Health Apps and HIPAA: OCR Publishes New Guidance For Health App Developers
OCR’s guidance presents hypothetical scenarios and key questions to help app developers determine when they are subject to HIPAA regulations.
On February 11, the Department of Health and Human Services’ Office for Civil Rights (OCR) released “Health App Use Scenarios & HIPAA” (Health App Guidance) that addresses the applicability of the Health Insurance Portability and Accountability Act (HIPAA) to mobile device applications (“apps”) that collect, store, manage, organize, or transmit health information.
The Health App Guidance responds to requests from app developers for additional guidance from OCR on when and how HIPAA applies to the growing field of health apps. As such, the Health App Guidance sets forth various factual scenarios involving mobile health apps and whether OCR believes that HIPAA would apply to the app developer in each scenario. While the Health App Guidance is consistent with previous general guidance from OCR on HIPAA business associate relationships, it does provide helpful clarity regarding the application of those rules to mobile apps.
The Health App Guidance is the latest development to arise from OCR’s mHealth Developer Portal, a platform released last fall that allows (1) health app developers and others to seek OCR guidance regarding HIPAA and health technology and privacy laws, and (2) OCR to publish guidance to educate developers on how HIPAA regulations may apply to various technologies.
Overview of Factual Scenarios
The Health App Guidance outlines six specific scenarios (encompassing a broad spectrum of health apps in which health apps collect, store, manage, organize, or transmit health information) and assesses whether HIPAA would apply to the app developer in each case.
In the first four scenarios, the developer is not considered a business associate subject to HIPAA. The first four scenarios are as follows:
Scenario: A consumer downloads a health app to her smartphone and populates it with her own health information to help manage and organize her information without any involvement by her healthcare providers.
Is App Developer Subject to HIPAA? In this situation, the consumer is not a covered entity or a business associate and is voluntarily downloading the app for her own use. Accordingly, because the developer is not creating, maintaining, or transmitting protected health information (PHI) on behalf of a covered entity or business associate, it is not subject to HIPAA.
Scenario: A consumer downloads a health app to her smartphone to help manage a chronic condition. She downloads data from her doctor’s electronic health record (EHR) through a patient portal, onto her computer, and then uploads it to the app. She also adds her own information to the app.
Is App Developer Subject to HIPAA? Again, the consumer is not a covered entity or business associate and is voluntarily downloading the app, obtaining health information from her provider, combining it with health information she inputs, and using the app for her own purposes. The healthcare provider (or a business associate of the provider) did not hire the app developer to facilitate this service. The developer is not creating, maintaining, or transmitting PHI on behalf of a covered entity or business associate, and thus is not subject to HIPAA.
Scenario: A doctor recommends that his patient use a particular app that tracks diet, exercise, and weight. The consumer downloads the app to his smartphone and uses it to send a summary report to his doctor in advance of his next appointment.
Is App Developer Subject to HIPAA? While the doctor recommended the app, she did not hire the app developer to provide services to patients involving the handling of PHI. The consumer’s use of the app to transmit data to a covered entity does not alone make the developer a business associate of the covered entity. The developer is not subject to HIPAA.
Scenario: A consumer downloads a health app to her smartphone to help manage a chronic condition. The app developer and healthcare provider have entered into an interoperability arrangement at the consumer’s request to facilitate the secure exchange of consumer information between the two. The consumer inputs information on the app and directs it to transmit the information to the provider’s EHR. The consumer can access test results from the provider through the app.
Is App Developer Subject to HIPAA? This situation is the same as the first two. The developer is not subject to HIPAA because it is not creating, maintaining, or transmitting PHI on behalf of a covered entity or business associate. The consumer’s use of the app to transmit data to a covered entity does not alone make the developer a business associate of the covered entity. And the interoperability arrangement alone does not create a business associate relationship because the arrangement exists to facilitate access initiated by the consumer.
In the fifth and sixth scenarios, the developer is considered a HIPAA business associate. The scenarios are as follows:
Scenario: A provider has contracted directly with the health app developer for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, and EHR integration. The provider instructs his patients to download the app to their smartphones.
Is App Developer Subject to HIPAA? Because the provider is a covered entity contracting directly with the developer for services that involve creating, receiving, maintaining, and transmitting PHI, the developer is considered a business associate under HIPAA.
Scenario: A health plan offers a health app that allows plan members to download and store health plan records, check the status of claims/coverage decisions, and document and track their general wellness information. The helath plan then analyzes the information uploaded to the app by members.
Is App Developer Subject to HIPAA? Because the health plan is a covered entity contracting directly with the developer for services that involve creating, receiving, maintaining, and transmitting PHI, the developer is considered a business associate. If, however, the developer offers a separate, direct-to-consumer version of the health app with the same functionality, such a version of the app would not be subject to HIPAA as long as the developer keeps the health information contained in the two versions of the app separate.
In sum, health apps that are downloaded and used solely by individual consumers do not result in the app developer becoming subject to HIPAA, since the developer is not creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity or business associate. Rather, the consumer is directly providing the PHI being used or stored by the app. This holds true even if
a provider recommends the health app to patients,
the consumer uploads EHR to the health app from a provider’s patient portal, or
the app developer enters into an interoperability agreement with the provider that allows the consumer to transmit information from the app to the provider.
By contrast, health apps that are created and offered directly by or on behalf of covered entities or business associates and that collect, store, or transmit PHI are subject to HIPAA. Accordingly, a developer who contracts directly with a covered entity to collect, maintain, or transmit PHI through a particular app is considered a business associate under HIPAA because the developer is providing a service for the benefit of the covered entity and has access to the covered entity’s PHI. Similarly, a developer who contracts with a business associate on behalf of a covered entity to do to the same thing will also be subject to HIPAA.
OCR’s Key Questions
The Health App Guidance concludes with a series of questions that developers should consider about their business and health apps to determine if they are business associates under HIPAA. These questions include
whether the health app creates, receives, maintains, or transmits identifiable information;
whether the health app is selected independently by the consumer;
whether all decisions to transmit health data to third parties are controlled by the consumer; and
whether the developer has any contractual or other relationships with third-party entities besides interoperability agreements.
OCR does not provide an analysis of how answers to these questions may affect classification of an app developer as a business associate, but rather offers the questions to help developers determine whether their health app’s functions and business model focus primarily on consumers or on creating, receiving, maintaining, or transmitting PHI for covered entities. If the app focuses on the latter, the developer will be considered a business associate and thus subject to HIPAA.