behalf of a covered entity.

So, if an app allows users to track their blood pressure by entering it directly into the app themselves, this information would NOT be considered PHI.

But, if a hospital created an app that allowed users to track blood pressure as it was measured by nurses or clinicians then it WOULD be considered PHI. See the difference?

Business Associates and Covered Entities

With regard to a business’ status, only certain organizations fall under the category of a Covered Entity: health care providers, health care clearinghouses, and health plans.

Beyond that, subcontractors who have an existing agreement to use and protect a Covered Entity’s PHI are called Business Associates, and they are also required to be HIPAA compliant.

As HHS elaborates in its recently published guidance on HIPAA compliance for mobile apps, the crux of the issue is whether the app you are developing is on behalf of a provider or on behalf of the patient. If the app you are developing is at the request of a provider, insurer, or clearinghouse, then you are operating as a business associate, and must implement HIPAA safeguards to protect the data.

Healthcare apps only need to be HIPAA compliant if they store, transmit, or display Protected Health Information (PHI).

If you don’t fall into either category, Covered Entity or Business Associate, then you do not have to be HIPAA compliant, even if you or your users are creating health-related data.

However, you may be required to protect sensitive information by your state’s information privacy laws.

Remember, each app is different, and the principles described here must be used to evaluate each app before determining whether or not HIPAA compliance is required.

Do you need help ensuring your app is HIPAA compliant? Are you unsure if your data is considered PHI? Gazelle Consulting is here to help!

We make HIPAA compliance feel like a walk through a grassy savannah. Give us a call at (503) 389-5666 or email us at today!

