HIPAA Compliance for Medical Software Applications
HIPAA compliance for medical software applications can be a complicated issue to understand. Some eHealth and mHealth apps are subject to HIPAA and to the medical device regulations issued by the FDA. Others are not. This article covers only the HIPAA side of medical software. For information about FDA regulations, please visit the FDA's "Device Advice" web page.
Which Apps Are Subject to HIPAA Compliance for Medical Software Applications?
This depends on the app's function and purpose. If you build an eHealth or mHealth app that collects personal data about the person using it exclusively for that person's own use, and the data is never shared with a healthcare provider, health plan, or other HIPAA Covered Entity, the app is not subject to HIPAA compliance for medical software applications.
If, however, the personal data collected will be shared with a medical professional or other HIPAA Covered Entity (a health insurance company, for example), then the data is considered Protected Health Information and the app needs to be HIPAA compliant.
Complications can arise with apps intended for personal use if the app is providing a service on behalf of a Covered Entity. If, for example, a doctor asks a patient to wear a portable data-collecting device, and the data is later to be shared with the doctor, HIPAA applies even though the patient is the one using the device.
The Terminology of HIPAA and Medical Software Regulations
What is Protected Health Information?
The term Protected Health Information (often abbreviated to PHI, or ePHI when it is created, stored, or transmitted electronically) is defined as individually identifiable health information relating to an individual's past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or payment for that healthcare, where the information identifies the individual or could reasonably be used to identify them. When such health information is stored together with "non-health" identifiers (name, email address, date of birth, etc.), those identifiers become part of the PHI and receive the same protections as the health information itself.
What Does HIPAA Compliant Mean?
In relation to medical software applications, the term HIPAA compliant means that the app, and the organization operating it, meet the administrative, physical, and technical safeguards of the HIPAA Security Rule, and that uses or disclosures of Protected Health Information are limited to those permitted by the HIPAA Privacy Rule. Please note: in most circumstances, uses and disclosures to a third party are only permissible when a Business Associate Agreement is in place. Additionally, hosting an app in a HIPAA-compliant environment does not make the app HIPAA compliant. The hosting provider's agreement covers the infrastructure it operates; the app's own access controls, audit logging, integrity protections, and encryption of ePHI in transit and at rest remain the developer's responsibility.
Am I a Business Associate?
A Business Associate is a third-party service provider that creates, receives, maintains, or transmits PHI on behalf of a HIPAA Covered Entity. One circumstance in which a software developer would be classed as a Business Associate (and therefore subject to the HIPAA Rules) is an independent developer contracted by a Covered Entity to build a HIPAA-compliant app, where the Covered Entity shares PHI with the developer during the development process (test data drawn from real patient records, for example). In this scenario, the developer is required to sign a Business Associate Agreement stipulating the permissible uses and disclosures of the PHI.
It is Important You Are Properly Informed
If you make no effort to find out whether an eHealth or mHealth app you are developing is subject to HIPAA compliance for medical software applications, you could be liable for significant penalties if the use, or misuse, of the app results in an unauthorized disclosure of PHI. The U.S. Department of Health and Human Services' Office for Civil Rights, the Federal Trade Commission, and State Attorneys General can impose fines for breaches of PHI, and, in theory, you could be subject to a penalty for the app not being HIPAA compliant even if no breach of PHI occurs.
If you are still unsure whether you are subject to HIPAA compliance for medical software applications, you should seek further advice.
HIPAA Compliance for Medical Software Applications: FAQs
What difference does it make that data is shared?
One of the reasons why medical software apps have to be HIPAA compliant when data is shared is that, under HIPAA, anyone who creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity is a Business Associate. The Business Associate Agreement stipulates the permissible uses and disclosures of that PHI, so that every party handling the data is accountable for it and an audit trail of who accessed it, and why, can be maintained.
What if data is shared with a third party not covered by HIPAA?
This depends on whether the app meets the definition of a medical device under §201(h) of the Food, Drug, and Cosmetic Act. If so, although the data will not be subject to the protections of HIPAA, the app will likely be regulated by the FDA. If not, the app will be subject to the requirements of §5 of the Federal Trade Commission Act, and, if it handles identifiable health information, the FTC's Health Breach Notification Rule. It is important developers know which rules apply in which circumstances.
If an app is developed in-house, is a Business Associate Agreement necessary?
If a member of a Covered Entity's own IT team builds a medical software application, and the application is only used to communicate data to or from a patient of the Covered Entity, no Business Associate Agreement is required, because workforce members are not Business Associates. However, it may be necessary to advise the patient of what data is being transmitted and how it is being maintained and used.
What are the penalties for an app not being HIPAA compliant?
The penalties vary depending on the nature of the issue, the impact it has on privacy and/or security, and the reason for the issue (lack of knowledge, lack of oversight, willful neglect, etc.). In most cases, the investigating agency (HHS' Office for Civil Rights, the FDA, or the FTC) will offer technical assistance or impose a corrective action plan, but all three agencies have the authority to issue substantial fines.