Healthcare apps are a rising trend in the healthcare industry, from patient-centered health record tracking apps to on-demand coverage details for HMOs. Mobile apps are developed by individual developers, by app development firms, or by the covered entities themselves. With such a wide variety of circumstances and development environments, how can an app developer determine whether or not their app needs to comply with HIPAA?
To answer this question we need to understand two things: what type of data the app handles, and the relationship the app developer has to any covered entities. Fundamentally, an app only needs to be HIPAA compliant if it creates, stores, transmits, or displays Protected Health Information (PHI) and the company that makes the app is a Covered Entity or a Business Associate. Both conditions must hold; health-related data alone does not trigger HIPAA.
Protected Health Information is individually identifiable information (real names, SSNs, addresses, dates of birth, device identifiers, etc.) combined with health information (health records, insurance records, clinical visits, etc.). However, this kind of information is only classified as PHI, and protected by HIPAA, if it is created, received, maintained, or transmitted by a covered entity or on its behalf. So, if an app lets users track their blood pressure by entering readings into the app themselves, and the app is offered directly to consumers with no covered entity involved, that information would NOT be considered PHI. But if a hospital created an app that let patients track blood pressure readings measured by its nurses or clinicians, that same information WOULD be PHI. The data looks identical in both cases; what changes is who is handling it and on whose behalf.
As for a business's status, only certain organizations fall under the category of Covered Entity: health care providers that transmit health information electronically in connection with standard transactions (claims, eligibility checks, and so on), health care clearinghouses, and health plans. Beyond that, vendors and subcontractors that create, receive, maintain, or transmit a Covered Entity's PHI on its behalf are Business Associates, and they are also required to comply with HIPAA. A Business Associate Agreement (BAA) formalizes that relationship, but it is the function you perform, not the existence of a signed agreement, that makes you a Business Associate, and a subcontractor of a Business Associate that handles the PHI is itself a Business Associate. As HHS elaborates in its recently published guidance on HIPAA compliance for mobile apps, the crux of the issue is whether the app you are developing is offered on behalf of a provider or on behalf of the patient. If you are developing the app at the request of a provider, insurer, or clearinghouse, then you are operating as a Business Associate and must implement HIPAA's administrative, physical, and technical safeguards to protect the data.
If you don't fall into either category, Covered Entity or Business Associate, then you do not have to be HIPAA compliant even if you or your users are creating health-related data. That does not mean the data is unregulated: state privacy and breach notification laws may still require you to protect it, and the FTC enforces consumer-protection rules, including a health breach notification rule for personal health record vendors not covered by HIPAA. Your own privacy policy is also enforceable, so say only what you actually do with the data.
Remember, each app is different, and the principles described here must be applied to each app individually, before development begins, to determine whether or not HIPAA compliance is required.