Health Information Compliance Alert

Reader Question:

Which Apps Must Be HIPAA Compliant?

Question: Our clinicians are using more and more apps for a variety of reasons, including clinical decision-making and prescribing. How can we know which apps must comply with HIPAA and which don’t need to?

AnswerWhether a software application must comply with HIPAA or other federal privacy laws depends on a myriad of factors. Thankfully, you now have a user-friendly tool to help you find the answer.

“Apps are great. They can help with delivering treatment far more efficiently,” said Mary Beth Gettins of Gettins’ Law in an April 22 blog posting. Apps can improve quality of care, communication with patients, education, and tracking and monitoring illnesses.

“However, all the information that we are importing, accessing, and storing is sensitive information,” Gettins noted. “And, at the end of the day, you don’t want it falling in the wrong hands or being used to the patient’s detriment.”

The Federal Trade Commission (FTC) recently designed a new “litmus test” to pinpoint which apps must comply with HIPAA guidelines simply by answering the following 10 questions (see www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool):

  1. Does the app create, receive, maintain, or transmit identifiable health information?
  2. Is the app developer a healthcare provider or health plan?
  3. Do consumers need a prescription to access the app?
  4. Did the developer create the app on behalf of a HIPAA covered entity?
  5. Is the app intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease?
  6. Does the app pose “minimal risk” to a user?
  7. Is the app a “mobile medical app?”
  8. Is the app developer a nonprofit organization?
  9. Did the developer create the app as a covered entity?
  10. Does the developer offer health records directly to consumers (or does the developer interact with or offer services to someone who does)?