Experts weigh in on HHS' healthcare app development guidance

Who falls under the umbrella of HIPAA? The easy answer is healthcare providers. The not-so-easy answer? App developers.

When you think of HIPAA, you might naturally think of patients and providers. What you might not think of is healthcare app development.

As mobile applications become ever more popular -- not only among consumers, but also within the more traditional healthcare setting -- these apps increasingly handle and store protected health information (PHI). For app developers this means that, depending on the situation, they may be bound by HIPAA. But app developers don't necessarily have a background in healthcare and may not be familiar with HIPAA.

In February 2016, however, the U.S. Department of Health and Human Services (HHS) released healthcare app development guidance in its mHealth developer portal, detailing specific examples and scenarios to help developers better understand whether their app is dealing with PHI and therefore needs to be HIPAA compliant.

HHS' healthcare app development guidance

HHS' guidance described six scenarios and discussed whether app developers fall under HIPAA and why for each scenario. The scenarios are meant to help app developers address two questions:

  1. How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
  2. When might an app developer need to comply with the HIPAA rules?

In four of the scenarios, the app developer does not have to be compliant with HIPAA and is not considered a business associate under HIPAA. In these four scenarios, the key point is that the patient or consumer downloads the app on his own and the developer is not "creating, receiving, maintaining or transmitting protected health information (PHI) on behalf of a covered entity or another business associate," according to the guidance.

In the remaining two scenarios, the app developer does fall under HIPAA and would be considered a business associate under HIPAA.

Here is one scenario where the app developer would be considered a business associate:

At direction of her provider, patient downloads a health app to her smart phone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring patients' food and exercise, patient messaging, EHR integration and application interfaces. Information patient inputs is automatically incorporated into provider EHR.

"What's made extremely clear through this doc is the use of the phrase 'on behalf of,'" Jason Wang, founder and CEO at Truevault, a HIPAA-compliant API and cloud data store for healthcare software applications based in San Jose, Calif., said. "I think that's the line that HHS is trying to draw. If this app is developed on behalf of a covered entity, then you do fall under HIPAA because you're being a business associate of this covered entity; you're working on behalf of this covered entity."

Wang added that another key point that HHS seems to make here is the importance of who is funding the application's development. "Even if an app touches an EHR or interfaces with a covered entity, if the app is not commissioned by or funded by or it's not built on behalf of a covered entity, then based on the guidance given by HHS, it doesn't fall under HIPAA because the customer's the one downloading it," Wang said. "Even if the app is recommended by a physician, if the app is not developed by the physician, if the app is not developed by the physician provider group, then it doesn't fall under HIPAA."

However, David Reis, vice president of information services and CISO at Lahey Hospital and Medical Center in Burlington, Mass., said he thought the third scenario described by HHS in the guidance could be the most confusing for app developers new to health IT and HIPAA.

The scenario is as follows:

Doctor counsels patient that his BMI is too high, and recommends a particular app that tracks diet, exercise, and weight. Consumer downloads app to his smartphone and uses it to send a summary report to his doctor before his next appointment.

In this scenario, according to HHS' guidance, the app developer would not be considered a business associate and therefore would not fall under HIPAA.

To Reis, this scenario gives "a great description of where I think the grey area in HIPAA is as it relates to interconnectivity and [healthcare] app development," he said. "Just to kind of play it out, you're not really contracting a service from the app developer, so according to the HHS guidance the app developer is not a business associate, but at the same time you are establishing an interoperability arrangement. The interoperability without subscribing to a service is where things can get confusing for HIPAA-covered entities and app developers alike."

However, both Reis and Wang agreed that HHS' guidance is the beginning of an evolution and likened this evolution of mobile in healthcare to the payment card industry (PCI).

"[With PCI], it took a big industry push to kind of get that information out so that banks and merchants and software providers all understood what the requirements were," Reis said. "I think we're kind of going through that same evolution now in health IT."
