Could My Fitness App Trigger a HIPAA Incident?

As detailed in a recent issue of DecisionHealth® Part B News, healthcare-oriented personal digital tools are soaring in popularity. As patients increase their use of personal health gadgets, healthcare providers need to understand when HIPAA applies to the information patients are carrying around on their phones and tablets and around their wrists.

Personal health information is no longer just in the possession of healthcare providers. It is now often in the hands of patients themselves via a personal digital tool such as a mobile app or a wearable device. The government’s Health and Human Services Office for Civil Rights (OCR) recently released educational material addressing the applicability of HIPAA to apps and digital tools, as well as a portal for the public to ask questions on the subject anonymously.

Deven McGraw, the OCR’s Deputy Director of Health Information Privacy, recently said: “HIPAA does not cover all health information. Whether a new tech tool is covered by HIPAA is based on facts and circumstances. It’s not necessarily the product itself but who it was sold to, who pays for it, and who it is used by.”

A recent survey showed the number of Americans using wearables and mobile apps to manage their health has doubled in the past two years. One third of those surveyed use mobile health apps, and more than one fifth use a wearable. And the people using personal health tools are sharing their information with their doctors: 40% discussed or shared app data with their doctor in the past year, and 90% said that they would be willing to do so. Some doctors are not only recommending that patients use particular apps, but they are even prescribing them, such as diabetes control monitors.

Providers are often unsure whether this information sharing is subject to HIPAA’s privacy and security requirements. The OCR’s McGraw said: “HIPAA does not apply where it’s consumer facing and direct to consumer.” For example: if the relationship between an app and the provider serves only to connect a patient to the provider’s electronic health record so the patient can obtain or share information, but it’s not on behalf of the doctor, the app is not a business associate of the doctor and HIPAA does not apply.

These three situations demonstrate when a business associate agreement with the app vendor is not required because HIPAA does not apply:

  • A patient downloads an app recommended by the doctor and uses it to send information to the doctor.
  • A patient downloads an app to her phone and populates it with her personal health information. The consumer is using the app to manage her information, but it is not subject to HIPAA because the data is not in the possession of a provider, health plan, or clearinghouse.
  • A patient downloads a health app, downloads data from a doctor’s EHR system through a patient portal, and puts the data together. This also is not subject to HIPAA because the patient downloaded the data.


Once data is in the hands of a doctor, it is subject to HIPAA. Privacy and security rules apply when a personal health tool is used by a covered entity or by a business associate on behalf of a covered entity. When a business associate is involved, the parties need to execute a business associate agreement.

An app developer enters HIPAA territory when a provider:

  • Hires the app vendor
  • Pays for the vendor’s services
  • Directs the vendor to handle patient information for the provider

An example: if a provider contracts with an app developer for vital sign monitoring and transfer of information from the patient to the doctor, then not only is the data subject to HIPAA when the doctor receives it, but the developer is also acting on behalf of the doctor, so a business associate agreement is required.

SOURCES:

www.hhs.gov/blog/2016/02/11/ocr-adds-new-health-app-use-scenarios-to-developer-portal.html

http://hipaaqsportal.hhs.gov/a/ideas/top/campaign-filter/active
