The mobile health industry is expected to reach a market size of $60 billion by 2020. As our society becomes more health conscious, thousands of individuals across the country are using health apps and devices, such as Fitbits, for a variety of medical and wellness-related purposes. This trend has caused greater amounts of data — including highly sensitive information — to flow through these apps. The data collected by these apps and devices can include everything from geographic location to medical records to medical history to biometric identifiers (finger and voice prints) to photos and more.
Collecting this data can mean significant compliance responsibilities for app developers. Health apps used for purposes like fitness tracking, mental health, and medication usage are considered Personal Health Record (PHR) devices according to the Health Insurance Portability and Accountability Act (HIPAA). (A PHR device is defined as software that can include features such as copying data and sharing it with healthcare providers.) These features raise an interesting question for app developers:
Do health care app developers need to comply with HIPAA?
The answer to this question lies in the data source and the purpose of data collection. HIPAA defines Protected Health Information (PHI) as information that is created or received by a covered entity (i.e., a healthcare provider or health plan) and relates to the past, present, or future mental or physical health of an individual as well as any information that identifies the individual. Therefore, some app developers may need to comply with HIPAA requirements, specifically the Security Rule.
In this post, we will examine how health app developers can determine if they are required to be compliant with HIPAA, how the HIPAA Security Rule applies, and specific scenarios where HIPAA does or does not apply to health apps. We will also explore the relationship between the developer, covered entity, business associate, and consumer and how these relationships may be affected by HIPAA.
Does HIPAA Apply to Your App?
Under HIPAA, developers may fall into one of two categories: covered entities or business associates.
- Covered entities are defined as health plan providers (i.e., insurance agencies), health care clearinghouses, and health care providers who electronically transmit any health information.
- A business associate is defined as a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity or provides services to a covered entity.
Apps that require users to enter their own information (meaning the covered entity does not receive and/or enter the information) may not have to comply with HIPAA. Take, for example, a fitness-tracking app that asks for the weight, height, and medical background of the end user. If the end user enters this data on their own using their own equipment (i.e., scale, blood pressure machine), then the app developer does not have to comply with HIPAA.
But if an app is developed for a covered entity or is used as a service provided by a business associate, HIPAA may apply to the app developers. A good example would be an insurance provider that has an app for consumers that tracks the status of claims and coverage details. The information in the app is populated directly by the insurance provider, which would mean this app and the information collected falls within scope of HIPAA.
How Does the HIPAA Security Rule Apply?
App developers who must comply with HIPAA will need to give special attention to the HIPAA Security Rule. The HIPAA Security Rule applies to electronic PHI (ePHI) and requires both covered entities and business associates to ensure the confidentiality, integrity, and availability of all ePHI that the entity creates, receives, maintains, or transmits. The Security Rule requires covered entities and business associates to implement three types of safeguards:
- Administrative – Actions, including policies and procedures, taken to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of how employees protect that information.
- Physical – Measures, policies, and procedures used to protect a covered entity's systems and related buildings and equipment from natural disasters and unauthorized access.
- Technical – Technology and the policies and procedures that protect ePHI and control access to it. These mechanisms may include encryption as well as data backups and access controls.
If HIPAA applies, app developers should evaluate the vulnerabilities, threats, and risks that can impact the confidentiality, availability, and integrity of ePHI. The HIPAA Security Rule requires that covered entities or business associates perform a risk analysis to identify the appropriate safeguards that should be implemented. The Security Rule also requires an in-depth, documented analysis of an entity’s systems to determine how it will implement these safeguards. Policies and procedures must also be created and enforced, and the developer’s workforce must be trained.
It’s important to note that these requirements are not just limited to systems. App developers should also implement privacy-by-design principles in the application development lifecycle, taking into consideration data protection standards and mechanisms.
Helpful Scenarios: When HIPAA Applies to Health Apps
An important distinction in determining when HIPAA would apply to a health care app is understanding where the data originally comes from, and in particular whether it is supplied by a covered entity or business associate rather than entered by the consumer. Below are two scenarios outlining when a developer may or may not have to comply with HIPAA.
Scenario One: Healthcare Provider App
A patient downloads a health app to their smartphone per guidance from their healthcare provider. The provider has contracted with the app developer for patient management services, including the monitoring of the patient’s food and exercise habits as well as messaging services between the patient and the healthcare provider. The personal information stored in the app is automatically fed into the app from the healthcare provider’s system.
Does HIPAA apply? Yes.
In this scenario, HIPAA does apply to the developer. The developer is considered a business associate of the provider because it receives, transmits, and maintains PHI on behalf of the healthcare provider (covered entity) per the contract.
Scenario Two: Fitness App
A consumer downloads a fitness health app to their smartphone. This individual enters their own information into the app. The information entered includes height, weight, and blood pressure readings obtained by the consumer using their own home health equipment.
Does HIPAA apply? No.
In this case, HIPAA would not apply, as the developer is not creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity or another business associate. The consumer is using the app to input information they obtained at home using their own equipment. The consumer’s healthcare providers have had no role in providing, receiving, or processing the information.
Next Steps: How to Apply HIPAA
When determining if HIPAA applies, the source and type of data involved in the app should always be considered. Health app developers can start by asking themselves the below questions:
- What is the source of the data (i.e., consumer or healthcare provider)?
- What type of data is being collected? Is it considered PHI under HIPAA?
- What is the relationship between the developer, covered entity, business associate and consumer?
If a health app developer determines from the above that HIPAA applies, they should conduct the risk analysis required by the Security Rule to determine which safeguards must be implemented (the US Department of Health and Human Services has many helpful resources). App developers who must comply with HIPAA should begin addressing privacy and data security issues during the early stages of development. Implementing compliant policies and controls from the beginning will aid developers greatly as their tool grows and will make maintaining compliance much easier.
Developers should also ensure appropriate updates are made to agreements with business associates and/or covered entities so they address each party’s responsibilities with respect to the collection, use, transfer, or storage of ePHI.
Developers should keep in mind that failure to comply with HIPAA can result in steep fines and penalties. HIPAA penalties can be up to $50,000 for each violation, with a maximum of $1.5 million during a calendar year.
If you have questions about whether HIPAA applies to your company or need assistance with performing a HIPAA Security Rule analysis, Focal Point has experts ready and willing to help.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.