Practical mHealth HIPAA Advice: At Long Last

By Matt Fisher, Esq
Twitter: @matt_r_fisher

The Office for Civil Rights (OCR) at the Department of Health and Human Services, the Office of the National Coordinator of HealthIT (ONC) and others are becoming prolific in the amount of HIPAA guidance being issued. ONC is in the midst of a blog series entitled “The Real HIPAA” that explores common misunderstandings. This article focuses on guidance from OCR on health apps and when HIPAA applies.

Over the summer, OCR launched an mHealth Developer question and answer portal to theoretically begin addressing these issues. The portal was intended to enable industry folks to post questions and receive responses from OCR or others in the government. Users can vote on questions to hopefully move them up the answer queue. However, not much activity occurred on the portal, at least until February 11th, when OCR posted a fair amount of information directed at app developers.

The most important component of the guidance was a list of scenarios in which HIPAA applies to app developers, along with a series of questions to consider in assessing whether HIPAA applies. The scenarios are instructive because concrete examples are identified along with a supporting explanation as to why HIPAA does or does not apply in each scenario. The common theme that emerges is to focus on the intended user and on whose behalf the app is developed. If the end user is the target, it is more likely than not that HIPAA will not apply. While the guidance is not necessarily groundbreaking (since it is consistent with good legal advice), the clear statements that can be used by the mHealth industry are a positive development.

Additionally, OCR prepared a list of threshold questions for app developers to consider when trying to figure out if a proposed app is governed by HIPAA. The list of questions includes:

  • Does the health app create, receive, maintain, or transmit PHI?
  • Who are the clients? Are the clients covered entities, business associates, or consumers?
  • Who is providing funding for the creation of the app? Is a covered entity or a consumer paying?
  • Is the app independently selected by a consumer? What role does a physician or covered entity play in selection?
  • Who controls decisions about where data are transmitted? If data are transmitted to a healthcare provider or health plan, who makes the decision to make the transmission?

As indicated, the questions help guide an app developer through a basic HIPAA analysis. If the analysis leads the app developer down a path where a covered entity is playing a primary role, then HIPAA compliance should be built in. Being able to make the determination early in the development process will only help everyone connected to the potential app.

The common complaint and danger is that an app is nearing a go-live date or is in use and then questions are raised about HIPAA. This can stop all use of the app or greatly reduce the manner in which it is used. mHealth solutions are clearly growing and ensuring appropriate compliance is a worthy goal. The new guidance from OCR is the first largely public step in that direction.

It is not too surprising that the seeming flood of guidance is coming on the eve of the HIMSS Annual conference. A large portion of the HealthIT and mHealth fields will be there as well as representatives from OCR and ONC. The convergence of all of these interests offers a perfect opportunity to promote compliance and understanding, both of which have been sorely lacking when it comes to HIPAA.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.