In recent years there has been a surge in the number of health apps being developed, and there is no indication that this will slow down anytime soon. Moreover, with the spread of HIPAA-compliant home speaker devices such as Alexa, it has become extremely important to understand when an app is subject to HIPAA.
In a recent presentation to the Senate Cybersecurity Caucus, Jennifer Bordenick, CEO of eHealth Initiative & Foundation, stated that there are many myths and misinterpretations of HIPAA. Bordenick states that one of the biggest and most problematic is the common belief that "HIPAA protects all of your healthcare data." In fact, whether HIPAA applies depends on the circumstances and differs from case to case. Nevertheless, there are some well-established rules that help developers and providers determine whether an app must comply with HIPAA.
Web App HIPAA Compliance Not Needed
Whether an app must comply is determined by a number of factors, including the app's purpose, the type of access it provides, the way data flows through it and how it is branded.
Apps that are for personal use only
For example, if the app's purpose is to allow users to collect their own data for their personal use, it does not have to be HIPAA compliant. In such cases the app developer is not creating, receiving, maintaining or transmitting that data on behalf of a covered entity or one of its business associates.
Apps that patients use to monitor their own conditions and share the results with their providers
The same rule applies when a patient downloads an app that monitors their health and sends reports to their healthcare provider. As long as the patient, not the provider, chose the app and initiated the transmission, the developer is not acting as a business associate and the app does not need to be HIPAA compliant. (The provider itself is a covered entity and remains subject to HIPAA for the data once it receives it.) This kind of app provides direct-to-consumer services. Some apps are offered in two versions: one that must be HIPAA compliant (for example, a version offered by a health plan) and another that provides the service directly to the consumer.
Apps in which the developer does not create, receive, maintain or transmit protected health information (PHI)
As a general rule, if an app developer is not handling PHI as a business associate (BA) on behalf of a covered entity, the app does not need to be compliant.
Web App HIPAA Compliance Needed
"Generally, HIPAA covers data in health plans with healthcare providers that are conducting transactions, like claims transactions, billing, clearinghouses and business associates," states Bordenick.
When an app contains protected health information (PHI)
PHI is individually identifiable health information created, received, maintained or transmitted by a covered entity or its business associate. It covers information about an individual's past, present or future physical or mental health condition, the health care provided to them, and payment for that care, whenever it is linked to the person through an identifier such as a name, address, date of birth, demographic detail, account number or other billing information.
Health plans, transactions and clearinghouses
Health plans and healthcare clearinghouses are themselves covered entities, so an app offered by a health plan, or one that processes HIPAA transactions such as claims or billing on behalf of a clearinghouse, must be HIPAA compliant in the same way as any other app that handles PHI.
An app developer can determine whether it is acting as a business associate, and therefore whether HIPAA compliance is required, by answering the following questions:
- Are your clients covered entities?
- Are you funded by, or do you receive payment for your product from, a covered entity or another BA contracted by a covered entity?
- Do you create, receive, maintain or disclose any data related to a patient or health plan member on behalf of a covered entity?
If the answer to any of the above is yes, HIPAA compliance is a must.