I found a great article from HHS on applications for healthcare. It’s always been somewhat of a gray area when it comes to following HIPAA guidelines when dealing with various applications for healthcare. I hope you find it useful.

Health App Use Scenarios & HIPAA

These scenarios address two questions under the Health Information Portability and Accountability Act (HIPAA):
1. How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
2. When might an app developer need to comply with the HIPAA Rules?
The answers to these questions are fact and circumstance specific. Each scenario below is based on a specific set of facts. Please keep this in mind as you review a scenario and apply it to your own circumstances. Change in a scenario may change the analysis and, as a result, change the determination of whether the app developer is required to comply with HIPAA. We hope this will help you identify the particular aspects to explore in your own analysis.

Background

Only health plans, health care clearinghouses and most health care providers are covered entities under HIPAA. If you work for one of these entities, and as part of your job you are creating an app that involves the use or disclosure of identifiable health information, the entity (and you, as a member of its workforce) must protect that information in compliance with the HIPAA Rules. For extensive information on the requirements of the HIPAA rules and how to comply with them, please see https://www.hhs.gov/hipaa/index.html

However, even if you are not a covered entity, you may be a business associate if you are creating or offering the app on behalf of a covered entity (or one of the covered entity’s contractors) – and in that case you are required to comply with certain provisions of the HIPAA Rules. In general, a business associate is a person [or entity] who creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity or another business associate. PHI is defined in the HIPAA regulations, and, in general, is identifiable health information. So, most vendors or contractors (including subcontractors) that provide services to or perform functions for covered entities that involve access to PHI are business associates. For example, a company that is given access to PHI by a covered entity to provide and manage a personal health record or patient portal offered by the covered entity to its patients or enrollees is a business associate.

Note that the scenarios below address the application of HIPAA to the app developer. In all cases in which a covered entity is transmitting PHI, either itself or using a business associate, it must apply reasonable safeguards to protect the information and nothing in the analyses below relieves covered entities (e.g., providers) of their own, independent obligation to comply with HIPAA.

Click here to access HIPAA scenarios as it relates to applications for healthcare.