The Health Insurance Portability and Accountability Act (HIPAA) is complicated, and comes with hefty penalties for violations. As developers build more and more apps that leverage users’ personal and health data, they need to understand how this law works.
HIPAA protects personal health data during transactions between entities such as insurance companies, hospitals and doctors. It was amended last year to require those covered entities to also vouch for the privacy and security practices of their business associates: companies that also handle their healthcare data, such as billing subcontractors, data analysts, vendors, and, yes, mobile app developers.
The Office for Civil Rights, which enforces HIPAA compliance within the U.S. Department of Health and Human Services, has been levying hefty fines for HIPAA violations: nine settlements since June 2013 have totaled more than $10 million. And an HHS attorney has recently said those high-profile cases will “pale in comparison” to the fines coming in the next year.
So healthcare organizations are pretty leery of exposing themselves to risk from startup partners who don’t take privacy and security seriously.
HIPAA’s one-size-fits-all approach, however, is one of app developers’ biggest frustrations, according to Chas Ballew, co-founder of Aptible, a private-cloud deployment platform to automate HIPAA compliance for developers. “It’s designed for the smallest doctor’s office all the way up to the biggest insurance companies,” he said. “So for one regulation to cover all of them, it needs to be flexible and scalable. And HHS has done that. But it’s also ambiguous; it can be confusing. The guidance, especially for technical implementation, is non-existent.”
That has ACT | The App Association, which represents more than 5,000 mobile app companies, pressing for updated HIPAA guidance. It notes that HHS last updated its HIPAA document “Remote Use” in 2006, while the first iPhone came out in 2007.
But the regulation isn’t necessarily focused on the type of personal information collected by your smartphone, smartwatch, or other mobile device. “You personally can, every day, check your blood pressure, check your own glucose—you can do all sorts of things with your medical data, but if you’re not giving it to a covered entity, this is not about HIPAA,” said Morgan Reed, executive director of The App Association.
There’s a difference between data on a device that a doctor sends home with you to help him better monitor your health and data that you, as a consumer, input into an app you’ve downloaded from the Internet and then offer to share with your doctor, explained Deven McGraw, a partner in the Washington, D.C., law firm Manatt, Phelps & Phillips and longtime member of the Health IT Policy Committee within HHS: “It’s really about who’s in control of the data on that device, on whose behalf is the device operating?”
If the consumer device sends data into the doctor’s electronic medical record system, the information is covered by HIPAA; if the data stays on the consumer’s watch or phone, it’s not. In most cases, data used with the Apple Watch or other consumer products will not be covered by HIPAA, McGraw added.
Or as Reed put it: “If all you’re doing is taking data from somebody’s scale and combining it with how many steps they walked and a calorie tracker, that doesn’t need HIPAA, there’s no covered entity involved.”
At the same time, however, other consumer-privacy regulations covering the data might apply.