Practical mHealth HIPAA Advice: At Long Last

finger-769300_1920The Office for Civil Rights (“OCR”) at the Department of Health and Human Services, the Office of the National Coordinator of HealthIT (“ONC”) and others are becoming prolific in the amount of HIPAA guidance being issued. ONC is in the midst of a blog series entitled “The Real HIPAA” that is exploring common misunderstandings. Of focus in this article is guidance from OCR on health apps and when HIPAA applies.

Over the summer, OCR launched an mHealth Developer question and answer portal to theoretically begin addressing these issues. The portal was intended to enable industry folks to post questions and receive responses from OCR or others in the government. Users can vote on questions to hopefully move them up the answer queue. However, not much activity has occurred on the portal, At least until February 11th when OCR posted a fair amount of information directed at app developers.

The most important component of the guidance was a list of scenarios when HIPAA applies to app developers as well as a series of questions to consider in assessing the application of HIPAA. The scenarios are instructive because concrete examples are identified along with a supporting explanation as to why HIPAA applies in the scenario or not. The common theme that emerges is to focus on the intended user and for whom an app is developed. If the end user is the target, it is more likely than not that HIPAA will not apply. While the guidance is not necessarily groundbreaking (since it is consistent with good legal advice), the clear statements that can be used by the mHealth industry are a positive development.

Additionally, OCR prepared a list of threshold questions for app developers to consider when trying to figure out if a proposed app is governed by HIPAA.  The list of questions includes:

  • Does the health app create, receive, maintain, or transmit PHI?
  • Who are the clients? Are the clients covered entities, business associates, or consumers?
  • Who is providing funding for the creation of the app? Is a covered entity or a consumer paying?
  • Is the app independently selected by a consumer? What role does a physician or covered entity play in selection?
  • Who controls decisions about where data are transmitted? If data are transmitted to a healthcare provider or health plan, who makes the decision to make the transmission?

As indicated, the questions help guide an app developer through a basic HIPAA analysis. If the analysis leads the app developer down a path where a covered entity is playing a primary role, then HIPAA compliance should be built in. Being able to make the determination early in the development process will only help all connected to the potential app.

The common complaint and danger is that an app is nearing a go-live date or is in use and then questions are raised about HIPAA. This can stop all use of the app or greatly reduce the manner in which it is used. mHealth solutions are clearly growing and ensuring appropriate compliance is a worthy goal. The new guidance from OCR is the first largely public step in that direction.

It is not too surprising that the seeming flood of guidance is coming on the eve of the HIMSS Annual conference. A large portion of the HealthIT and mHealth fields will be there as well as representatives from OCR and ONC. The convergence of all of these interests offers a perfect opportunity to promote compliance and understanding, both of which have been sorely lacking when it comes to HIPAA.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
This entry was posted in Compliance, Health IT, HIPAA and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s