
What are HIPAA's mobile app requirements that developers should know?

There's a lot of confusion surrounding the HIPAA compliance requirements for mobile health apps. Expert Mike Chapple finally clears it up for health app vendors.

My company is a mobile health vendor, so we may be required to be HIPAA-compliant. The standard isn't exactly clear about its application to health app developers. Could you briefly explain how HIPAA compliance requirements apply to mobile health apps?

You're not the only one who finds the application of HIPAA to mobile apps confusing. The HIPAA regulations first took effect in 2003, years before the advent of iOS and Android devices. The drafters of the regulation simply did not envision the explosive growth of mobile technology and its potential applications to healthcare. Mapping the HIPAA regulations onto mobile app requirements is therefore far from straightforward, and it's the reason that several major developers recently sent a letter to Congress requesting clarification.

The most important question you can answer is what relationship your company has with health information. To fall under the scope of HIPAA, your company must fit into one of the following categories:

Unless your company fits into one of these categories, the HIPAA regulations simply do not apply. If the mobile app your company develops is targeted at consumers, it's probably safe unless it receives data directly from a HIPAA-covered entity and your company has signed a business associate agreement (BAA). The mere fact that your company holds health information does not subject it to HIPAA; what matters is whether that information was obtained from a HIPAA-covered entity. Health information volunteered by consumers using the app is certainly sensitive, but it does not qualify for HIPAA protection.

If your company's mobile application is targeted at healthcare providers or other HIPAA-covered entities, that's a different story. Congratulations, your company fits into the legal gray area that is worrying many in the mobile medical industry! If the app handles protected health information, covered entities will likely require your company to sign a BAA, after which it is legally bound to comply with the HIPAA provisions on security, privacy and breach notification. Under the recent omnibus rule, your company carries the same liability for HIPAA compliance as the covered entity itself. What does this mean for the app? Read my article on the provisions of the HIPAA omnibus rule to learn more.


This was last published in March 2015
