
5 Guidelines for Mobile Applications and HIPAA. What Healthcare Practices Need to Know

HIPAA was passed in 1996. As of this blog post that was 24 years ago. In those 24 years, a lot has changed with regard to healthcare and technology. That’s not to say there haven’t been updates to HIPAA. There have, but nothing that really addresses the spread of mobile applications.

There will likely be updates to HIPAA to address rapidly changing technology, but it’s hard to imagine any legislation keeping up with tech.

HHS has published guidance clarifying how HIPAA applies to mobile applications.

I wrote about that guidance and tried to put it in layman’s terms as best I could. For the purpose of this blog, CE means Covered Entity and BAA means Business Associate Agreement.

5 Guidelines for Mobile Applications and HIPAA

  1. If a CE develops and maintains the app, then the CE is responsible for protecting PHI and must comply with the HIPAA Security Rule. The app must be included in the Covered Entity’s Risk Analysis and corresponding plan. If the CE did not develop the app, then it need not worry about PHI within the app; the app developer is responsible for the security of the app and for protecting PHI.
  2. If the CE did not develop and/or does not maintain the app, then the Covered Entity is not liable in the event of a breach involving PHI. Once the patient requests that their health information be delivered to them via an app in this scenario, the healthcare practice is no longer responsible for that healthcare information.
  3. The same applies to the EHR that a healthcare practice uses. If the patient’s request for their healthcare information is passed to an app developed and maintained by the EHR vendor, the EHR vendor is liable for any breaches under HIPAA. If the app is developed by a third party with no relationship to the EHR vendor, then the EHR vendor is not liable if a HIPAA breach occurs.
  4. A covered entity cannot refuse to provide healthcare information as requested by a patient despite concerns over the security of an app.
  5. A business associate agreement is required if the app creates, maintains, receives or transmits PHI on behalf of the covered entity, or if the app was provided to the patient by the covered entity directly or through its EHR. If the app was not provided by the covered entity and does not facilitate the creation, maintenance, receipt or transmission of PHI on behalf of the covered entity, then a BAA is not required.

In a nutshell, app developers should utilize security best practices regardless of where they fall under HIPAA.

Patients should be cautious about how their PHI is transmitted regardless of who provided the app. Apps that are not provided by a covered entity are not subject to HIPAA and therefore can “share” PHI. HIPAA does not regulate how an app acting as a designee of the patient, rather than of the covered entity, may use the PHI provided by the covered entity.

In other words, if you choose a third-party app not provided by your healthcare provider, then you potentially expose your healthcare information, especially if the app’s terms of use include the right to share it.

If the app is provided or maintained by the healthcare practice (whether developed in house or by its EHR vendor), then the covered entity (the healthcare practice) is potentially responsible under HIPAA.

Healthcare providers can express their concerns about a third-party app not provided by the healthcare provider to the patient when a request for the patient’s healthcare records is made. They cannot refuse to deliver those records. Refusing to deliver the ePHI as requested by a patient is a potential HIPAA violation under the HIPAA Right of Access.

An Example of HIPAA Liability and Mobile Apps:

My children’s pediatrician provided an app to communicate, update and deliver their health information. The app (Follow My Health) is provided through a very commonly used EHR (Allscripts). Since the app is provided by the EHR that the pediatrician uses, HIPAA liability potentially extends to the pediatrician, Allscripts and Follow My Health.

A HIPAA breach of Follow My Health might mean the pediatrician could be liable as the covered entity in this case.

The HITECH Act and the Omnibus Rule put more of the onus on Allscripts/Follow My Health, as these additions to HIPAA now make business associates directly liable under HIPAA, but the pediatrician could still be liable as well, though that is unlikely depending on the scenario.

If my kids’ pediatrician decided not to provide an app, and I made a request for their healthcare records through another third-party app, the pediatrician is off the hook in the event of a HIPAA breach through that app. They should at least warn me of the risk, but that is not a requirement. They do have to provide the records under the patient’s Right of Access, but that’s the only requirement in this scenario.

  • Jenn says:

    I worked in the insurance industry for a few years right after HIPAA was instituted. It was a complete mess trying to put all the new guidelines in place for the safety and security of our clients’ information. It seems at this point that our information is more vulnerable than ever, with most healthcare providers going all digital. It’s good to know that people are working on creating a safer environment to help keep important medical information safe.

  • This is really helpful and I so much appreciate you sharing this information with us. Thanks so much for sharing this with all of us!

  • Nina says:

    Interesting to know about the security and data analysis use of the app, I was unaware of this before!

  • Natalia says:

    I’ve never been well acquainted with technology. I’m not sure if we have something like HIPAA in Poland. Although we can deal with more and more things related to healthcare by using apps.

  • I have to say I kind of expected that all apps would have to be compliant and that we wouldn’t have to be checking on anything to make sure they were. Eek. Now I know differently. I will need to be more cautious before I take advantage of whatever is thrown at me.

  • Great read! It’s definitely educative and informative. I had no idea that mobile apps could bring that problem. I’ll keep that in mind from now on.

  • Laura G says:

    Scott, your articles are so informative and well written. I love learning from you. Thank you!

  • Norma says:

    Wow what great info. I didn’t know that those apps could bring problems. You better believe that I will remember this when installing other apps.

  • Nyxie says:

    Excellent information. I wasn’t aware of the issues with these sorts of apps. I rarely download new apps, but will keep this in mind the next time I do.

  • I usually don’t download new apps on my phone, but when I do, at least now I know what to look out for. Thanks for sharing.

  • I have definitely had a false sense of security when it comes to medical apps and my data. This was definitely enlightening.

  • Chloé Arnold says:

    All things insurance are so overwhelming for me. I didn’t realize so many things could happen from an app. Thank you for sharing this with us!!!

  • silvia says:

    Very helpful information. I actually feel very uneasy using my phone for a lot of delicate matters, including medical.
