The number of mHealth apps has exploded in recent years, in part due to the extremely low barriers to creating simple apps and distributing them widely. Such apps often deal with data that would be carefully secured in most other settings—protected health information (PHI), defined as information regarding a patient’s health, care provided, payments, or even patient status at a facility, if it is individually identifiable. This is designed to be broad-reaching; even a treatment date more specific than a year is sufficient for records to be considered identifiable.

The security of PHI is controlled by strict guidelines under the Health Insurance Portability and Privacy Act (HIPAA) of 1996 and the subsequent Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009—yet not all apps follow these rules or are required to do so.

Current mHealth Privacy Practices

A 2013 report from Privacy Rights Clearinghouse examining 43 popular health and fitness apps found disturbingly lax privacy practices. Only 43% of these apps offered links to their privacy policies, and roughly half of the publicly available policies were inaccurate with regard to the technical processes used to secure users’ information.

On many apps, particularly free apps, private information was transmitted without encryption or was provided to third parties without the users’ knowledge. As free apps are usually supported through advertising, their developers have a clear conflict of interest between users’ privacy and the increased ad revenue from specific audience data and targeting.

What HIPAA Covers

These apps would clearly not be in compliance with HIPAA standards, but HIPAA doesn’t apply to most mHealth apps. Rather, security is the developers’ prerogative. HIPAA covers devices and software only if they are used by healthcare providers, health insurance companies, and healthcare clearinghouses—a group collectively referred to as “covered entities”—and their “business associates.”

As a result, HIPAA does not apply to PHI on an app used privately by a patient. Even an app that can be used by a patient to transmit PHI to a doctor or other covered entity is not required to be HIPAA compliant, according to Mobi Health News. Once the information reaches the doctor it is then covered, and the doctor cannot reply through a non-compliant app.

Though privacy is among the most serious challenges for mHealth, many professionally developed apps meet or exceed HIPAA requirements. Ideally, future regulations would offer clearer guidance as to which apps must be HIPAA compliant. For now, patients need to protect themselves by researching any app that handles information they wish to keep private.
