The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OCR Issues Further Guidance on Health App Use

Posted By on Feb 12, 2016

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance to help mobile health application developers get to grips with HIPAA and determine whether they fall under the classification of a HIPAA Business Associate.

Last fall, OCR launched a new developer portal to improve understanding of how the Health Insurance Portability and Accountability Act applied to mobile health app developers. The aim was to improve understanding of HIPAA rules among mhealth app developers. The portal was also used by OCR to anonymously gather information that it could use to direct its focus for future guidance and determine which aspects of HIPAA were proving problematic or confusing for app developers.

The new guidance was deemed necessary after OCR assessed the comments and questions that had been submitted via the app developer portal. It is hoped that the new guidance, which has also been posted on OCR’s mHealth Developer Portal, will help app developers avoid falling afoul of HIPAA rules and will help answer some of the questions that are frequently asked.

There has been some confusion as to how HIPAA applies to mobile health apps, which are commonly used by healthcare patients to monitor their own health.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The apps often record data that is classed as Protected Health Information (PHI) under HIPAA Rules, although that does not necessarily mean that HIPAA rules must be followed by the app developer.

A number of healthcare providers have instructed patients to use mobile apps to monitor their vital signs, food intake, and exercise levels. Some healthcare providers use mobile apps to communicate with patients; for appointment scheduling for example.

The new guidance aims to answer two key questions. How HIPAA rules apply to data that is created by a patient directly when it is entered into or recorded by a health app, and when a mobile health app developer must comply with HIPAA Rules.

The new guidance explains when a mobile app developer would be classed as a business associate and offers a number of different scenarios to explain when HIPAA rules apply and when they do not.

The new guidance can be downloaded on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist