OCR Issues Guidance for Mobile Health App Developers

The Department of Health and Human Services’ (HHS) Office for Civil Rights recently issued guidance on when HIPAA applies to health information that a patient creates, manages, or organizes through the use of a health app. The guidance also covers the issue of when mobile health app developers might need to comply with the HIPAA Rules.

When are Mobile Health App Developers Covered by HIPAA?

Health plans, healthcare clearinghouses, and healthcare providers are covered entities under HIPAA. Covered entities may employ individuals who create apps that use or disclose protected health information (PHI). Those individuals, and the covered entities they work for, must protect that information in compliance with the HIPAA Privacy Rule and the HIPAA Security Rule.

An entity that creates or offers an app on behalf of a covered entity, or on behalf of one of the covered entity’s contractors, may be a business associate (BA). A business associate is an entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity or another business associate. HIPAA defines PHI as, in general, individually identifiable health information that is held or transmitted by a covered entity or its business associate.

Companies that provide services to, or perform functions for, covered entities that involve access to PHI are business associates by definition. Examples of such companies include:

A company given access to PHI by a covered entity to provide a personal health record offered by the covered entity to its patients.

A company given access to PHI by a covered entity to manage a personal health record offered by the covered entity to its patients.

A company given access to PHI by a covered entity to provide or manage a patient portal offered by the covered entity to its patients.

These companies, as business associates, are required by HIPAA to apply reasonable safeguards to protect the information, as are the covered entities with whom they work. 

Not every app developer is a HIPAA business associate. The following are examples of app developers who, under the facts presented, are not HIPAA business associates:

Mobile health app developers that create an app used by consumers who populate it with their own health information – for example, an app into which a consumer enters blood glucose levels she measured herself with home health equipment. In this instance the app developer neither creates, receives, maintains, nor transmits PHI on behalf of a covered entity or another business associate, and no healthcare provider is involved. Therefore the mobile health app developer is not a BA.

A patient, acting on a doctor’s recommendation, downloads an app that tracks diet, exercise, and weight in an effort to lower his or her body mass index (BMI). The patient then uses the app on his or her smartphone to send a summary report to the doctor before the next appointment. In this case the mobile health app developer is not creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity. The consumer’s use of the app to transmit data to a covered entity does not, by itself, make the app developer a BA of the covered entity.

Sometimes, health app developers are business associates with respect to one service they offer, and not with respect to a different service. For example, a health plan may offer a subscriber a mobile personal health record (PHR) app. The app offers subscribers in the plan network the ability to request, download, and store health plan records. The app also allows patients to check the status of claims and coverage decisions. In addition, the app contains the plan’s wellness tools for members, so they can track their progress in improving their health. The health plan analyzes health information and data about app usage to understand the effectiveness of its health and wellness offerings. The app developer also offers a separate, direct-to-consumer version of the app that consumers can use to store, manage, and organize their health records, to improve their health habits, and send health information to their providers.

Under these circumstances, the mobile health app developer is a HIPAA business associate with respect to the app offered by the health plan, but not with respect to the direct-to-consumer app. The developer is a business associate of the health plan because it is creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity. The developer’s direct-to-consumer product, however, is not provided on behalf of a covered entity or another business associate, so the developer’s activities with respect to that product are not subject to HIPAA. As long as the developer keeps the information held by the two versions of the app separate, so that information from the direct-to-consumer version never becomes part of the product offered to the health plan, the developer does not need to apply HIPAA protections to the consumer information obtained through the direct-to-consumer app.

To summarize, for a mobile health app developer to be subject to HIPAA, the following must apply:

A covered entity (such as a healthcare provider or health plan) must be involved – for example, the covered entity must have hired the app developer to provide, facilitate, manage, or organize PHI-related services.

The app developer itself must create, receive, maintain, or transmit PHI for the covered entity, or vice versa – the patient’s own transmission of his or her PHI to the covered entity is not sufficient to make the mobile health app developer a BA.

The mobile health app developer must create, maintain, transmit, or receive PHI on behalf of the covered entity as part of its contract with the covered entity.

For more information, see the OCR guidance for mobile health app developers.