Why App Developers Need to Understand HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is complicated, and comes with hefty penalties for violations. As developers build more and more apps that leverage users’ personal and health data, they need to understand how this law works.

HIPAA protects personal health data during transactions between entities such as insurance companies, hospitals and doctors. It was amended last year to require those covered entities to also vouch for the privacy and security practices of their business associates: companies that also handle their healthcare data, such as billing subcontractors, data analysts, vendors, and, yes, mobile app developers.


The Office for Civil Rights, which enforces HIPAA compliance within the U.S. Department of Health and Human Services, has been levying hefty fines for HIPAA violations: nine settlements since June 2013 have totaled more than $10 million. And an HHS attorney has recently said those high-profile cases will “pale in comparison” to the fines coming in the next year.

So healthcare organizations are pretty leery of exposing themselves to risk from startup partners who don’t take privacy and security seriously.

HIPAA’s one-size-fits-all approach, however, is one of app developers’ biggest frustrations, according to Chas Ballew, co-founder of Aptible, a private-cloud deployment platform to automate HIPAA compliance for developers. “It’s designed for the smallest doctor’s office all the way up to the biggest insurance companies,” he said. “So for one regulation to cover all of them, it needs to be flexible and scalable. And HHS has done that. But it’s also ambiguous; it can be confusing. The guidance, especially for technical implementation, is non-existent.”

That has ACT | The App Association, which represents more than 5,000 mobile app companies, pressing for updated HIPAA guidance. It notes that HHS last updated its HIPAA document “Remote Use” in 2006, while the first iPhone came out in 2007.

But the regulation isn’t necessarily focused on the type of personal information collected by your smartphone, smartwatch, or other mobile device. “You personally can, every day, check your blood pressure, check your own glucose—you can do all sorts of things with your medical data, but if you’re not giving it to a covered entity, this is not about HIPAA,” said Morgan Reed, executive director of The App Association.


There’s a difference between data on a device that a doctor sends home with you to help him better monitor your health and data that you, as a consumer, input into an app you’ve downloaded from the Internet and then offer to share with your doctor, explained Deven McGraw, a partner in the Washington, D.C., law firm Manatt, Phelps & Phillips and longtime member of the Health IT Policy Committee within HHS: “It’s really about who’s in control of the data on that device, on whose behalf is the device operating?”

If the consumer device sends data into the doctor’s electronic medical record system, the information is covered by HIPAA; if the data stays on the consumer’s watch or phone, it’s not. In most cases, data used with the Apple Watch or other consumer products will not be covered by HIPAA, McGraw added.

Or as Reed put it: “If all you’re doing is taking data from somebody’s scale and combining it with how many steps they walked and a calorie tracker, that doesn’t need HIPAA, there’s no covered entity involved.”

At the same time, however, other consumer-privacy regulations covering the data might apply.


Image: Apple

One Response to “Why App Developers Need to Understand HIPAA”

  1. The jury is still out as to whether much of the new data gathered by wearables will be identified as PHI. Chances are data stored locally on the device will not be under HIPAA.

    But most digital health app developers will likely use a cloud-based datastore, much like their colleagues in adjacent industries. As soon as the data is sent elsewhere, whether it’s to a traditional vendor like Parse or something home-brewed, it will be PHI that will be under HIPAA.

    To combat that, developers will need to consider HIPAA-compliant Backend as a Service vendors.

    Aptible, mentioned in the story, is a good PaaS vendor, and there are a few others out there too.

    Check out Catalyze.io — they provide both a backend as a service datastore like a Parse, as well as a HIPAA-compliant platform like a Heroku. Plus, they handle HL7 managed integration, so if you do want your data to go to any external source, like an EHR, you can accommodate industry standards.