May 6, 2021

Volume XI, Number 126

Is My Telehealth App Subject to HIPAA?

While many telehealth and mHealth app developers are concerned about whether their app is a medical device under FDA regulations (and rightfully so), they often pay less attention to the Health Insurance Portability and Accountability Act (“HIPAA”) rules. The developer either mistakenly presumes HIPAA applies to their app or neglects to consider health privacy issues altogether. Addressing privacy and security issues (HIPAA and state law) should be on the “to do” list of any telehealth app developer’s business plan.

In reality, an app developer frequently is not a Covered Entity subject to HIPAA rules, and in many apps, the developer is not a Business Associate either. The specifics, of course, depend on the nature and function of the app itself. But simply because an app collects identifiable, health-related data does not mean the app is subject to HIPAA. A wearable health app used by a consumer is not necessarily subject to HIPAA, nor is a medication-adherence health app for patient self-use. These apps may be subject to Federal Trade Commission oversight and its “unfair acts” power, however.

A more important area of focus for app developers is state law, particularly if the developer intends the app to be used in multiple states across the country (or the world). More and more states have enacted their own state law privacy and security statutes. These state laws apply to a much broader scope of companies than HIPAA. An app developer can easily be subject to state privacy and security laws, even if it is not a Covered Entity or Business Associate and not subject to HIPAA rules.

California is one example. California’s Confidentiality of Medical Information Act (“CMIA”) dictates rules for permissible uses and disclosures of medical information. In the past, the California law applied to the type of companies commonly subject to HIPAA – health care providers, health services plans, and businesses that contract with these entities for work that involves access to medical information. However, the law was recently amended to expand its scope to apply to health app developers, including:

any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . in order to make the information available to an individual or provider of health care for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual.

With these changes, California law now requires health app developers and PHR vendors to “maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business.” These safeguards are in addition to any safeguards that the health app developer or PHR vendor is subject to under HIPAA. Failure to comply with the CMIA obligations could result in administrative fines and civil penalties.

Many other states have similar laws and regulations, requiring entities like telehealth app developers to comply with certain privacy and security requirements even if the company is not subject to HIPAA. Other California laws require apps to have “do not track” functionality. Florida overhauled its data security breach reporting law last year and this summer passed a law requiring specific contact information on websites and other online services. These laws have important implications for existing health apps, developers of consumer-facing health tools, and telehealth app offerings. As states continue to expand the scope of state privacy and security laws, it is critical for health app developers to understand the breadth of these laws and ensure they are in compliance.

© 2021 Foley & Lardner LLP
National Law Review, Volume V, Number 196
About this Author

Nathaniel Lacktman, Health Care Attorney, Foley and Lardner Law Firm
Partner

Nathaniel (Nate) Lacktman is a partner and health care lawyer with Foley & Lardner LLP, and a Certified Compliance & Ethics Professional (CCEP). His practice focuses on health care compliance, counseling, enforcement and litigation, as well as telemedicine and telehealth. Mr. Lacktman is a member of the firm’s Health Care Industry Team which was named “Law Firm of the Year — Health Care Law” for three of the past four years on the U.S. News – Best Lawyers® “Best Law Firms” list. 

813-225-4127
Claire Marblestone, health care lawyer, Foley and Lardner, Law firm
Partner

Claire Marblestone is a Partner and health care lawyer with Foley & Lardner LLP. Her practice focuses on transactional and health care regulatory matters, with an emphasis on HIPAA compliance, the Anti-Kickback Statute, Stark law, provider enrollment, and licensure and certification. She advises a number of clients, including hospitals, health systems and physician groups on regulatory and compliance issues presented by telemedicine and telehealth.

213-972-4822