March 19, 2018

March 16, 2018


OCR New Guidance Aims to Help Medical Mobile App Developers Predict when HIPAA Obligations Might Apply

Predicting whether the activities of a mobile health application (app) developer trigger legal obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) presents some new challenges – not surprising when 20th century law is extrapolated to apply to 21st century technology.

In recognition of the complexity introduced by rapidly evolving and innovative digital health technology, the Office for Civil Rights (OCR) on Feb. 11, 2016, issued new guidance on its mHealth Developer Portal titled “Health App Use Scenarios & HIPAA.” OCR released the guidance in hopes that it “will help developers determine how federal regulations might apply to products they are building” and “will reduce some of the uncertainty that can be a barrier to innovation.”

The new guidance describes six scenarios involving a mobile health app, accompanied by OCR’s analysis and determination under each scenario as to whether the app software developer would be considered a business associate under HIPAA. In each scenario, the app collects, stores, maintains, or transmits health information from the consumer and/or the consumer’s provider.

The apps in these various scenarios range in function from tracking the user’s diet, exercise, and weight; enabling the user to enter certain health metrics collected by other devices (e.g., blood glucose levels and blood pressure readings obtained using home health equipment); helping users manage chronic conditions; to providing users with a mobile version of their Personal Health Records (PHRs), as offered by the users’ health plan.

The new guidance provides insight into OCR’s approach, which attempts to strike a balance between protecting consumer health information and minimizing uncertainty that can stifle innovation. While app developers may be able to navigate HIPAA more clearly, they will still have to navigate other potentially applicable federal laws and state privacy laws.

© Polsinelli PC, Polsinelli LLP in California


About this Author

Jean Marie R. Pechette, Polsinelli, Business Strategy Attorney, Life Sciences Industries lawyer

Jean Pechette is a creative yet practical thinker who partners with clients and fully engages in assisting them to achieve their matter-specific goals by first understanding their overall business strategies. Jean has over 20 years of experience in information technology, privacy and intellectual property law, with a focus on health care and life sciences industries, including serving as a division general counsel for a Fortune 50 company. She brings to clients a unique perspective to help them navigate novel and complex technology-related problems.

Lindsay R. Kessler, Polsinelli PC, Corporate Compliance Attorney, Regulatory Matters Lawyer, Chicago

Lindsay Kessler brings a unique and diverse professional background to the Polsinelli Health Care group. Prior to joining the firm, Lindsay worked with the American Medical Association, American Dental Association, and Rehabilitation Institute of Chicago. This in-house experience in corporate compliance and regulatory issues serves her practice and her clients well.

She is a recent graduate of Loyola University Chicago School of Law, with a certificate in Health Law. Lindsay works frequently with Polsinelli's Long-Term Care and Senior Housing practice to assist providers in litigating regulatory matters and navigating through guardianship and other probate processes. Additionally, Lindsay works closely with the Privacy Security and Technology group to advise clients on Health Insurance Portability and Accountability Act and Health Insurance Technology for Economic and Clinical Health compliance, as she was formerly a legal extern with the Illinois Office of Health Information Technology. In her spare time, Lindsay is an active member and volunteer in the non-profit cancer legal community.