When HIPAA applies to mobile applications

By: admin | Jun 16, 2011        


By Adam H. Greene, JD, MPH, former Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, now a partner in the Health IT/HIPAA practice of Davis Wright Tremaine.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules can be a daunting challenge. Sometimes, the biggest question facing mobile application developers is not how to comply with (or make sure users are complying with) HIPAA, but rather whether HIPAA even applies. To understand whether software falls under the HIPAA rules, a developer must answer two questions: (1) Who will be using the application, and (2) What information will be on the application?

The HIPAA Rules only apply to HIPAA “covered entities” and their “business associates.” They do not apply to health care consumers or to other types of entities. Covered entities include health plans (including employer-sponsored group health plans), entities known as health care clearinghouses (which convert health care claims and other administrative transactions into or from a standard format), and health care providers — but only if the health providers electronically conduct certain transactions, such as submitting claims to health plans electronically. A business associate is an entity that handles “protected health information” on a covered entity’s behalf, such as a health information exchange organization sharing health information on behalf of a health care provider, or a pharmacy benefit manager operating a health plan’s prescription benefit.

Additionally, the HIPAA rules only apply to “protected health information,” information that identifies an individual and that relates to an individual’s physical or mental health, health care services to the individual, or payment for such health care services. There are exceptions for employment records and records of educational institutions. The fact that an individual has received services from a covered entity is itself protected health information. Accordingly, the name or address of an individual, although publicly available, is protected health information when residing on a covered entity’s computer if the presence of the information suggests that the individual is or was a patient or enrollee of the covered entity. Protected health information also includes otherwise anonymous information that includes a date of service (anything more detailed than a year). Accordingly, an e-mail referring to “the patient who was in last week” is protected health information, because it includes a date of service that can be used to identify the patient.

A mobile application developer will need to analyze whether the software will be used by a covered entity, such as a physician, hospital, or health plan, and whether it will include any protected health information: individually identifiable information about health, health care services, or payment for health care services. An application that assists a physician with following up with patients would need to be designed to allow the physician to comply with HIPAA. Likewise, a mobile application for use by health plan employees to obtain an individual’s enrollment information remotely would need to be designed in accordance with HIPAA.

In contrast, an application that is for use by patients is not going to fall under HIPAA; an application on a person’s smartphone that assists the user with following a medication schedule would not fall under HIPAA because there is no covered entity involved. Even if the application permitted the user to send information to her physician, the application would not be subject to HIPAA, although the information would become subject to HIPAA once the HIPAA-covered physician received it.

An application that is to be used by a covered entity but does not involve protected health information would also not be subject to HIPAA; an application that provides a nurse with “de-identified” influenza statistics would not be subject to HIPAA because it does not use individually identifiable health information. Note that if the application allows the nurse to add information about the hospital’s influenza patients (such as that an individual came in with H1N1 symptoms today), then the patient information will be subject to HIPAA.

Other types of entities, such as public health authorities, are not covered entities either, although an exception may apply if they also provide a health plan or health care services. Accordingly, a mobile application for a local government epidemiologist that assists with a public health investigation would generally not fall under HIPAA.

In determining whether an application falls under HIPAA, the developer should focus on the user, rather than the distribution channel. If a health plan provides enrollees with an application that allows them to track their weight on their smartphone, the application is not subject to HIPAA (since it is used by a non-covered entity – the enrollee – on the enrollee’s smartphone). If the application stores data on the health plan’s server, however, the information on the health plan’s server would be subject to HIPAA.

It is worth noting that, while health-related applications that are not used by covered entities or business associates are not subject to HIPAA, they may be subject to other privacy and security laws. For example, if the software is sharing user information in violation of a privacy notice, this could represent a deceptive trade practice subject to the Federal Trade Commission’s enforcement authority.

Tomorrow, in part two of this series, we will look at what an application developer should do if their application is subject to HIPAA.

Adam H. Greene previously served as the Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, and now is a partner in the Health IT/HIPAA practice of Davis Wright Tremaine. Mr. Greene’s full bio is available at http://www.dwt.com/People/AdamHGreene

  • Alan S. Goldberg

    It is interesting to ponder how FDA initiatives (which seem to be ambiguous regarding some areas of medical device law and lore, including software) complement or are not necessarily consistent with the mHealth area of endeavor.

    Furthermore, one must ponder whether, now that HIPAA Ad/Si and HITECH Act requirements seem, according to some, to be the foundational regulatory platform for evaluating privacy and security requirements and performance, any effort to distance any mHealth initiative from HIPAA and HITECH Act requirements is wise and consumer/customer-friendly.

    See also the following disquieting news report, implicating challenges even for banks that supposedly have been doing privacy and security for many more years before there was a HIPAA, and consider what this portends for newly initiated mHealth vendors and customers and patients affected: http://www.reuters.com/article/2011/06/09/us-citi-idUSTRE7580TM20110609

    (Reuters) – Major U.S. banks came under growing pressure from banking regulators to improve the security of customer accounts after Citigroup Inc became the latest high-profile victim of a cyber attack…

    Regards, Alan Goldberg, Adjunct Professor of Health Law, www.GoldbergLawyer.com
    NOT ADVERTISING: FOR EDUCATIONAL PURPOSES ONLY

  • Alan S. Goldberg

    Note that I have nothing to do with zona wrestling (!) and my prior posting that seems to link me to that is an error.  Thanks.  ASGoldberg

  • Phil

    One of the most cogently written treatments I’ve ever read on this topic.  Well done.

  • E. Montag

    Great article.  Looking forward to the next in the series about what a developer should do if their app does fall under HIPAA.  Wondering if Mr. Greene could comment on use of security certificates (if apps are even able to support this) and data encryption.

  • drneelesh

    Cracked it for me. Thanks. Great Analysis.

  • Adam Greene

    Stay tuned for part two.  It touches on encryption (although it’s not going to give the black-and-white answer that I imagine you are looking for).

  • David Inns

    Regardless of the fine print of who is subject to HIPAA, I think it is prudent for a company to go through HIPAA training if they are dealing with sensitive consumer health information, such as medication schedules, period.  In your example, if the medications are being stored on servers, or if a customer service rep can assist customers with the entry of those medications, consumers should know that the company they are dealing with understands the seriousness of protecting that information.

  • Online Tech (http://twitter.com/OnlineTech)

    Compliance vs. security is the issue here – do the mobile health apps want to be secure enough to keep health information protected? They should, if they want to attract healthcare clients. From a legal standpoint, they may have no responsibility, but from a business perspective, it’s worth the investment for a HIPAA independent audit or risk assessment to be done, not to mention signing a business associate agreement. It’s the difference between just doing enough to get by, or doing the right thing.

  • Vivek

    Precise & Crisp. Like the comment about focusing on the User rather than Distribution channel.

  • Jelly Andrews (http://www.facebook.com/jelly.andrews.7)

    Does this suggest that HIPAA is all about confidentiality? What would be the consequences when the confidentiality of information was broken? What is the legal implication of it?

  • John Davis

    You say if the application stores data on the health plan’s server, the information on that server would be subject to HIPAA. I would go one extra step. If that application stores data on a server of a business associate of the health plan, that data would be subject to HIPAA.