5 Guidelines for Mobile Applications and HIPAA: What Healthcare Practices Need to Know
HIPAA was passed in 1996. As of this blog post, that was 24 years ago. In those 24 years, a lot has changed in healthcare and technology. That's not to say there haven't been updates to HIPAA. There have, but nothing that really addresses the proliferation of mobile applications.
There will likely be further updates to HIPAA to address rapidly changing technology, but it's hard to imagine any legislation keeping up with tech.
HHS has, however, published guidance clarifying how HIPAA applies to mobile applications (linked here and here).
I read through that guidance and tried to put it in layman's terms as best I could. For the purpose of this blog, CE means Covered Entity, PHI means Protected Health Information, EHR means Electronic Health Record, and BAA means Business Associate Agreement.
5 Guidelines for Mobile Applications and HIPAA
- If a CE develops and maintains the app (or has it developed on its behalf), the CE is responsible for protecting the PHI in it and must comply with the HIPAA Security Rule. The app must be included in the CE's Risk Analysis and the corresponding risk management plan. If the CE neither developed nor provided the app, it is not responsible for how the app handles PHI once the app has received it; the app developer is responsible for the security of the app and for protecting the PHI it holds.
- If the CE did not develop, provide, or maintain the app, the CE is not liable under HIPAA for the app's subsequent use or disclosure of the PHI. Once the patient requests that their health information be delivered to an app they chose themselves, the healthcare practice's responsibility ends when the information has been transmitted to that app as the patient directed.
- The same applies to the EHR that a healthcare practice uses. If the patient's request for their healthcare information is fulfilled through an app developed and maintained by the EHR vendor, the EHR vendor, as a business associate, is liable for breaches under HIPAA. If the app is developed by a third party with no relationship to the EHR vendor, the EHR vendor is not liable if a breach of that app occurs.
- A CE cannot refuse to provide healthcare information as requested by a patient because of concerns over the security of the app the patient chose. The CE may warn the patient about the risk, but it must still fulfill the request.
- A BAA is required if the app creates, maintains, receives, or transmits PHI on behalf of the CE, which is the case when the app was provided to the patient by the CE directly or through its EHR vendor. If the app was not provided by or on behalf of the CE, and does not create, maintain, receive, or transmit PHI on the CE's behalf, then no BAA is required.
In a nutshell, app developers should follow security best practices regardless of where they fall under HIPAA.
Patients should be careful about how their PHI is transmitted regardless of who provided the app. An app that is not provided by or on behalf of a CE is neither a covered entity nor a business associate, so HIPAA does not apply to it, and it may therefore "share" the PHI it receives. HIPAA does not regulate how an app acting as the patient's designee (rather than the CE's) uses the PHI the CE delivered to it.
In other words, if you choose a third-party app not provided by your healthcare provider, you potentially expose your healthcare information, especially if the app's terms of use include the right to share your data.
If the app is provided or maintained by the healthcare practice (whether developed in house or by its EHR vendor), then the CE (the healthcare practice) is potentially responsible under HIPAA.
Healthcare providers can express their concerns about a third-party app not provided by the provider to the patient when a request for the patient's healthcare records is made, but they cannot refuse to deliver those records. Refusing to deliver ePHI as requested by a patient is a potential violation of the HIPAA Right of Access.
An Example of HIPAA Liability and Mobile Apps:
My children's pediatrician provides an app to communicate with the practice and to update and deliver their health information. The app (Follow My Health) is provided through a very commonly used EHR (Allscripts). Since the app is provided by the EHR that the pediatrician uses, HIPAA responsibility potentially attaches to the pediatrician, Allscripts, and Follow My Health.
A HIPAA breach of Follow My Health might mean the pediatrician could be liable as the covered entity in this case.
The HITECH Act and the Omnibus Rule put more of the onus on Allscripts/Follow My Health, since these additions to HIPAA make business associates directly liable under HIPAA, but the pediatrician could be liable as well (though that is unlikely, depending on the scenario).
If my kids' pediatrician decided not to provide an app, and I made a request for their healthcare records through some other third-party app, the pediatrician is off the hook in the event of a HIPAA breach through that app. They should at least warn me of the risk, but that is not a requirement. They do have to provide the records under the HIPAA Right of Access, but that is the only requirement in this scenario.