HIPAA and mHealth: OCR unveils new guidance on role of developers
The federal government is continuing its push to help those in the healthcare industry better understand HIPAA regulations, most recently releasing guidance focusing on mHealth.
- How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
- When might an app developer need to comply with the HIPAA Rules?
The scenarios provided address whether an app developer would be considered a HIPAA business associate (BA). However, the report's authors add that covered entities that transmit private health information also must apply safeguards.
One case where a developer would not be seen as a BA would be if a physician suggests a patient download an app to track diet and exercise and the patient sends the info to the doctor. Another instance would be if a patient downloads an app to manage a chronic condition and the provider and developer enter into an interoperability agreement at the patient's request so information can be seamlessly shared.
As for when a developer would be seen as a BA, that could include if a patient downloads an app for which the provider "has contracted with [the] app developer for patient management services, including remote patient health counseling, monitoring of patients' food and exercise."
In addition, a developer would be a BA if patient data from the app is automatically incorporated into the provider's electronic health record.
The authors also say that even if a developer determines it is not a covered entity, patient data protection and privacy are still of utmost importance.