The application of health privacy rules to health information on mobile devices is getting the attention of federal regulators as well as members of Congress.
The Department of Health and Human Services Office for Civil Rights published guidance to aid in determining when and how the Health Insurance Portability and Accountability Act (HIPAA) applies to mobile health applications.
Health App Use Scenarios & HIPAA, published in February to the OCR’s mHealth Developer Portal, includes six scenarios to help developers that are not covered entities (health plans and health providers directly covered by HIPAA) determine when they are considered business associates (not directly covered but still subject to HIPAA).
While the answers to the scenarios are fact and circumstance specific, app developers are probably not considered HIPAA business associates when the consumer downloads a health app on her phone and manually inputs or uploads her protected health information into the app.
App developers that are offered by or contract with a consumer’s health provider to create, receive, maintain and transmit protected health information probably are considered HIPAA business associates.
"I think that this guidance is helpful in that it clearly reminds people, both covered entities and health app developers, of instances where the author of the health app is clearly not regulated under HIPAA as a business associate: When it's the consumer that's ultimately using the app and making the decision as to whether the covered entity receives data from it, and/or there's no relationship between the app developer and the covered entity (except for an interoperability arrangement)," Paula M. Stannard, counsel with Alston & Bird in Washington, told Bloomberg BNA.
“I would like to see a few more examples of instances where the app developer would be regulated because that’s also important information to think about,” she said.
Stannard said the area where she is seeing confusion is apps used in connection with an employer wellness program. “An employer may offer a wellness program as an employee benefit available to all employees or it may offer a wellness program as part of the covered health plan. It really makes a difference where in an employee benefits plan the wellness program is offered as to whether that wellness program and any apps associated with it would be regulated under HIPAA,” she said.
“I want to note that even if an app developer or vendor is not a business associate of a covered entity under HIPAA they are not home free. Number one, if the app is considered to be a personal health record they are subject to an FTC Breach Notification Rule. Secondly, they would also be subject to California’s Confidentiality of Medical Information Act because under an amendment to that act that became effective over a year ago, developers of software and mobile apps that involve health or fitness data are considered to be providers of health care,” she said.
HHS isn’t the only actor devoting attention to HIPAA’s implications for health information technology.
At a March 22 hearing held by the House Subcommittees on Information Technology and Health Care, Benefits, and Administrative Rules, Rep. Ted Lieu (D-Calif.) said that current laws and regulations were enacted before key technological advances that we now take for granted.
“HIPAA was passed in 1996 before broad adoption of the mobile revolution, HITECH was passed in 2009 before much of cloud computing existed,” Lieu said.
“Right now old and unclear privacy laws hinder interoperability between health IT systems and devices,” Rep. Will Hurd (R-Texas) said at the hearing. “In today’s hearing I hope to hear specifically what laws or regulations need to be changed or updated and how they should be changed or updated or abandoned.”
Reps. Hurd and Lieu were two of eight House lawmakers who sent a March 10 letter to HHS asking for updated mobile health app guidance.
The letter was also signed by Reps. Tom Marino (R-Pa.), Peter DeFazio (D-Ore.), Renee Ellmers (R-N.C.), Suzanne Bonamici (D-Ore.), Blake Farenthold (R-Texas) and Earl Blumenauer (D-Ore.).