
App Vendors and BAAs

By Revenue Cycle Advisor | July 19, 2017

Wellness apps and personal health records are growing in popularity among healthcare organizations and patients, but determining when these services fall under the Federal Trade Commission's privacy regulations or the stricter HIPAA requirements can be a compliance minefield.

This is an excerpt from an article originally published on Revenue Cycle Advisor on July 3.

Consumer-facing health apps and personal health records are booming, and some covered entities (CEs) such as health plans or clinics leverage these services to help patients. Health apps and similar services and products are still a new frontier for CEs, and some might not be certain whether HIPAA applies to app vendors. But a business associate (BA) is a BA, and the same method can be used to determine whether a vendor is a BA regardless of the product or service, says Reece Hirsch, Esq., partner and co-head of the privacy and cybersecurity practice at Morgan Lewis in San Francisco. The HHS Office for Civil Rights (OCR) has published a number of health app FAQs offering specific guidance on when HIPAA applies to these vendors. Generally, if an individual purchases an app or other digital service directly from the vendor, HIPAA doesn’t apply. The vendor is, instead, required to comply with the Federal Trade Commission’s (FTC) privacy regulations under Section 5 of the FTC Act.

However, if a CE purchases a health app and makes it available to its patients or plan members, the vendor is a BA under HIPAA, and a business associate agreement (BAA) is required, Hirsch says. Although that’s simple enough for a CE familiar with the ins and outs of HIPAA, it can be confusing for a vendor.

“You have a lot of companies out there that are dealing with a bifurcated compliance model, where they have some operations that are outside of HIPAA and are just governed by their privacy policy,” Hirsch says. “Then they have other operations that are subject to all the restrictions of BAAs.”

OCR’s health app guidance includes several questions that CEs and potential BAs can ask to determine whether they need a BAA:

  • Does the app create, receive, maintain, or transmit identifiable information?
  • Is the health app selected independently by the consumer, or does the CE dictate the choice?
  • Are all decisions to transmit data to the third party controlled by the individual or by the CE?
  • Does the app developer have any relationships (contractual or otherwise) with third-party entities besides interoperability agreements?


Not all relationships between CEs and digital service vendors will require a BAA. In some cases, the CE may have a business relationship with a health app vendor or developer that supports information exchange without exchanging PHI with the vendor or developer. “You can have an agreement between a mobile app developer and a CE that just relates to interoperability to facilitate transmission of data,” Hirsch says. “That alone doesn’t make you a BA.”
