HIPAA Guidance for Health App Developers Issued by OCR

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued new HIPAA guidance for health app developers. The guidance walks through a number of scenarios in which the HIPAA Rules must be followed, and explains when app developers are not bound by them.

The new HIPAA guidance for health app developers is intended to clear up confusion about when the HIPAA Rules must be obeyed and when they do not apply.

HIPAA Guidance for Health App Developers Explains When HIPAA Rules Apply

The new HIPAA guidance for health app developers aims to provide answers to two of the most important questions asked by mHealth app developers via OCR’s new app developers portal:

  1. Do we have to comply with HIPAA if patients record health information using a health app?
  2. When do app developers need to comply with HIPAA rules?

Health app developers should build a number of security controls into their apps to protect the privacy of all users, but when it comes to complying with HIPAA, mHealth app developers are only covered if they are business associates of HIPAA covered entities.

A business associate is any vendor or service provider that creates, receives, maintains, or transmits data classed as protected health information (PHI) on behalf of a covered entity, under the definition used in the Health Insurance Portability and Accountability Act of 1996. If an app developer is provided with patients’ PHI by a covered entity (a healthcare provider, healthcare clearinghouse, or health plan) that has not been de-identified, or its software is required to touch PHI on the covered entity’s behalf, the developer is classed as a business associate and must abide by the HIPAA Rules.

If an app developer is working with a HIPAA covered entity to develop a health app that records protected health information on that entity’s behalf, the developer must ensure that it is in compliance with the provisions laid down in the HIPAA Rules.

However, if a health app is offered directly to consumers, and consumers alone decide whether or not to enter personally identifiable information or other data that would fall within HIPAA’s definition of PHI, the health app developer is not classed as a business associate and does not need to follow the HIPAA Rules.

As OCR points out, even mobile health app developers that are not covered by HIPAA should build a number of privacy and security safeguards into the design of their health apps to ensure that the privacy of consumers is protected.

The new HIPAA guidance for health app developers is available from OCR.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news