Government Takes Steps on Privacy in Mobile Health Apps



The application of health privacy rules to health information on mobile devices is getting the attention of federal regulators as well members of congress.

The Department of Health and Human Services Office for Civil Rights published guidance to aid in determining when and how the Health Insurance Portability and Accountability Act (HIPAA) applies to mobile health applications.

Health App Use Scenarios & HIPAA, published in February to the OCR’s mHealth Developer Portal, includes six scenarios to help developers that are not covered entities (health plans and health providers directly covered by HIPAA) determine when they are considered business associates (not directly covered but still subject to HIPAA). 

While the answers to the scenarios are fact and circumstance specific, app developers are probably not considered a HIPPA business associate when the consumer downloads a health app on her phone and manually inputs or uploads her protected health information into the app.

App developers that are offered by or contract with a consumer’s health provider to create, receive, maintain and transmit protected health information probably are considered HIPPA business associates.

"I think that this guidance is helpful in that it clearly reminds people, both covered entities and health app developers, of instances where the author of the health app is clearly not regulated under HIPAA as a business associate:  When it's the consumer that's ultimately using the app and making the decision as to whether the covered entity receives data from it, and/or there's no relationship between the app developer and the covered entity (except for an interoperability arrangement)," Paula M. Stannard, counsel with Alston & Bird in Washington told Bloomberg BNA.

“I would like to see a few more examples of instances where the app developer would be regulated because that’s also important information to think about,” she said.  

Stannard said the area where she is seeing confusion is apps used in connection with an employer wellness program.  “An employer may offer a wellness program as an employee benefit available to all employees or it may offer a wellness program as part of the covered health plan.  It really makes a difference where in an employee benefits plan the wellness program is offered as to whether that wellness program and any apps associated with it would be regulated under HIPAA,” she said.  

“I want to note that even if an app developer or vendor is not a business associate of a covered entity under HIPAA they are not home free.  Number one, if the app is considered to be a personal health record they are subject to an FTC Breach Notification Rule. Secondly, they would also be subject to California’s Confidentiality of Medical Information Act because under an amendment to that act that became effective over a year ago, developers of software and mobile apps that involve health or fitness data are considered to be providers of health care,” she said. 

House Attention

HHS isn’t the only actor devoting attention to HIPAA’s implications for health information technology.

At a March 22 hearing held by the House Subcommittees on Information Technology and Health Care, Benefits, and Administrative Rules Rep. Ted Lieu (D-Calif.) said that current laws and regulations were enacted before key technological advances that we now take for granted.

“HIPAA was passed in 1996 before broad adoption of the mobile revolution, HITECH was passed in 2009 before much of cloud computing existed,” Lieu said.  

“Right now old and unclear privacy laws hinder interoperability between health IT systems and devices,” Rep. Will Hurd (R-Texas) said at the hearing.  “In today’s hearing I hope to hear specifically what laws or regulations need to be changed or updated and how they should be changed or updated or abandoned.”  

Reps. Hurd and Lieu were two of eight House lawmakers who sent a March 10 letter to HHS asking for updated mobile health app guidance. 

The letter was also signed by Reps. Tom Marino (R-Pa.), Peter DeFazio (D-Ore.), Renee Ellmers (R-N.C.), Suzanne Bonamici (D-Ore.), Blake Farenthold (R-Texas) and Earl Blumenauer (D-Ore.).