How HIPAA applies to the burgeoning world of mobile health
The federal regulatory environment has not kept pace with the progress of mobile health. Mobile health is driven by consumers who expect to have all sorts of information, including health data, on their phones, said Jeffrey Dunifon, an associate attorney at Baker & McKenzie who previously was an investigator at the Department of Health and Human Services Office for Civil Rights.
To help healthcare provider organizations and mobile developers navigate the HIPAA waters, Dunifon points to the HIPAA Questions Portal at hipaaqsportal.hhs.gov, which was launched by HHS. Providers and developers ask questions, and HHS provides answers, said Dunifon, who spoke today at the HIMSS and Healthcare IT News Privacy & Security Forum in Los Angeles during a session entitled "HIPAA and mHealth: Key Challenges and Solutions."
"Key issues covered on the site include businesses regulated by HIPAA, information covered by HIPAA, and HIPAA compliance measures," Dunifon said.
When it comes to mobile health, or mHealth, it's important to fully understand the entities covered by HIPAA. These include healthcare providers, health plans and clearinghouses.
"Less clear, though, is when a company becomes a business associate under HIPAA," Dunifon explained. "A business associate is any entity that accesses or discloses protected health information for or on behalf of a covered entity or another business associate. This is very relevant in the developer environment."
Examples of businesses and tools that could require a business associate agreement, according to Dunifon, include:
- A cloud services vendor that hosts PHI. "OCR has said in no uncertain terms that if an organization is using a cloud services vendor to host PHI, it needs a business associate agreement," Dunifon said.
- An electronic health record developer that accesses PHI to help troubleshoot technical issues. "This is more on the routine side of the business associate definition, a company that has routine, ongoing access," he said.
- A live translation mobile app used between healthcare providers and patients. "If an organization is using an iPhone or iPad on a live basis to have conversations between patients and providers discussing PHI, that needs to be covered by a business associate agreement," Dunifon said.
- A patient appointment scheduling and payment mobile app. "If a provider offers to let patients schedule an appointment or pay for an appointment, that app developer needs to be covered by a business associate agreement," he said. "That can be a little confusing sometimes because there's not a clear health element to it."
- Remote medical devices or apps sharing health indicators. "If you have a medical device someone is wearing that's sending information to an app, which is sharing that with the healthcare provider, and the app company is playing a role in transmitting or maintaining that information, that may be PHI covered by HIPAA," Dunifon said.
"In mobile health, if a consumer is paying for a product, it might not be PHI," he added. "But if it is being tracked by a covered entity, then it may be PHI."
Dunifon pointed conference attendees to a variety of resources to help with HIPAA compliance and mHealth, including the National Institute of Standards and Technology's Special Publications, the HHS Office for Civil Rights, HIMSS and Baker & McKenzie.