Even for those of us in healthcare, HIPAA can be pretty vexing, especially when it comes to digital health. Nearly six months ago, the Office for Civil Rights (OCR) within HHS launched a new site to solicit questions about HIPAA and digital health, medical apps in particular.
They recently posted a great resource on how HIPAA applies to medical apps, walking through several specific examples of different uses of medical apps. One particularly interesting example is an app that a patient downloads to manage a chronic disease and that can pull data from the EHR thanks to an interoperability agreement between the app developer and the healthcare provider. According to OCR, this app is not covered by HIPAA:
No. Developer is not creating, receiving, maintaining or transmitting protected health information (PHI) on behalf of a covered entity or another business associate. The interoperability arrangement alone does not create a BA relationship because the arrangement exists to facilitate access initiated by the consumer. The app developer is providing a service to the consumer, at the consumer’s request and on her behalf. The app developer is transmitting data on behalf of the consumer to and from the provider; this activity does not create a BA relationship with the covered entity.
Privacy and data security have been ongoing issues in digital health, with concerns that consumers are putting a lot of personal data into apps that aren't secure. As this guidance from OCR highlights, HIPAA actually applies to a very specific scope of products and generally excludes most consumer health apps, regardless of what information patients put into them. An app that falls outside HIPAA is not bound by its privacy and security rules, so the protections its data gets depend on the developer's own practices.
Perhaps most importantly, it reminds us that it’s ultimately up to the consumer, whether clinician or patient, to consider what personal information an app is asking for and how that data is being secured.
Source: OCR, Health and Human Services