When it comes to mHealth app development, HIPAA compliance is the first thing a customer wants to hear about the delivered product. That means the app will adhere to the officially established security and privacy standards — including administrative, physical, and technical safeguards.
However, quite often the tricky part is not how to comply with HIPAA, but rather when the HIPAA Privacy and Security Rules apply. To puzzle out this dilemma, you should answer these three questions: 1. Who will use the app? 2. What info will it include? 3. Is there a need for a contract with a covered entity?
On its mHealth Developer Portal, the US Department of Health and Human Services (HHS) provides additional guidance on when an app should comply with HIPAA. Let’s have a closer look at some common scenarios.
When an mHealth app falls under HIPAA
First and foremost, HIPAA will apply to covered entities and their business partners. This includes healthcare providers (doctors, clinics, nursing homes, and pharmacies), health plans (health insurance companies or governmental programs), and health clearinghouses. And their partners who are usually software vendors employed to accelerate innovation in hospitals.
A medical app is also subject to HIPAA if it contains protected health information (PHI), i.e. data on a patient’s physical or mental conditions, healthcare services (type, date), as well as past, present, or future payment for the provision of care. The examples of such mHealth solutions include communication apps connecting doctors across the network for enhanced decision-making or telehealth software streamlining patient-physician interaction.
Another common scenario of HIPAA-compliance includes tracking and downloading PHI via a mobile EHR or PHR app offered by a particular health plan.
When an mHealth app isn’t subject to HIPAA
The majority of medical apps you see on Google Play and App Store don’t fall under HIPAA, as they’re usually intended for a patient’s personal use. These are apps for monitoring certain health aspects (weight, pulse, or glucose levels) or those to follow the medication schedule (unless this data is transmitted to a health plan server).
Also, the HIPAA Rules won’t apply if a patient downloads an app to send summary reports by a doctor’s recommendation. This is because the covered entity (in our case, the physician) doesn’t enter into an agreement with a developer.
Let’s look at another case. A patient is recommended a medical app to manage a chronic condition. A healthcare provider creates an interoperability arrangement with a software vendor so that the app’s data could be securely transmitted to an EHR system at a patient’s request. In this case, the app won’t be subject to HIPAA, because the interoperability arrangement isn’t a business associate partnership, and the developer facilitates data exchange on a patient’s behalf, i.e. offers services to the consumer.
As public health authorities don’t fall under the category of a covered entity, the medical apps they use won’t be subject to HIPAA either. An example is a mobile app for a local center of epidemiology conducting a public health survey.
Even minor amendments matter
On the way to HIPAA-compliance you can also come across double-edged scenarios, meaning an app isn’t subject to HIPAA unless a certain condition comes into play.
For example, the majority of medical apps for a patient’s personal use don’t have to be HIPAA-compliant, because they’re built to collect consumer health information (CHI) that won’t be necessarily shared with a covered entity. But once a health provider inks a formal agreement with a healthcare app developer to manage patient-generated health data (PGHD), the Security and Privacy Rules will apply.
Here’s another case in point. If a covered entity uses a medical app without involving PHI — for instance, regional stats on influenza — it won’t fall under HIPAA. Yet, if these stats incorporate the info on influenza patients in a particular hospital, the app will need to comply with the HIPAA regulations.
There’s more to the story
For medical practices and software vendors, understanding the ins and outs of the HIPAA Rules — when and how to comply — is a must when it comes to mHealth development; yet, there are other things to keep in mind.
If your app doesn’t fall under HIPAA-compliance scenarios — isn’t used by covered entities and doesn’t contain PHI — that doesn’t mean its market launch will be a walk in the park. Your solution may be subject to other federal laws, e.g. the US Federal Food, Drug, and Cosmetic Act.
If you have doubts about what regulations your medical app should meet, use this mobile health apps interactive tool created by the Federal Trade Commission.
On a final note
With a variety of use cases and exceptions, HIPAA-compliance turns to be a fact-intensive issue. To be sure about whether the rules apply or not, you need to clearly understand the type of data the app will use (PHI or CHI), as well as define the parties involved in managing this data and the relationship between them.
Besides, mind the fact that slight changes to an app’s functionality and business models may result in different decisions with regard to HIPAA, and you’ll have to analyze the regulations as well as your client’s business processes early on to go ahead with product development.
HIPAA and mHealth: Is Your App Covered? was first published on HITECH Answers.