Federal regulators have recently issued new guidelines under HIPAA for mobile apps. This includes newly published materials to clarify for healthcare entities and software developers the various scenarios under which HIPAA regulations might apply to mobile health applications, including situations when patients use smartphones to collect or transmit personal health data.
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act. This act is incorporated to set the standard and protect sensitive patient data. If any company deals with Protected Health Information (PHI), then it needs to ensure that all the required network, physical and other process security measures are there in place and are followed.
HIPAA also provides regulations that describe the circumstances in which CEs are permitted, but not required, to use and disclose PHI for certain activities without first obtaining an individual’s authorization: including for treatment and for health care operations of the disclosing CE or the recipient CE when the appropriate relationship exists.
HIPAA includes anyone who provides treatment, payment and operations in healthcare which is Covered Entities (CE) and anyone with access to patient information and provides support for treatment, payment or operations namely the business associates (BA). Moreover, the subcontractors or business associates of business associates also need to be in compliance.
Necessity of HIPAA for Mobile Apps
HIPAA was signed into law by Bill Clinton on August 21st, 1996. That's 20 years ago! At that point in time, it was close to impossible to even imagine anything like mobile apps. It is obvious that as years have passed, the challenges are now appearing especially in its understanding and interpretation, as an application to today's mobile applications.
If you think objectively, mobile apps and healthcare industry are like a match made in heaven. Mobile apps can help doctors work more efficiently and bring down the cost of health care. Moreover, mobile apps can help improve patient satisfaction and enable them to better understand their care. In the long run, and in the ideal scenario, this can actually mean good health for everyone. No wonder there are already more than 40,000 mobile health (or mHealth) apps currently available in various mobile AppStores, with new ones being launched every day.
While there has been tremendous growth in the healthcare apps available, there are some obvious dangers surrounding this because of the amount of personal information that these apps can contain. The smartphones that run these apps can be and are often lost or stolen which can lead to loss of personal data for many. Apart from that, many hackers perform planned attacks to get access to such information. It is needless to say that being compliant to HIPAA for mobile apps is more important today than ever before.
Considering the numerous ways security breaches can occur with a mobile device, it's no wonder government entities like the US Department of Health and Human Services are leery about how PHI is handled on smartphones and wearables.
Does Your Mobile App Need to be HIPAA Compliant?
Simply put, if your application is going to send or share health data to a doctor, hospital, or other covered entity, it must be HIPAA-compliant. If you are an app vendor, and you are not already a covered entity, you should consider the following questions in determining whether or not you may be a business associate – i.e., an entity that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity or business associate:
- Does your health app create, receive, maintain, or transmit identifiable information?
- Who are your clients? How are you funded?
- Are your clients covered entities? e.g.,
- hospitals, doctor’s offices, clinics, pharmacies, or other health care providers who conduct electronic transactions;
- health insurance issuers; health or wellness program related to a health plan offered by an employer
- Were you hired by, or are you paid for your service or product by, a covered entity? Or another business contracted to a covered entity?
- Does a covered entity (or a business associate acting on its behalf) direct you to create, receive, maintain or disclose information related to a patient or health plan member?
If you are only offering services directly to and collecting information for or on behalf of consumers, and not on behalf a provider, health plan or health care clearinghouse, you are not likely to be subject to HIPAA as either a covered entity or business associate.
- Is your app independently selected by a consumer?
- Does the consumer control all decisions about whether to transmit her data to a third party, such as to her health care provider or health plan?
- Do you have no relationship with that third party entity (other than an interoperability relationship)?
Some HIPAA Scenarios that Apply to Mobile App Developers
Consumer downloads a health app to her smartphone. She populates it with her own information. For example, the consumer inputs blood glucose levels and blood pressure readings she obtained herself using home health equipment.
HIPAA for Mobile Apps Compliance Needed?
No. Developer is not creating, receiving, maintaining or transmitting protected health information (PHI) on behalf of a covered entity or another business associate. The consumer is using the developer’s app to help her manage and organize her information without any involvement of her health care providers.
Consumer downloads a health app to her smartphone that is designed to help her manage a chronic condition. She downloads data from her doctor’s EHR through a patient portal, onto her computer and then uploads it into the app. She also adds her own information to the app.
HIPAA for Mobile Apps Compliance Needed?
No. Developer is not creating, receiving, maintaining or transmitting protected health information (PHI) on behalf of a covered entity or another business associate. Instead, the consumer obtains health information from her provider, combines it with health information she inputs, and uses the app to organize and manage that information for her own purposes. There is no indication the provider or a business associate of the provider hired the app developer to provide or facilitate this service.
At the direction of her provider, patient downloads a health app to her smartphone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, EHR integration and application interfaces. Information the patient inputs is automatically incorporated into provider EHR.
HIPAA for Mobile Apps Compliance Needed?
Yes, the developer is a business associate of the provider, because it is creating, receiving, maintaining and transmitting protected health information (PHI) on behalf of a covered entity. In this case, the provider contracts with the app developer for patient management services that involve creating, receiving, maintaining and transmitting PHI, and the app is a means for providing those services.
Instances during which app developers do not necessarily need to be HIPAA compliant are ones where providers and patients access an app on their own volition and then exchange information. In those cases, app developers are not sharing or storing the information on behalf of the covered entity.
mHealth security and mobile security are becoming topics of concern in the healthcare data security space. In fact, HIPAA compliance is one of the top-cited 2016 mobile health security concerns.
Businesses and application developers can avoid major pitfalls by working with companies that provide HIPAA compliance services and make sure their mobile applications are compliant as well as secure. By using continuous integration security tools like Appknox, mobile application developers can avoid hassles associated with building compliant apps from scratch.