Deven McGraw: Not all app uses subject to HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) does not cover all health information, and sometimes--but not always--applies to health apps exchanging data with electronic health records, Devin McGraw clarified last week.

"Whether a new tech tool is covered by HIPAA is based on facts and circumstance," said McGraw, deputy director of health information privacy for the Health and Human Services Department's Office for Civil Rights (OCR), speaking at the American Bar Association Health Law Section's Annual Emerging Issues in Healthcare Law conference in San Diego on March 3. "It's not necessarily the product itself but who it was sold to, who pays for it, and who it's used by," she said.

Healthcare-oriented apps are becoming increasingly popular, but there's significant confusion as to whether and when they're subject to HIPAA's privacy and security requirements. OCR released guidance last month to attempt to educate developers and others and unveiled a portal so that they can ask questions anonymously.  HIPAA applies when an app or other personal health tool is used by a covered entity or a business associate on behalf of a covered entity; in those situations, the parties need to execute a business associate agreement, McGraw explained.

For instance, if a patient downloads data from a doctor's EHR through a patient portal and downloads a health app, and puts the data together, that is not subject to HIPAA because the patient downloaded the data. HIPAA also is not involved if the doctor recommends an app to a patient and the patient downloads it and uses it to send information to the doctor.

Moreover, if the only relationship between the app and the provider is connectability in an "interoperability arrangement" to the provider's EHR so the patient can obtain information, but it's still not on behalf of the doctor, it is not subject to HIPAA.

"HIPAA does not apply where it's consumer facing and direct to consumer," McGraw said.  

But if the provider has contracted with an app developer for services, and the information the patient inputs is automatically loaded into the provider's EHR, then the developer is acting on behalf of the provider and a business associate agreement is needed, even though the patient has some choice as to what to upload.

OCR and the Office of the National Coordinator for Health IT have released several guidance documents in recent months to reduce confusion about HIPAA, including fact sheets clarifying how HIPAA relates to EHRs and supports interoperability.

Read more on