Predicting whether the activities of a mobile health application (app) developer trigger legal obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) presents new challenges, which is hardly surprising when 20th-century law is extrapolated to 21st-century technology.
In recognition of the complexity introduced by rapidly evolving digital health technology, the Office for Civil Rights (OCR) on Feb. 11, 2016, issued new guidance on its mHealth Developer Portal titled “Health App Use Scenarios & HIPAA.” OCR released the guidance in the hope that it “will help developers determine how federal regulations might apply to products they are building” and “will reduce some of the uncertainty that can be a barrier to innovation.”
The new guidance describes six scenarios involving a mobile health app, accompanied by OCR’s analysis and determination under each scenario as to whether the app software developer would be considered a business associate under HIPAA. In each scenario, the app collects, stores, maintains, or transmits health information from the consumer and/or the consumer’s provider.
The apps in these scenarios range in function from tracking the user’s diet, exercise, and weight, to letting the user enter health metrics collected by other devices (e.g., blood glucose levels and blood pressure readings obtained with home health equipment), to helping users manage chronic conditions, to providing users with a mobile version of the Personal Health Record (PHR) offered by their health plan.
The new guidance offers insight into OCR’s approach, which attempts to balance protecting consumer health information against minimizing the uncertainty that can stifle innovation. While app developers may now be able to navigate HIPAA more confidently, they will still have to navigate other potentially applicable federal laws and state privacy laws.