With the explosion of electronic health technology aimed at improving patient health outcomes, it was only a matter of time before the Department of Health and Human Services (“HHS”) weighed in on how that technology interacts with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In October 2015 HHS launched a platform at http://HIPAAQsportal.hhs.gov (click on “Submit & View Questions”) intended to educate app developers on the HIPAA Privacy and Security Rules. The site allows app developers and others to browse, submit questions, and offer comments or vote on the relevance of a topic. Individuals access the site using their email addresses, but their identities and addresses are not disclosed to HHS’s Office for Civil Rights (“OCR”), and posting or commenting on a question or topic will not subject anyone to an enforcement action. In exchange, OCR receives input from the technology industry that informs its future guidance and technical assistance efforts.
Following on the heels of this platform, OCR published HIPAA interpretation guidance for health app developers in the form of six scenarios. The guidance is most valuable when applied while a product is being designed, rather than after the fact, when a costly redesign may be the only way to come into compliance.
The guidance is meant to address two questions.
- How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
- When might an app developer need to comply with HIPAA Rules?
Scenarios — An app developer is NOT a Business Associate based on the following scenarios:
1. A consumer downloads a health app to her smartphone. She populates it with her own information (e.g., she inputs blood glucose levels and blood pressure readings she obtained herself using home equipment).
Rationale – The developer of the app is not creating, receiving, maintaining or transmitting protected health information (“PHI”) on behalf of a covered entity or another business associate. The consumer is using the developer’s app to help her manage and organize her information without any involvement of her health care providers.
2. A consumer downloads a health app to her smartphone that is designed to help her manage a chronic condition. She downloads data from her physician’s electronic health record through a patient portal, onto her computer and then uploads it into the app. She also adds her own information to the app.
Rationale – The developer of the app is not creating, receiving, maintaining or transmitting PHI on behalf of a covered entity or another business associate. Instead, the consumer obtains health information from her physician, combines it with health information she inputs, and uses the app to organize and manage that information for her own purposes. There is no indication the physician or a business associate of the physician hired the app developer to provide or facilitate this service.
3. A physician counsels a patient that his BMI is too high, and recommends a particular app that tracks diet, exercise, and weight. The consumer downloads a health app to his smartphone and uses it to send a summary report to his physician before his next appointment.
Rationale – The developer of the app is not creating, receiving, maintaining or transmitting PHI on behalf of a covered entity or another business associate. The physician’s recommendation implies her trust in the app, but there is no indication that the physician hired the app developer to provide services to patients involving the handling of PHI. The consumer’s use of an app to transmit data to a covered entity does not by itself make the app developer a business associate of the covered entity.
4. A consumer downloads a health app to his smartphone that is designed to help him manage a chronic condition. The health care provider and app developer have entered into an interoperability arrangement, at the consumer’s request, that facilitates secure exchange of consumer information between the provider’s electronic health record and the app. The consumer populates information on the app and directs the app to transmit the information to the provider’s electronic health record. The consumer is able to access test results from the provider through the app.
Rationale – The developer of the app is not creating, receiving, maintaining or transmitting PHI on behalf of a covered entity or another business associate. The interoperability arrangement alone does not create a business associate relationship because the arrangement exists to facilitate access initiated by the consumer. The app developer is providing a service to the consumer, at the consumer’s request and on his behalf. The app developer is transmitting data on behalf of the consumer to and from the physician; this activity does not create a business associate relationship with the covered entity.
An app developer IS a Business Associate based on the following scenario:
5. At the direction of her physician, the patient downloads a health app to her smartphone. The physician has contracted with the app developer for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, electronic health record integration and application interfaces. Information the patient inputs is automatically incorporated into the physician’s electronic health record.
Rationale – The developer of the app is a business associate of the physician, because it is creating, receiving, maintaining and transmitting PHI on behalf of a covered entity. In this case, the physician contracts with the app developer for patient management services that involve creating, receiving, maintaining and transmitting PHI, and the app is a means for providing those services.
In the sixth scenario, an app developer both IS and IS NOT a Business Associate, depending on the party on whose behalf the health app is furnished:
6. A consumer downloads to his smartphone a mobile personal health record app offered by his health plan that offers users in its network the ability to request, download and store health plan records and check the status of claims and coverage decisions. The app also contains the plan’s wellness tools for members, so they can track their progress in improving their health. The health plan analyzes health information and data about app usage to understand the effectiveness of its health and wellness offerings. The app developer also offers a separate, direct-to-consumer version of the app that consumers can use to store, manage, and organize their health records, to improve their health habits and to send health information to providers.
Rationale – The answer is yes with respect to the app offered by the health plan, and no with respect to the “direct-to-consumer” app. The developer of the app is a business associate of the health plan, because it is creating, receiving, maintaining and transmitting PHI on behalf of a covered entity. The developer must comply with applicable HIPAA Rules with respect to the PHI involved in its work on behalf of the health plan. But its “direct-to-consumer” product is not provided on behalf of a covered entity or other business associate, and the developer’s activities with respect to that product are not subject to the HIPAA Rules. Therefore, as long as the developer keeps the health information attached to these two versions of the app separate, so that information from the “direct-to-consumer” version is not part of the product offering to the health plan, the developer does not need to apply HIPAA protections to the consumer information obtained through the “direct-to-consumer” app. In practice that separation has to exist in the developer’s systems and not merely in the product branding: the direct-to-consumer data should be held apart from the health plan data, with its own access controls, and should never be pooled with the data the developer handles or analyzes for the health plan.
Key Questions – OCR’s published guidance also provides a series of questions for health information app developers to consider as to whether they are business associates. These key questions are:
1. Does your health app create, receive, maintain, or transmit identifiable information?
2. Who are your clients?
3. How are you funded?
4. Are your clients covered entities?
a. Covered entities include health care providers that conduct electronic transactions, such as hospitals, doctor’s offices, clinics and pharmacies;
b. Covered entities also include health plans, such as health insurance issuers and health or wellness programs related to a health plan offered by an employer.
5. Were you hired by, or are you paid for your services or product by, a covered entity or another business contracted to a covered entity?
6. Does a covered entity or business associate acting on the covered entity’s behalf, direct you to create, receive, maintain or disclose information related to a patient or health plan member?
If a health app developer offers services directly to consumers and collects information only for or on behalf of consumers, and not on behalf of a covered entity, the developer is not likely to be subject to HIPAA as either a covered entity or a business associate. To make this determination the developer should ask:
1. Is the app independently selected by a consumer?
2. Does the consumer control all decisions about whether to transmit her data to a third party, such as to her health care provider or health plan?
3. Do you have no relationship with the third-party entity (other than an interoperability relationship)?
So the question all health app developers, business associates and covered entities should ask is: “Are we, as app developers, or are the health app developers who convey patients’ electronic health information, business associates under HIPAA?” If you are not sure, contact The Health Law Center. We will assist you in making this important determination.