- How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
- When might an app developer need to comply with the HIPAA rules?
Developer is NOT a HIPAA Business Associate.
In all of these cases, the developer is not a HIPAA Business Associate because the developer is not creating, receiving, maintaining or transmitting protected health information (PHI) on behalf of a covered entity or another business associate. That last piece is the key. The consumer made the choice to take these actions, and the consumer has the right to do what she wants with this information.
This last example is also what would likely apply when a consumer chooses to make use of Apple's HealthKit, which we have been using for over a year here at Duke. The way it's set up here, even when a physician makes a recommendation to have a consumer share his/her information in order to facilitate care, the consumer can choose to do so manually via MyChart or via HealthKit. HealthKit is never required - it's the consumer's choice.
There are two additional examples in the document regarding cases when the developer would be a business associate. Those include the following:
"At direction of her provider, patient downloads a health app to her smart phone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, EHR integration and application interfaces. Information the patient inputs is automatically incorporated into provider EHR."
"Consumer downloads to her smart phone a mobile PHR app offered by her health plan that offers users in its network the ability to request, download and store health plan records and check the status of claims and coverage decisions. The app also contains the plan’s wellness tools for members, so they can track their progress in improving their health. Health plan analyzes health information and data about app usage to understand effectiveness of its health and wellness offerings. App developer also offers a separate, direct-to-consumer version of the app that consumers can use to store, manage, and organize their health records, to improve their health habits and to send health information to providers."
Hopefully this helps provide a little clarity regarding when HIPAA is relevant. If you have additional questions, I suggest submitting them to the mHealth HIPAA site referenced above.