HIPAA Compliance for Medical Software Applications
HIPAA compliance for medical software applications can be a complicated issue to understand. Some eHealth and mHealth apps are subject to HIPAA and to the medical software regulations issued by the FDA. Others are not. This article covers HIPAA as it applies to medical software. For information about FDA regulations, please visit the FDA's "Device Advice" web page.
Is the App Subject to HIPAA Compliance for Medical Software Applications?
This depends on what the app does and what its purpose is. If you build an eHealth or mHealth app that collects personal data about the person using it, for the exclusive use of that person, the app is not subject to HIPAA compliance for medical software applications.
If, however, the personal data collected will be shared with a medical professional or another HIPAA Covered Entity (a health insurance company, for example), then the data is considered Protected Health Information and the app needs to be HIPAA compliant.
Complications arise between HIPAA and medical software for personal use if the app is providing a service on behalf of a Covered Entity. If, for example, a doctor asks a patient to wear a portable data-collecting device, and the data is later to be shared with the doctor, HIPAA applies.
The Terminology of HIPAA and Medical Software Regulations
For a developer building his or her first eHealth app, the terminology of HIPAA and medical safety regulations can be daunting. An explanation of HIPAA and the medical software regulations that might apply can be found in our HIPAA Compliance Guide. Some of the key terminology is explained below:
What is Protected Health Information?
The term Protected Health Information (often abbreviated to PHI, or ePHI when it is stored or transmitted electronically) refers to eighteen specific identifiers about a person that could be used to determine their identity. These identifiers are not necessarily related to the person's health and include their vehicle license plate number and email address. It is important to understand what data is considered PHI in order to determine whether or not the app needs to be HIPAA compliant.
What Does HIPAA Compliant Mean?
In relation to medical software applications, the term HIPAA compliant means that the app meets the technical and physical safeguards of the HIPAA Security Rule. In almost any other circumstance, the term HIPAA compliant means that you, the tools you use and the premises you work in comply with all the HIPAA Rules described in our HIPAA Compliance Guide. Please note: hosting an app in a HIPAA-compliant environment does not make the app HIPAA-compliant.
Am I a Business Associate?
A Business Associate is a third-party service provider to a HIPAA Covered Entity who has access to PHI. The only circumstance in which a software developer would be classed as a Business Associate (and therefore subject to all the HIPAA Rules) is when he or she is an independent developer who has been contracted by a Covered Entity to develop a HIPAA-compliant app, and the Covered Entity is sharing PHI with that developer. In this scenario, the developer is required to sign a Business Associate Agreement stipulating the permissible uses and disclosures of the PHI. In all other cases, you are not a Business Associate.
It is Important You Are Properly Informed
If you make no effort to find out whether an eHealth or mHealth app you are developing is subject to HIPAA compliance for medical software applications, you could be liable for significant penalties if the use – or misuse – of the app results in an unauthorized disclosure of PHI. The U.S. Department of Health and Human Services' Office for Civil Rights can impose fines for breaches of PHI, and – in theory – you could be subject to a penalty for the app not being HIPAA-compliant, even if no breach of PHI occurs.
If you are still unsure about whether or not you are subject to HIPAA compliance for medical software applications, you should seek further advice.