The U.S. Department of Health and Human Services (HHS) recently issued guidance to help mobile application developers analyze whether the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may apply to them.1 Not every mobile application developer that handles personal health information is subject to HIPAA regulation, and determining whether HIPAA applies is situation-dependent and requires thoughtful analysis. The HHS guidance lists some of the factors to consider when assessing whether HIPAA applies to an app developer and analyzes several scenarios where apps handle health-related information.
Generally, HIPAA regulates only organizations that meet two criteria. First, an organization must play a certain role in the provision of healthcare to patients. The organization must be deemed a covered entity or business associate, as those terms are defined by HIPAA. Second, HIPAA applies only when an organization handles Protected Health Information (PHI). Therefore, to determine whether HIPAA applies, an organization needs to assess whether it is a covered entity or business associate and whether it handles PHI.
HIPAA describes the types of entities that are covered entities and business associates. However, the analysis is not always straight-forward when looking at a particular situation, especially when analyzing whether an organization is acting as a business associate.
Covered Entities. Health plans, healthcare clearinghouses, and most healthcare providers are covered entities under HIPAA. If these covered entities develop mobile applications that collect, use, or disclose PHI, then the mobile application likely must be included in its HIPAA compliance program.
Business Associates. In general, a HIPAA business associate is an organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity or another business associate. Most vendors or contractors that provide services to or perform functions that involve access to PHI for covered entities or business associates are business associates. An app developer may be a business associate if it creates or offers a mobile app that handles PHI on behalf of a covered entity. For example, the HHS guidance states, “[A] company that is given access to PHI by a covered entity to provide and manage a personal health record or patient portal offered by the covered entity to its patients or enrollees is a business associate.”
Protected Health Information. Generally, PHI is identifiable health and healthcare payment-related information. However, HIPAA defines PHI broadly to include medical record numbers, health plan account numbers, vehicle identifiers, device identifiers and serial numbers, URLs, IP addresses, biometric identifiers, and other unique codes associated with a patient. Therefore, information may be PHI even when it is not a patient record and does not contain information about individuals’ health.
Any app developer that handles health or healthcare payment-related information and/or does business with a covered entity or business associate should analyze whether it needs to comply with HIPAA. The recent HHS guidance may be helpful in that analysis.
Analyzing Whether an App Developer is a Business Associate Under HIPAA
A mobile app that is developed and provided directly by a covered entity to patients likely should be part of the covered entity’s HIPAA compliance program. Determining whether HIPAA compliance is required for an app developer that is not a covered entity takes more analysis.
An app developer that is not a covered entity is required to comply with HIPAA only if it is acting as a business associate. The HHS guidance lists some questions for app developers to consider when assessing whether they are HIPAA business associates and need to comply with HIPAA, including:
- Does the mobile app handle identifiable health information?
- Who are the app developer’s clients? Who pays for the services provided by the app?
- Who directs or controls how information is handled and transmitted by the app?
- How does a consumer select the app for use? Does a covered entity recommend or require its use?
- What are the formal relationships the app developer has with covered entities?
The answers to these and other questions can help an app developer assess whether it is regulated by HIPAA. The questions also provide a blueprint of sorts that can guide an app developer on potential tweaks to app functionality and its business model to avoid serving as a business associate and complying with the associated HIPAA regulations.
HHS Analyzes Six Example Scenarios
In addition to identifying some of the right questions an app developer can use to help assess whether HIPAA compliance is necessary, the HHS guidance analyzes whether HIPAA likely applies to the app developers and health-related mobile applications in six different scenarios. HHS cautioned that the scenarios are fact-dependent and subtle changes to the facts may change the analysis and conclusions. Therefore, app developers are advised to obtain counsel on whether their particular circumstances would be regulated by HIPAA.
The HHS guidance describes four examples of health app developers that are likely not regulated by HIPAA:
- A health app used by consumers to input and monitor health information without involvement of a healthcare provider.
- A health app that permits consumers to submit their own information and upload for personal use health information separately obtained from a healthcare provider.
- A health app recommended by a healthcare provider to a patient when the app developer does not have a business relationship with the provider and the app collects health information and sends summary reports to the provider. The HHS guide states, “The consumer’s use of an app to transmit data to a covered entity does not by itself make the app developer a [business associate] of the covered entity.”
- A health app that permits users to submit information and transmit it to a healthcare provider and to access test results from the provider, and a consumer requests that the app developer and healthcare provider enter into an interoperability agreement to facilitate secure information exchanges. The HHS guide states, “The interoperability arrangement alone does not create a [business associate] relationship because the arrangement exists to facilitate access initiated by the consumer.”
The HHS guidance also describes two examples where health app developers are likely regulated by HIPAA:
- A healthcare provider contracts with an application developer to create an app for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, and EHR integration. Information from the mobile application is automatically incorporated into the healthcare provider’s EHR.
- A health plan offers a PHR app to manage health plan records, including claims and coverage decisions, provide wellness activity tracking, and analyze health information. The app developer also offers a direct-to-consumer version to manage health records, improve health habits, and send information to healthcare providers. According to the HHS guide, only the health plan app—and not the direct-to-consumer app—makes the app developer a business associate under HIPAA. As long as the app developer separates the two apps, the app developer has HIPAA obligations only with respect to the health plan app.
The scenarios above show that a crucial factor to the HIPAA analysis is whether the app developer has a formal relationship/agreement with a covered entity or business associate. While a formal agreement is not always enough to create a business associate relationship, it is highly relevant to the analysis. Another important factor is determining who controls how the information is processed and transmitted.
As the above considerations and scenarios show, determining whether a mobile app developer has HIPAA obligations is a fact-intensive inquiry. Slight changes to functionality and business models can result in different conclusions on whether HIPAA applies. For this reason, an app developer may consider analyzing its HIPAA obligations early in the business model and app development phases to set clear boundaries for itself so that it can avoid being regulated by HIPAA. As the app and business model change, an app developer may also consider regularly reviewing its prior HIPAA analysis to assess whether any of its conclusions change.
1 Department of Health and Human Services, “Health App Use Scenarios & HIPAA,” available at http://hipaaqsportal.hhs.gov/community-library/accounts/92/925889/OCR-health-app-developer-scenarios-2-2016.pdf.