Apple’s Health App and HealthKit and HIPAA

Will the Hippo Swallow the Apple?

By Matt Fisher, Esq
Twitter: @matt_r_fisher

At its annual Worldwide Developers Conference on June 2, 2014, Apple announced its entry into the mobile health field with the introduction of the Health App and HealthKit. The Health App will be the face that users actually interact with, while HealthKit is the software framework behind the Health App that coders and developers will work with.

As announced by Apple, the Health App and HealthKit are intended to enable sharing of information across a number of devices. Information collected will not just come from an iPhone or iPad, but will be pulled from other iOS apps, wearables (e.g., Fitbit), smart medical devices (e.g., Bluetooth enabled blood pressure cuffs or glucose monitors), and any number of other devices if those devices can connect to an Apple device running the Health App. The Health App is an aggregator of medical and health information about the individual to a degree that, up to this point, may be unique and could create a wholly new picture of an individual’s health.

Although there have been previous attempts to create a similar personal health portal or record, think Microsoft’s HealthVault and Google Health, speculation is running rampant that Apple may succeed where the earlier efforts failed. One reason for the optimism about Apple is the fact that Apple has made such technology work where others failed before. Oftentimes software developers will look at Apple’s innovations and then adapt or crib those efforts to their own purposes. If Apple can get more people focused on these technology solutions then a critical mass may occur.

There is another aspect to the Health App and HealthKit that may lead to Apple’s success. In the announcement at the WWDC, Apple revealed that both the Mayo Clinic and Epic Systems (one of the leading electronic medical record companies) are partnering with Apple. The Mayo Clinic’s involvement theoretically gives Apple credibility with healthcare professionals because the Mayo Clinic has long been a leader in the healthcare field generally and with healthcare technology. For example, the Mayo Clinic has an app available on both iOS and Android, which is designed to enable easy sharing of information and increase patient connectivity.

With regard to Epic, that partnership theoretically gives Apple credibility within the health information technology field, a field in which Apple is not a regular participant. Epic is clearly recognized as one of the leading electronic medical records companies, and, like the Mayo Clinic, has successfully developed a patient portal (MyChart) in connection with its EMR. If Apple can take advantage of the opportunities presented by these partnerships, then it may, as some are predicting, actually be able to revolutionize how health information is collected, the role of the individual in that process and how the information may be used and interpreted.

One natural goal of the data aggregation, and the work with the Mayo Clinic and Epic, is to provide a more comprehensive picture of an individual to healthcare professionals. This may occur in a number of ways, but one that may be easily anticipated is the direct connection of the Health App and the data collected with healthcare professionals. It is the potential for use by and connection with healthcare professionals that brings HIPAA into the picture.

Will HIPAA be a barrier to what Apple appears to be trying to do, or is it an issue that can be overcome? The answer will depend upon how the information is used and who uses it. It may not be possible to predict all of the different issues that may arise, since the Health App has not been used in the public yet, but it is still possible to identify and discuss how HIPAA can be addressed and handled.

HIPAA and related compliance issues are becoming a common theme when discussing mobile health apps and other mobile solutions. As a refresher, HIPAA protects protected health information (PHI) when used or created by “covered entities” and “business associates.” Covered entities are health plans, healthcare providers in certain contexts, and healthcare clearinghouses. A business associate is any entity that handles, uses, or creates PHI for or on behalf of a covered entity. App developers are most likely to be swept under HIPAA by becoming a business associate of a covered entity, though it is possible that the app developer could be a covered entity. The actual nature of the app developer may be irrelevant because the context of how data is created or collected and then used will be a primary driver in determining whether HIPAA applies.

In the context of Apple’s Health App, the first question to ask is who is using the app and what information is being collected. In most circumstances, it will be an individual user collecting information about themselves. For example, an iOS user measures their blood pressure and then either inputs the result into the Health App or the cuff can send the information by some sort of wireless connection. The blood pressure reading would most likely satisfy the definition of PHI under HIPAA, but is the information in that context actually covered by HIPAA? The answer would be no because the individual created and recorded the information. No covered entity or business associate was involved. Accordingly, when considering an individual’s solitary use of the Health App, HIPAA is unlikely to cause any issues.

The questions do not end there. What if an app that interacts with the Health App is targeted to physicians as a way of communicating with an individual, or sending reminders from the physician about an upcoming appointment? In that case, the physician’s use would likely come under the purview of HIPAA. Then the app would need to comply with HIPAA privacy and security standards, which is where the real challenge begins. Entities not involved in the healthcare field may not be aware of what is needed to comply, or the many different implications for how an app can function. Unknowingly wandering into HIPAA can be scary. The standards can change, though usually not without warning, which means that any apps falling under HIPAA will force their creators to monitor any changes that may come from the government.

With regard to the Health App, and based solely upon conjecture from reading the announcement, it would seem that Apple’s partnership with the Mayo Clinic and Epic could lead to HIPAA becoming an issue. However, the Mayo Clinic and Epic should both be very familiar with HIPAA and would hopefully assist in bringing apps into compliance or spreading the word about what it takes to be compliant.

One last issue, at least for now, to consider from the HIPAA perspective is the interaction between an individual and their physician if information collected through the Health App will be shared. As explained above, if the individual collects the information, the information is outside of HIPAA at that point. However, once the physician, a covered entity, receives it and includes the information in the individual’s medical record, then it is likely PHI within HIPAA. A clear and open dialogue between the individual and the physician should be a predicate to any sharing of information, which can be used to set expectations and explain the risks of sharing information. Additionally, a dialogue gives the physician and other covered entities the opportunity to obtain consents and/or authorizations from the individual about use of information collected and shared. An authorization can provide protection to the covered entity under HIPAA.

Despite the concerns identified at the outset of this article, it is unlikely that the HIPAA Hippo will swallow Apple and its new developments. That does not mean care and attention should not be used by all in implementing and using the Health App. Once iOS 8 and the Health App are rolled out to the general public and all partnerships come more clearly into focus, a better assessment will be possible. However, at this time, it is good to be aware of the potential issues and begin planning as appropriate.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute.