When HIPAA applies to mobile applications

By MHN Staff
June 16, 2011
03:15 am
Share

Adam GreeneBy Adam H. Greene, JD, MPH, former Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, now a partner in the Health IT/HIPAA practice of Davis Wright Tremaine.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules can be a daunting challenge. Sometimes, the biggest question facing mobile application developers is not how to comply with (or make sure users are complying with) HIPAA, but rather whether HIPAA even applies. To understand whether software falls under the HIPAA rules, a developer must answer two questions: (1) Who will be using the application, and (2) What information will be on the application?

The HIPAA Rules only apply to HIPAA “covered entities” and their “business associates.” They do not apply to health care consumers or to other types of entities. Covered entities include health plans (including employer-sponsored group health plans), entities known as health care clearinghouses (which convert health care claims and other administrative transactions into or from a standard format), and health care providers -- but only if the health providers electronically conduct certain transactions, such as submitting claims to health plans electronically. A business associate is an entity that handles “protected health information” on a covered entity’s behalf, such as a health information exchange organization sharing health information on behalf of a health care provider, or a pharmacy benefit manager operating a health plan’s prescription benefit.

Additionally, the HIPAA rules only apply to “protected health information,” information that identifies an individual and that relates to an individual’s physical or mental health, health care services to the individual, or payment for such health care services. There are exceptions for employment records and records of educational institutions. The fact that an individual has received services from a covered entity is itself protected health information. Accordingly, the name or address of an individual, although publicly available, is protected health information when residing on a covered entity’s computer if the presence of the information suggests that the individual is or was a patient or enrollee of the covered entity. Protected health information also includes otherwise anonymous information that includes a date of service (anything more detailed than a year). Accordingly, an e-mail referring to “the patient who was in last week” is protected health information, because it includes a date of service that can be used to identify the patient.

A mobile application developer will need to analyze whether the software will be used by a covered entity, such as physician, hospital, or health plan, and whether it will include any protected health information: individually identifiable information about health, health care services, or payment for health care services. An application that assists a physician with following up with patients would need to be designed to allow the physician to comply with HIPAA. Likewise, a mobile application for use by health plan employees to obtain an individual’s enrollment information remotely would need to be designed in accordance with HIPAA.

In contrast, an application that is for use by patients is not going to fall under HIPAA; an application on a person’s smartphone that assists the user with following a medication schedule would not fall under HIPAA because there is no covered entity involved. Even if the application permitted the user to send information to her physician, the application would not be subject to HIPAA, although the information would become subject to HIPAA once the HIPAA-covered physician received it.

An application that is to be used by a covered entity but does not involve protected health information would also not be subject to HIPAA; an application that provides a nurse with “de-identified” influenza statistics would not be subject to HIPAA because it does not use individually identifiable health information. Note that if the application allows the nurse to add information about the hospital’s influenza patients (such as that an individual came in with H1N1 symptoms today), then the patient information will be subject to HIPAA.

Other types of entities, such as public health authorities, are not covered entities either -- an exception may be if they are also providing a health plan or providing health care services. Accordingly, a mobile application for a local government epidemiologist that assists with a public health investigation would generally not fall under HIPAA.

In determining whether an application falls under HIPAA, the developer should focus on the user, rather than the distribution channel. If a health plan provides enrollees with an application that allows them to track their weight on their smartphone, the application is not subject to HIPAA (since it is used by a non-covered entity – the enrollee – on the enrollee’s smartphone). If the application stores data on the health plan’s server, however, the information on the health plan’s server would be subject to HIPAA.

It is worth noting that, while health-related applications that are not used by covered entities or business associates are not subject to HIPAA, they may be subject to other privacy and security laws. For example, if the software is sharing user information in violation of a privacy notice, this could represent a deceptive trade practice subject to the Federal Trade Commission’s enforcement authority.

Tomorrow, in part two of this series, we will look at what an application developer should do if their application is subject to HIPAA.

Adam H. Greene previously served as the Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, and now is a partner in the Health IT/HIPAA practice of Davis Wright Tremaine. Mr. Greene's full bio is available at http://www.dwt.com/People/AdamHGreene

Tags: 
HIPAA mobile health, HIPAA mobile health IT, mHealth HIPAA

More regional news

Medical personnel and executives in a conference

Google announces accelerator for generative AI social impact solutions

By
Anthony Vecchione
December 31, 2024
Scientist in a lab looking at a test tube

Databricks hits $62B valuation after $10B funding round

By
Jessica Hagen
December 31, 2024
Doctor in scrubs standing in front of computer screens

Executives forecast AI's place in healthcare in 2025, part one

By
Jessica Hagen
December 31, 2024
Share

Top Story

Doctor in scrubs standing in front of computer screens
Executives forecast AI's place in healthcare in 2025, part one

Editor's Pick

Digital health funding predictions for 2025
Executives reflect on 2024’s biggest surprises, part one
Executives reflect on 2024's biggest surprises, part two
Q&A: Withings on the convergence of consumer technology and healthtech
Predictions for mergers and acquisitions in 2025
Q&A: Hackensack Meridian Health on its AI expenditures in 2025

More Stories

Medical personnel and executives in a conference
Google announces accelerator for generative AI social impact solutions
Scientist in a lab looking at a test tube
Databricks hits $62B valuation after $10B funding round
Close-up of smart watch
Digital health tools grow in scope and function to 337,000, according to IQVIA report
Silhouette of man interacting with a virtual environment while wearing a VR headset
Researchers aim to study AI-generated voice cloning, VR to decrease pain
PhnyX representatives demonstrating the genAI chatbot Cheiron
SK Group-backed startup unveils first medicine genAI search platform in Korea
Healthcare professional examining an x-ray
Royal Health closes investment deal with HealthQuest Capital to expand operations
Executives in a meeting
Healthtech company Commure acquires navigation platform Memora Health
Five businesspersons sitting around a table with two of them shaking hands
Predictions for mergers and acquisitions in 2025