Physicians should note recent HIPAA guidelines for apps

The Department of Health and Human Services (HHS) recently released guidance for developers working on healthcare applications with physicians who may need to follow HIPAA guidelines. Rather than a list of rules, the document consists of six scenarios with comments about whether or not the developer in each case must abide by HIPAA.

Although the document is intended for those who work directly with technology, it is important for physicians to understand as well, in order to help patients make choices, be clear about the role they are required to play in the process of choosing and using health-related apps, and to be aware of what developers may or may not know about HIPAA.

Any time there are multiple stakeholders, there is the potential for complexity. Although many apps could improve health and may help those with chronic conditions enjoy a higher quality of life, regulations and precedents are still being established. The scenarios HHS offered as guidance may seem like common sense, however, they are useful in clarifying possible situations for people who are unlikely to be familiar with HIPAA ̶ such as an app developer with a background in computer science, not healthcare.

Here is one of the scenarios included in the guidelines:

“At direction of her provider, patient downloads a health app to her smartphone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, EHR integration and application interfaces. Information the patient inputs is automatically incorporated into provider EHR. ”

And the guidance that accompanies the scenario:

“Yes, the developer is a business associate of the provider, because it is creating, receiving, maintaining and transmitting protected health information (PHI) on behalf of a covered entity. In this case, the provider contracts with the app developer for patient management services that involve creating, receiving, maintain and transmitting PHI, and the app is a means for providing those services.”

For someone who is familiar with HIPAA and the idea of covered entities and business associates within the context of healthcare law, the scenario is probably pretty clear. However, according to Jeff Drummond, a partner specializing in health care law Jackson Walker, LLP, in Dallas, Texas, it would be possible for a person without a background to read the scenario and think that even though the doctor is paying, the app will be used by the patient and so there is no worry about HIPAA.

“It helps for the developer to have really clear cut examples. It explains how HIPAA works to someone who doesn’t know how it works at all,” says Drummond.

Another important point for care providers to keep in mind when it comes to apps is that there are actually three different agencies and sets of rules regarding privacy that app developers must follow. First, there is HIPAA, which is regulated by HHS. In addition, the Federal Trade Commission (FTC) and the Food and Drug Administration (FDA) both play roles, as well.  

Drummond offers the following examples:  “Some apps will read blood pressure or glucose levels and then will communicate those readings to the provider. An app connected to an insulin pump is obviously a medical device. It’s going to be considered a medical device and need full blown approval from the FDA.” However, more commonplace apps used for calorie-tracking or measuring movement collect data solely for the individual’s use and is bound by the regulations issued by the FTC designed to protect consumers.

No matter your profession, it is easy to forget that people outside your industry aren’t always familiar with things that seem commonplace to you.

“Doctors need to understand that the app developer may tell them something, but be totally wrong, because they don’t know what they are talking about,” Drummond notes.