My company is a mobile health vendor so we may be required to be HIPAA-compliant. The standard isn't exactly clear...
about its application to health app developers. Could you briefly explain how HIPAA compliance requirements apply to mobile health apps?
You're not the only one who finds the applications of HIPAA to mobile apps a confusing world. The HIPAA regulations first took effect in 2003, years before the advent of iOS and Android devices. The drafters of the regulation simply did not envision the explosive growth of mobile technology and its potential applications to the world of healthcare. Attempting to apply the HIPAA regulations to mobile app requirements is very confusing, and it's the reason that several major developers recently sent a letter to Congress requesting clarification.
The most important question you can answer is the relationship your company has with health information. In order to fall under the scope of HIPAA, your company must fit into one of the following categories:
- Healthcare providers that engage in listed electronic transactions
- Healthcare clearinghouses
- Health plans
- Business associates who have entered into formal business associates agreements (BAA) with any of the above entities
Unless your company fits into one of these categories, the HIPAA regulations simply do not apply. If the mobile app your company develops is targeted at consumers, it's probably safe unless it receives data directly from a HIPAA-covered entity and signed a BAA. The fact that your company has health information does not subject it to HIPAA, unless the information was obtained from a HIPAA-covered entity. Health information volunteered by consumers using the app is certainly sensitive, but it does not qualify for HIPAA protection.
If your company's mobile application is targeted at healthcare providers or other HIPAA-covered entities, that's a different story. Congratulations, your company fits into the legal gray area that is worrying many in the mobile medical industry! If the app deals with protected health information, covered entities will likely request that your company signs a BAA, and then it is legally bound to comply with the provisions of HIPAA related to security, privacy and breach notification. Under the recent omnibus rule, your company carries the same liability for HIPAA compliance as the covered entity itself. What does this mean for the app? Read my article on the provisions of the HIPAA omnibus rule to learn more.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The FDA takes a step back from mobile device data systems management.
Dig Deeper on HIPAA
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading