Is My Telehealth App Subject to HIPAA?
While many telehealth and mHealth app developers are concerned about whether their app is a medical device under FDA regulations (and rightfully so), they often pay less attention to the Health Insurance Portability and Accountability Act (“HIPAA”) rules. The developer either mistakenly presumes HIPAA applies to their app or neglects to consider health privacy issues altogether. Addressing privacy and security issues (HIPAA and state law) should be on the “to do” list of any telehealth app developer’s business plan.
In reality, an app developer frequently is not a Covered Entity subject to HIPAA rules, and in many apps, the developer is not a Business Associate either. The specifics, of course, depend on the nature and function of the app itself. But simply because an app collects identifiable, health-related data does not mean the app is subject to HIPAA. A wearable health app used by a consumer is not necessarily subject to HIPAA, nor is a medication-adherence health app for patient self-use. These apps may be subject to Federal Trade Commission oversight and its “unfair acts” power, however.
A more important area of focus for app developers is state law, particularly if the developer intends the app to be used in multiple states across the country (or the world). More and more states have enacted their own state law privacy and security statutes. These state laws apply to a much broader scope of companies than HIPAA. An app developer can easily be subject to state privacy and security laws, even if it is not a Covered Entity or Business Associate and not subject to HIPAA rules.
California is one example. California’s Confidentiality of Medical Information Act (“CMIA”) dictates rules for permissible uses and disclosures of medical information. In the past, the California law applied to the type of companies commonly subject to HIPAA – health care providers, health services plans, and businesses that contract with these entities for work that involves access to medical information. However, the law was recently amended to expand its scope to apply to health app developers, including:
any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . in order to make the information available to an individual or provider of health care for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual.
With these changes, California law now requires health app developers and PHR vendors to “maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business.” These safeguards are in addition to any safeguards that the health app developer or PHR vendor is subject to under HIPAA. Failure to comply with the CMIA obligations could result in administrative fines and civil penalties.
Many other states have similar laws and regulations, requiring entities like telehealth app developers to comply with certain privacy and security requirements even if the company is not subject to HIPAA. Other California laws require apps to have “do not track” functionality. Florida overhauled its data security breach reporting law last year and this summer passed a law requiring specific contact information on websites and other online services. These laws have important implications for existing health apps, developers of consumer-facing health tools, and telehealth app offerings. As states continue to expand the scope of state privacy and security laws, it is critical for health app developers to understand the breadth of these laws and ensure they are in compliance.