The HHS Office for Civil Rights has published additional guidance on its mHealth Developer Portal that provides developers with different scenarios in which HIPAA might apply to the data their app collects.
“We hope these new scenarios will help developers determine how federal regulations might apply to products they are building; we also hope they will reduce some of the uncertainty that can be a barrier to innovation,” Office for Civil Rights Director Jocelyn Samuels wrote in a blog post.
The six scenarios listed in the guidance address two HIPAA-related questions. The first is how HIPAA applies to health information that a patient creates, manages, and organizes in a health app. The scenarios also explain when an app developer should comply with HIPAA.
In each scenario, the guidance explains whether or not the app developer is a HIPAA business associate, which is a developer that is not part of a covered entity but is creating or providing the app on behalf of a covered entity or the entity’s contractors.
Here are the six scenarios listed in the guidance:
Scenario 1: “Consumer downloads a health app to her smartphone. She populates it with her own information. For example, the consumer inputs blood glucose levels and blood pressure readings she obtained herself using home health equipment.”
The ORC says that in this case, the app developer is not a business associate because the consumer is uploading health information to the app without the involvement of health care providers.
Scenario 2: “Consumer downloads a health app to her smartphone that is designed to help her manage a chronic condition. She downloads data from her doctor’s EHR through a patient portal, onto her computer and then uploads it into the app. She also adds her own information to the app.”
This app developer is also not a HIPAA business associate because there is no indication that a provider hired the app developer to offer this app to consumers.
Scenario 3: “Doctor counsels patient that his BMI is too high, and recommends a particular app that tracks diet, exercise, and weight. Consumer downloads app to his smartphone and uses it to send a summary report to his doctor before his next appointment.”
The developer in this scenario isn’t a HIPAA business associate because the doctor isn’t working with the developer to help the consumer manage their healthcare information.
Scenario 4: “Consumer downloads a health app to her smartphone that is designed to help her manage a chronic condition. Health care provider and app developer have entered into an interoperability arrangement at the consumer’s request that facilitates secure exchange of consumer information between the provider EHR and the app. The consumer populates information on the app and directs the app to transmit the information to the provider’s
EHR. The consumer is able to access test results from the provider through the app.”
Because the app developer is providing an interoperability service to the consumer at the consumer’s request, the app developer is not a HIPAA business associate.
Scenario 5: “At direction of her provider, patient downloads a health app to her smart phone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, EHR integration and application interfaces. Information the patient inputs is automatically incorporated into provider EHR.”
In this case, the developer is a business associate because, OCR explains, “it is creating, receiving, maintaining and transmitting protected health information (PHI) on behalf of a covered entity.”
Scenario 6: “Consumer downloads to her smart phone a mobile PHR app offered by her health plan that offers users in its network the ability to request, download and store health plan records and check the status of claims and coverage decisions. The app also contains the plan’s wellness tools for members, so they can track their progress in improving their health. Health plan analyzes health information and data about app usage to understand effectiveness of its health and wellness offerings. App developer also offers a separate, direct to-consumer version of the app that consumers can use to store, manage, and organize their health records, to improve their health habits and to send health information to providers.”
The app developer is a business associate in the case of the first app that is offered by the health plan. But the app developer is not a business associate in regards to its direct-to-consumer app.