
What physicians should know before recommending apps
There are apps required to be HIPAA compliant and those that aren’t. If you are a physician, you should know the difference.
Although the Department of Health and Human Services (HHS) has provided guidance
However, things become more complex when an app performs a calculation to determine what dosage of medication a patient should take, or when information the app collects is recorded in the patient’s electronic health record (EHR). Physicians should evaluate the apps they recommend to patients to determine whether or not they must comply with HIPAA regulations, and when working directly with developers, physicians must ascertain whether or not the developer understands HIPAA requirements.
The questions to ask will vary, depending on the situation. When recommending an off-the-shelf app, the evaluation process should be fairly simple. If the data collected is for the patient’s personal use and will not be transmitted to their EHR, there is no HIPAA concern.
If a physician decides to work directly with a developer to create an app for a specific patient population, the necessity for HIPAA compliance is greater. A good place to start is with the recent guidance from HHS. Whether or not the developer is familiar with it may serve as a sort of gauge as to whether or not the developer is a professional working within the healthcare space.
“I think the first question a physician should ask is whether the developer has taken the recent [HHS Office of Civil Rights (OCR)] guidance into account,” says Scott Chase, an attorney who is board certified in health law in Texas, with Farrow-Gillespie & Heath, LLP. If the developer has not taken the guidance into consideration, “the physician may want to re-think the professionalism of the developer,” he adds.
Whether or not any app must be HIPAA compliant hinges on how personal health information (PHI) is used. According to HHS,
Regardless of the intended use of the app in question, Chase adds that encryption should be part of the conversation. If a developer or physician makes a mistake in determining whether or not an app should comply with HIPAA, he says “HIPAA-compliant encryption could save them from a HIPAA complaint, in case of a breach of PHI.”
In other words, regardless of whether or not the developer has taken HIPAA into consideration in the process of creating an app, if patients’ PHI is properly encrypted, the physician who suggests patients use the app has a layer of protection in the event of a complaint.