OCR Updates HIPAA Resource for mHealth Apps, Cloud Computing
The update to OCR’s former Health App Developer Portal provides healthcare entities and mobile health app developers with HIPAA resources regarding health apps, APIs, and cloud computing.
The Department of Health and Human Services Office for Civil Rights updated and renamed its former Health App Developer Portal as a HIPAA resource page for mobile health apps, APIs, and cloud computing, designed to support covered entities and mobile health app developers.
The new webpage provides entities with guidance on how and when HIPAA regulations apply to various mobile health applications, including health app use scenarios, HIPAA Right of Access and APIs, and an interactive tool for mobile health apps.
The update is just the latest OCR effort designed to provide covered entities and business associates better understand how and when HIPAA is applied, to essentially expand a patient’s right of access and ensure patient privacy is maintained under HIPAA.
As noted by OCR in 2019, HIPAA is limited in its regulations for third-party health apps chosen by patients and not connected to or developed by their primary care physician.
“Once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA-covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate,” officials explained at the time.
Further, HIPAA liability is directly determined by the covered entity and their relationship to the health app. If a patient decides to send their health information to a provider using an app that doesn’t fall under HIPAA, the patient health data is not subject to HIPAA regulations.
As the US continues its push to adopt contact tracing apps that may fall outside of HIPAA, industry stakeholders have stressed patient privacy may be at risk.
The OCR health app site update will address privacy concerns raised by these types of health apps, while providing HIPAA covered entities and developers with insights into compliance issues and questions about HIPAA regulations.
“Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected,” officials explained. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.”
“Only health plans, health care clearinghouses and most healthcare providers are covered entities under HIPAA,” they added. “If you work for one of these entities, and as part of your job you are creating an app that involves the use or disclosure of identifiable health information, the entity (and you, as a member of its workforce) must protect that information in compliance with the HIPAA Rules.”
These entities can refer to the resource page to find guidance on use case scenarios for mHealth applications, including when an app developer may be acting as a business associate.
As such, the guide addresses two common scenarios: how HIPAA applies to health information created, managed, or organized by the patient through a chosen health app and when an app developer may need to comply with HIPAA.
Developers can also leverage the mobile health app interactive tool created in collaboration between the Federal Trade Commission, HHS Office of the National Coordinator, and the Food and Drug Administration to better understand what laws and regulations apply to them, by answering a series of questions about the nature of the app, its function, collected data, and the like.
There is also a section on the resource page dedicated to cloud computing and cloud service providers and how to comply with HIPAA when using these technologies.