Does HIPAA compliance apply to your mobile app? A review of considerations for any mobile app developer
For many, the terms HIPAA compliance and mobile apps do not make an immediate connection; however, the considerations for HIPAA and its purpose in the use of a mobile app deserve more thought.
HIPAA (Health Insurance Portability and Accountability Act) protects the privacy and security of certain health information. If you (or an organization you know) are considering using or developing a mobile app, it is important to ask whether HIPAA compliance applies. In the following post we will review some considerations to address when utilizing a mobile app platform and the impacts of implementing HIPAA compliant software, specifically around liability and accountability.
Many organizations ask themselves the question: Do we need to consider HIPAA requirements and should we comply?
In short, HIPAA regulations require any organization that falls directly in the chain of health care providers, or indirectly by archiving or transmitting confidential health related data, to fully comply with HIPAA regulations.
The long answer of when compliance needs to be considered and under which circumstances is a little bit harder to explain and often leads to more grey areas than answers. However, we can say that for any consumer product that keeps daily logs of results (such as wearable health monitors) and for any app enabling a consumer to provide medical information to a third party for archiving, backup, or medical research, HIPAA is a must-comply requirement.
While some of these examples may seem innocuous, anytime servers or cloud-based systems store information, there are major implications. It is best to consider these implications in two ways: Liability and Accountability.
The National Institutes of Health (NIH) defines covered entities in the HIPAA rules as:
(a) health plans,
(b) healthcare clearinghouses, and
(c) healthcare providers.
If an app transaction involves billing and/or payment for services or insurance coverage, the app is then considered a covered entity. A business associate in partnership with the covered entity is also considered a covered entity.
A general rule of thumb is that if you have to sign a BAA (Business Associate Agreement), signing it transfers liability from the covered entity to your business. Health and Human Services (HHS) has adopted the privacy regulations that define the methodology for enforcement processes. It is thus important for any app developer to visit HHS and determine whether they fall under a covered entity.
Another side of liability is FDA regulation. Any software or hardware collecting data and/or providing input to the decision making process of the healthcare provider can be classified as a medical device. Depending on the user of the proposed system, some software has been termed a “decision support system” requiring FDA certification, as opposed to a data warehouse.
If we set the legal aspects of HIPAA aside for a moment, there would still be ethical questions about what to do to protect a consumer’s information. Consumers expect privacy from independent providers regardless of legal requirements. This fact alone makes providers accountable for meeting their consumers’ (implicit) needs.
Considering this consumer expectation, and planning for the possibility that the NIH/HHS will expand the covered entities definition, software/app developers can choose to have these practices already in place.
Most providers are still reluctant to take data or exceptions from consumer devices and act on them, possibly due to data quality issues or the fact that providers are restricted by the payers (e.g. reimbursement models for care may not be defined). There is still much gray area. As long as the software is not connected to Epic, Cerner or Allscripts, for example, it is not a covered entity. If a hospital decides to use an app to connect to EMR (Electronic Medical Records), that creates a different set of considerations a company would want to explore relating to how this information relates to HIPAA regulations.
With the push for pay-for-performance and fixed reimbursement models, more and more physicians and hospitals will push monitoring and data collection to consumers. This will open up exciting opportunities for service providers and data aggregators. Eventually, NIH/HHS will come after data aggregators with privacy rules and enforce HIPAA compliance. Here is a quick snapshot of what clients can think about in the context of HIPAA compliance:
HIPAA compliance and mobile app development carry strong considerations for any software or app developer and its consumers. HIPAA regulations are not a checklist but rather a loose set of guidelines that are constantly changing. Because of this, staying current on the latest information relating to liability and accountability should be a priority. Whether you are considering app development, are currently in development, or are a consumer utilizing app platforms that may have HIPAA regulation implications, being aware of what is protected information and how that information is protected should not be overlooked. By staying informed and supported on the changing regulations, both developers and consumers can ensure they are receiving the protections HIPAA was designed to provide.
We at Calance understand the complexity of the Healthcare IT environment. IT executives need to strike a balance between emerging technologies, the restrictions posed by ever changing government regulations, reporting requirements, and usability for users.
Since 2004, Calance has helped academic medical centers, Health Information Exchanges (HIEs), hospital systems and private clinics achieve their IT goals while ensuring compliance, functionality and usability.
We understand the importance of HIPAA compliance and ensure our healthcare clients remain compliant.
If you would like to learn more about how we can help, contact one of our healthcare experts.