The Office for Civil Rights (OCR) has added a list of health app use scenarios in which HIPAA regulations would apply, helping to educate mHealth app developers on how to create apps that abide by HIPAA and that protect user and patient privacy.
These health app use scenarios are a part of OCR’s mHealth Developer Portal, which is geared toward mHealth developers but is accessible to all relevant parties seeking more information about mHealth privacy and security.
The health app use scenario list aims to answer two questions:
- How does HIPAA apply to patient-generated health data through the use of an mHealth app?
- When do mHealth app developers need to comply with HIPAA regulations?
OCR clarifies that mHealth app developers who are employed by a health plan, a healthcare clearinghouse, or a healthcare provider are members of a covered entity’s workforce, so both the entity and the developer must abide by HIPAA regulations when the app uses or discloses identifiable health information.
In other words, an app developer who works for a hospital and is building an app that lets physicians securely message one another from their smartphones is required to abide by HIPAA standards.
“Only health plans, health care clearinghouses and most health care providers are covered entities under HIPAA. If you work for one of these entities, and as part of your job you are creating an app that involves the use or disclosure of identifiable health information, the entity (and you, as a member of its workforce) must protect that information in compliance with the HIPAA Rules,” OCR states.
The agency also explains the security responsibilities of business associates, meaning individuals or companies that perform functions or provide services for, or on behalf of, a covered entity. These parties are also required to be HIPAA compliant.
“So, most vendors or contractors (including subcontractors) that provide services to or perform functions for covered entities that involve access to PHI are business associates,” OCR says. “For example, a company that is given access to PHI by a covered entity to provide and manage a personal health record or patient portal offered by the covered entity to its patients or enrollees is a business associate.”
OCR also offers the following guiding questions to help mHealth app developers determine if they are business associates:
- Does your health app create, receive, maintain, or transmit identifiable information?
- Who are your clients? How are you funded?
- Were you hired by, or are you paid for your service or product by, a covered entity? Or another business contracted to a covered entity?
- Does a covered entity (or a business associate acting on its behalf) direct you to create, receive, maintain or disclose information related to a patient or health plan member?
OCR also walks through several example scenarios of mHealth app use and mHealth security, generally explaining that when PHI is created, received, stored, or transmitted through an app developed by or on behalf of a covered entity, the app and its developer must be HIPAA compliant.
App developers do not necessarily need to be HIPAA compliant in scenarios where a patient or provider chooses and uses an app on their own initiative and then exchanges information through it. In those cases the developer is not sharing or storing the information on behalf of the covered entity, so no business associate relationship exists.
mHealth security and mobile security are becoming major topics in the healthcare data security space, especially where HIPAA compliance is concerned.
In fact, HIPAA compliance is one of the most frequently cited mobile health security concerns of 2016. By determining early whether HIPAA applies and building the required privacy and security safeguards in from the start, mHealth developers and app users can go a long way toward preserving adequate healthcare data security and patient privacy.