Health apps are very popular in our tech-savvy and health-conscious society. Just Google “health apps” and you will be greeted with “The 10 Best Apps to Improve Your Health” and “The 25 Best Fitness Apps for 2016” among many other hits. Far down on the Google list, however, you might find this gem from Healthcare IT News: “8 Out of 10 Mobile Health Apps Open to HIPAA Violations, Hacking, Data Theft.”
The Healthcare IT News article claims that 84% of U.S. FDA-approved health apps that were tested by IT security vendor Arxan Technologies did not adequately address security issues. How is this possible? Don’t these apps need to comply with HIPAA, the federal privacy law?
Rules issued by the federal government under the Health Insurance Portability and Accountability Act (“HIPAA”) regulate the use and disclosure of individually identifiable health information. But HIPAA does not apply to all users of health information, only those who are specifically covered by the law. The HIPAA regulations apply to health care providers such as doctors, dentists, hospitals and nursing homes, as well as health insurance companies and organizations known as “healthcare clearinghouses.” Healthcare clearinghouses are entities that serve as way stations, processing non-standard data into standardized data elements that are recognizable by insurance companies, the federal government and others who pay for health care services. These entities that are subject to the HIPAA regulations are known as “covered entities.”
Covered entities often outsource functions that require access to health information. For example, many physician groups contract with medical billing companies, which review medical information provided by the doctor and prepare bills that are transmitted electronically to health insurance companies for payment. Medical billing companies and other contractors that collect, create, receive, maintain or transmit health information on behalf of covered entities are known as “business associates.” These business associates are also subject to the HIPAA regulations, as are any subcontractors of the business associates.
App developers have long sought better guidance from the federal government about how HIPAA applies to their industry. In response, on February 11, 2016, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) released “Health App Use Scenarios & HIPAA” (the “Health App Guidance”). The Health App Guidance sets out various factual scenarios involving health apps and OCR’s conclusion as to whether the HIPAA regulations would apply to the app developer in each scenario. The Health App Guidance builds upon OCR’s previous guidance concerning business associates and frames the scenarios in terms of whether or not the app developer is a business associate, and thus subject to the HIPAA regulations.
Unless the app is being developed by a health care provider, health insurer or healthcare clearinghouse, the app developer is almost assuredly not a covered entity. But under certain circumstances it is entirely possible that the app developer is a business associate of a covered entity and is therefore subject to the HIPAA regulations. The scenarios provided in the Guidance illustrate the basic analysis that must be performed to determine whether or not the app developer is a business associate.
The Health App Guidance makes clear that health apps that are downloaded and used solely by individual consumers are generally not subject to HIPAA because the developer is not collecting, creating, receiving, maintaining or transmitting health information on behalf of a covered entity. However, health apps that are offered directly by or on behalf of healthcare providers or their business associates and that collect, store or transmit health data very likely are subject to HIPAA. In those cases where the app developer is providing a service on behalf of the covered entity itself, or on behalf of a business associate of the covered entity, that app developer is, itself, a business associate subject to HIPAA.
While it is in every health app developer’s interest to make sure its app maintains the confidentiality and security of its customers’ health data, not all health app developers are subject to the HIPAA regulations. The Health App Guidance provides six scenarios that illustrate OCR’s analysis of the regulations. There are countless other scenarios not covered by the Guidance, however. Health app developers should seek advice from qualified attorneys with experience in health law in general and the HIPAA regulations in particular. The lawyers at Wetherington Hamilton are available to advise health app developers on these and other regulatory matters.