By Adam H. Greene, JD, MPH, former Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, now a partner in the Health IT/HIPAA practice of Davis Wright Tremaine.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules can be a daunting challenge. Sometimes, the biggest question facing mobile application developers is not how to comply with (or make sure users are complying with) HIPAA, but rather whether HIPAA even applies. To understand whether software falls under the HIPAA rules, a developer must answer two questions: (1) Who will be using the application, and (2) What information will be on the application?
The HIPAA Rules only apply to HIPAA “covered entities” and their “business associates.” They do not apply to health care consumers or to other types of entities. Covered entities include health plans (including employer-sponsored group health plans), entities known as health care clearinghouses (which convert health care claims and other administrative transactions into or from a standard format), and health care providers — but only if the health providers electronically conduct certain transactions, such as submitting claims to health plans electronically. A business associate is an entity that handles “protected health information” on a covered entity’s behalf, such as a health information exchange organization sharing health information on behalf of a health care provider, or a pharmacy benefit manager operating a health plan’s prescription benefit.
Additionally, the HIPAA rules only apply to “protected health information,” information that identifies an individual and that relates to an individual’s physical or mental health, health care services to the individual, or payment for such health care services. There are exceptions for employment records and records of educational institutions. The fact that an individual has received services from a covered entity is itself protected health information. Accordingly, the name or address of an individual, although publicly available, is protected health information when residing on a covered entity’s computer if the presence of the information suggests that the individual is or was a patient or enrollee of the covered entity. Protected health information also includes otherwise anonymous information that includes a date of service (anything more detailed than a year). Accordingly, an e-mail referring to “the patient who was in last week” is protected health information, because it includes a date of service that can be used to identify the patient.
A mobile application developer will need to analyze whether the software will be used by a covered entity, such as physician, hospital, or health plan, and whether it will include any protected health information: individually identifiable information about health, health care services, or payment for health care services. An application that assists a physician with following up with patients would need to be designed to allow the physician to comply with HIPAA. Likewise, a mobile application for use by health plan employees to obtain an individual’s enrollment information remotely would need to be designed in accordance with HIPAA.
In contrast, an application that is for use by patients is not going to fall under HIPAA; an application on a person’s smartphone that assists the user with following a medication schedule would not fall under HIPAA because there is no covered entity involved. Even if the application permitted the user to send information to her physician, the application would not be subject to HIPAA, although the information would become subject to HIPAA once the HIPAA-covered physician received it.
An application that is to be used by a covered entity but does not involve protected health information would also not be subject to HIPAA; an application that provides a nurse with “de-identified” influenza statistics would not be subject to HIPAA because it does not use individually identifiable health information. Note that if the application allows the nurse to add information about the hospital’s influenza patients (such as that an individual came in with H1N1 symptoms today), then the patient information will be subject to HIPAA.
Other types of entities, such as public health authorities, are not covered entities either — an exception may be if they are also providing a health plan or providing health care services. Accordingly, a mobile application for a local government epidemiologist that assists with a public health investigation would generally not fall under HIPAA.
In determining whether an application falls under HIPAA, the developer should focus on the user, rather than the distribution channel. If a health plan provides enrollees with an application that allows them to track their weight on their smartphone, the application is not subject to HIPAA (since it is used by a non-covered entity – the enrollee – on the enrollee’s smartphone). If the application stores data on the health plan’s server, however, the information on the health plan’s server would be subject to HIPAA.
It is worth noting that, while health-related applications that are not used by covered entities or business associates are not subject to HIPAA, they may be subject to other privacy and security laws. For example, if the software is sharing user information in violation of a privacy notice, this could represent a deceptive trade practice subject to the Federal Trade Commission’s enforcement authority.
Tomorrow, in part two of this series, we will look at what an application developer should do if their application is subject to HIPAA.
Adam H. Greene previously served as the Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, and now is a partner in the Health IT/HIPAA practice of Davis Wright Tremaine. Mr. Greene’s full bio is available at http://www.dwt.com/People/AdamHGreene