HIPAA and mHealth: OCR unveils new guidance on role of developers

The federal government is continuing its push to help those in the healthcare industry better understand HIPAA regulations, most recently releasing guidance focusing on mHealth.

The new guidance examines six scenarios in all, focusing on two questions that deal with health apps and HIPAA:

  • How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
  • When might an app developer need to comply with the HIPAA Rules?

The scenarios provided address whether an app developer would be considered a HIPAA business associate (BA). However, the report's authors add that covered entities that transmit private health information also must apply safeguards.

One case where a developer would not be seen as a BA is if a physician suggests a patient download an app to track diet and exercise and the patient sends the information to the doctor. Another is if a patient downloads an app to manage a chronic condition and the provider and developer enter into an interoperability agreement at the patient's request so information can be seamlessly shared.

As for when a developer would be seen as a BA, that could include if a patient downloads an app for which the provider "has contracted with [the] app developer for patient management services, including remote patient health counseling, monitoring of patients' food and exercise."

In addition, a developer would be a BA if patient data from the app is automatically incorporated into the provider's electronic health record.

The authors also say that even if a developer determines it is not a covered entity, patient data protection and privacy are still of utmost importance.

Other guidance both OCR and the Office of the National Coordinator for Health IT have released includes HIPAA and interoperability, as well as patient data rights under HIPAA.

To learn more:
- here's the guidance (.pdf)