With over 300,000 published mHealth apps on the market, many Americans are using mobile devices to track and share information about their health and fitness. While some of this data qualifies as protected health information (PHI), not all mHealth apps are HIPAA compliant. This raises an important question for physicians and other health care providers: Are mHealth apps covered by HIPAA?
Are mHealth apps covered by HIPAA?
The short answer is, “it depends.” “mHealth apps” is a broad term referring to any health-related software that runs on smartphones or tablets. Mobile health apps include everything from fitness trackers to software that allows physicians to access the EHR from their smartphone. It is therefore helpful to distinguish between mHealth apps for consumers versus providers.
mHealth apps for consumers
Most mHealth apps on Google Play or the App Store don’t fall under HIPAA because they are intended for a patient’s personal use. These include fitness trackers, heart rate monitors, weight management programs, mindfulness apps, and much more.
But many consumer apps connect patients to health care providers and health plans. These apps are subject to HIPAA rules if they handle patient health data. Consumers should thoroughly research apps and be aware of their data protection rights. However, app developers and providers should ultimately be responsible for making sure their software is HIPAA compliant.
mHealth apps for providers
HIPAA applies to covered entities (health care providers, health plans, and health care clearinghouses) and their business associates. That means HIPAA covers software and apps developed for use by doctors, clinics, nursing homes, pharmacies, health insurance companies, and related government programs.
As a provider, you’re already familiar with HIPAA, or the Health Insurance Portability and Accountability Act. This is the 1996 legislation that provides data privacy and security provisions to safeguard medical information.
You may also know that the 2009 HITECH Act extended HIPAA’s privacy and security rules more directly to business associates. This means that software developers, banks, billing firms, and health information exchanges are held to the same standards as hospitals and physicians when it comes to handling PHI.
Any software that handles PHI needs to be HIPAA compliant. As a provider, HIPAA compliance should be your litmus test for bringing an app into your practice.
What makes an mHealth app HIPAA compliant?
When a software developer says they’re HIPAA compliant, it means they’ve satisfied four main requirements. They have:
- Put safeguards in place to protect PHI.
- Limited use and sharing of PHI to the minimum necessary to accomplish the app’s function.
- Set up data security agreements with connected service providers that interact with PHI through the app.
- Established procedures to limit who can access PHI and trained their employees about how to protect PHI.
It’s important to remember that there is no certification process for HIPAA. It is up to the software developer to ensure that their administrative, technical, and physical safeguards meet HIPAA compliance requirements.
Additionally, apps that are serious about data security will often work with an external auditor to assess their compliance. Look for apps that have been audited by an independent third party.