Is your healthcare app subject to HIPAA?
With more and more organizations offering healthcare apps to their employees to promote health and wellness, protecting the privacy of employee data is becoming increasingly important. As a result, employers need to understand when the Health Insurance Portability and Accountability Act (HIPAA) applies and, where it does, ensure that the app developers they do business with are compliant with the legislation.
Stefano Quintini is a partner in the technology transfers practice of Fenwick & West LLP in Mountain View, Calif. He talked to EBN about when healthcare apps are subject to HIPAA and the implications of these rules for employers, insurance companies and other healthcare vendors.
EBN: What is the Health Insurance Portability and Accountability Act and how might it impact developers of healthcare apps?
Quintini: HIPAA became effective in 2003. With the move to mandatory electronic health care billing came the realization that there ought to be national standards in place that apply to healthcare providers who bill electronically using the standard electronic transactions, as well as health insurers and healthcare clearinghouses (collectively known as covered entities), to protect the privacy and security of health information.
Those standards were also made part of HIPAA and are known as the privacy rule and the security rule. Within the past few years, HIPAA has been modified so that the security rule and the newer breach notification standards now apply to business associates [who are] some of the vendors and subcontractors of covered entities. While not all healthcare apps will fall under the jurisdiction of HIPAA, those offered by developers in conjunction with healthcare providers or health insurers may be impacted.
EBN: Why are apps offered directly to consumers for them to use in tracking their fitness activities, blood pressure levels, glucose levels, etc. not required to comply with HIPAA?
Quintini: HIPAA applies only to certain healthcare providers, health insurers, healthcare clearinghouses, and some of the subcontractors and vendors of those entities. Healthcare apps developed and offered directly to consumers independent of HIPAA covered entities and their business associates are not required to comply because they fall outside of HIPAA’s jurisdiction. However, there may be other state laws regarding the protection of personally identifiable information with which they have to comply.
EBN: You suggest that apps offered in conjunction with a covered healthcare provider or a health plan are more likely to be candidates for HIPAA compliance. Can you give me examples of that type of app and the kind of data that would typically be collected and transmitted?
Quintini: Here is one example of an app that must be HIPAA compliant: A healthcare insurance plan offers blood glucose level tracking and recording of insulin medication, along with access to a health coach app, to members enrolled in its diabetes management program. The app allows members to record their daily blood glucose levels and the frequency and dosage of their insulin medication.
Information input by the member – along with the individual’s name, member ID number and other demographic information that was provided by the member upon registration for the app – is transmitted directly from the app to the health plan and to health coaches so that the plan can keep track of those measures and the coaches can provide feedback/guidance directly to the member regarding tips for diet and exercise to help manage those glucose levels.
EBN: If an app is subject to HIPAA, what does that mean? What standards or rules will the developer have to follow in order to avoid being found offside?
Quintini: If an app developer is subject to HIPAA compliance, it will be as a business associate of the covered entity. As such, the developer would need to comply with all of the standards imposed by the security rule, the breach notification rule and any of the privacy rule obligations that the covered entity delegates to it contractually.
The security rule contains a host of physical, administrative and technical safeguards – those safeguards are either “required” or “addressable.” The security rule’s standards are technology-agnostic and are meant to be flexible and scalable to the app developer’s operations.
EBN: What are the implications of these rules for insurance companies and other healthcare vendors? What kind of questions should they be asking app developers they do business with?
Quintini: The guidance issued by the Office for Civil Rights doesn’t really change the kinds of questions covered entities [should] ask app developers. If anything, it should underscore the fact that covered entities should be asking app developers the same questions and getting the same types of assurances regarding the app developers’ abilities to safeguard their patients’ and enrolled employees’ data, prior to doing business with them.
EBN: What if any are the implications of these rules for employer-sponsored group benefit plans? What kind of questions should they be asking the vendors and app developers they do business with?
Quintini: For employer-sponsored group benefit plans, it depends on whether the employer plans to offer the app as part of the group health benefits, or whether it will be offered as a wellness benefit to all employees.
If the employer offers the app as part of its plan’s health benefit, then the app developer would be considered a business associate and HIPAA would apply. The employer should ensure that the app developer has the necessary safeguards to protect any health data that will be shared with or maintained by the app developer.
If, however, the employer is offering the app as a wellness benefit to all of its employees – regardless of whether they are enrollees in the employer’s health care plan – then HIPAA will not be implicated.
EBN: What are the privacy and insurability implications of healthcare apps that transmit data to employers, insurance companies and other vendors? How can employees and employers be sure that their health information is not sold to businesses for dubious purposes, such as insurance companies that might deny applicants coverage or charge steeper premiums based on information collected through health apps?
Quintini: At a federal level, both HIPAA and ERISA contain provisions that restrict the health-related data that can be transferred from an employer-sponsored health plan to the employer. The Fair Credit Reporting Act also contains provisions regarding the use of information to engage in activities such as underwriting insurance policies or screening high-risk applicants. Employers should also consider imposing contractual restrictions on the ways health information can be used/shared.
EBN: Can developers be certified as HIPAA compliant?
Quintini: There is no HIPAA “certification” that’s sanctioned or overseen by the Office for Civil Rights, although there are many companies out there claiming to be HIPAA compliant. Employers should be checking and ensuring that all of their vendors/subcontractors that handle personal health information have:
- Implemented reasonable safeguards to protect healthcare data.
- Created a set of HIPAA security policies and procedures.
- Provided evidence that they have trained their workforce members on those policies and procedures.
- Completed the Security Risk Assessment required by HIPAA.
- Appointed a security officer.
- Implemented current business associate agreements with all of their covered entity or business associate customers.
EBN: What other federal or state laws that employers should be aware of may govern privacy relating to data collected via healthcare apps and the transmission of that data?
Quintini: The FTC enforces the privacy guidelines directed towards companies that collect the personally identifiable information of their customers and employees. Any healthcare apps should contain both privacy-notice and terms-of-use documents that clearly detail the ways in which those healthcare apps will be collecting, using and disclosing personal information.
In California, the California Online Privacy Protection Act (CalOPPA) also regulates how businesses can collect, use and disclose personal information. Several other statutes may apply as well, depending on the type of information collected and/or its uses.