The HIPAA law subjects covered entities – defined as health plans, health providers, and healthcare clearinghouses – to its regulatory scheme. By definitions, non-covered entities are not subject to HIPAA regulations. Apps and consumer devices that collect protected health information (PHI), and the vendors that manufacture them, do not meet the definition of a “covered entity.” However, a number of organizations have called for HIPAA compliance for non-covered entities, to ensure these apps do not compromise patient privacy by placing them under stricter scrutiny.
Is HIPAA Compliance for Non-Covered Entities a Concern?
Very much so.
Do you have an effective HIPAA compliance program? Find out now by completing the HIPAA compliance checklist.
Health information is now collected by apps and computer devices. The types of data collected are often exactly the same as the data collected by healthcare organizations, which are subject to the HIPAA Privacy Rule and the HIPAA Security Rule. And yet, while healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI) and uses and disclosures of that information are restricted, the same rules do not cover the data if the information is collected by these apps and devices. In other words, same data, different rules.
However, in the event of a data breach, the consequences can be just as damaging if the breach occurred on an app or device, as if it occurred at a healthcare organization.
Why is there this disparity in regulatory treatment?
When HIPAA and its subsequent implementing regulations (the Privacy and Security Rules) were enacted, the extent to which health information would be collected and used by apps and consumer devices was unknown. Indeed, the concept of mobile apps and consumer devices was a fairly new one in the mid 1990s when HIPAA was passed. (To offer an illustration of this, smartphones did not offer a camera function until 2002).
On the state, but not federal, level, laws have been introduced to extend privacy and security requirements on app and device manufacturers and the health data the apps and devices collect. These laws, though, at best, will create a patchwork, with consumer protection at the mercy of state legislative priorities.
While HIPAA was updated by the HITECH Act of 2009, which does cover electronic medical records (EMRs, which are sometimes referred to as EHRs, or electronic health records), HITECH does not extend to apps and devices. This is so in spite of the fact that by the year 2009, such apps and devices had become ensconced in the marketplace
But What About Business Associates?
HIPAA does apply to business associates of covered entities that provide apps and devices on behalf of the covered entity. If the business associate uses the app or device to perform a business function for a covered entity, and that function involves handling of PHI, the business associate is subject to the HIPAA Privacy and Security Rules with respect to the apps and devices. This is so only by virtue of definition, though. Under HIPAA, BAs must safeguard PHI they handle in providing services to covered entities. If that PHI is handled through an app or device, then by definition, the app or device must be properly secured and privacy safeguards must be implemented with respect to it.
However, if the app or device is not provided by a vendor acting as a business associate of a HIPAA covered entity, HIPAA Rules do not apply. A huge number of vendors that are not business associates, are the entities that are manufacturing the apps and devices.
To make matters worse for privacy advocates, the determination as to whether a vendor, and whether the devices and apps are offered “on behalf of” the covered entity, is not clear-cut. Healthcare organizations struggle with determining which side of the business line some vendors fall on.
Have Proposals Been Made to Require HIPAA Compliance for Non-Covered Entities?
Proposals have been made to require HIPAA compliance for non-covered entities, or at least heightened HIPAA awareness A group known as the eHealth Initiative Foundation has called for the introduction of a “values framework” to better protect health information. eHealth Initiative hopes to bring public awareness to the topic of this legal limbo, so that federal legislators will consider taking action, including modifying HIPAA to bring these apps and devices into its sweep.