Medicare Compliance & Reimbursement

Industry Note:

Phone App Developers Could Be Considered Business Associates in Certain Instances

Phone apps go beyond Angry Birds and Pandora these days — and some are so advanced that they can even fall under the HIPAA privacy laws.

The HHS Office of Civil Rights (OCR) released a report this week demonstrating just how a phone app can be subject to the HIPAA laws. According to the document, entitled “Health App Use Scenarios & HIPAA,” phone apps are not considered covered entities under HIPAA, but under some circumstances they could be considered “business associates,” which would require them to comply with some aspects of the HIPAA Rules.

For example, suppose the physician tells the patient to download a health app to her phone, and the physician contracts with the app developer for patient management services such as remote patient health monitoring. The information that the patient enters into the app then populates the physician’s EHR automatically. In this case, “the developer is a business associate of the provider, because it is creating, receiving, maintaining and transmitting protected health information (PHI) on behalf of a covered entity,” the OCR says in the document.

Likewise, if a health plan offers members an app to request, download and store health plan records and check claims status or coverage decisions, the app developer is considered a business associate.

To read more about how the HIPAA laws cover app developers, visit the HHS website at http://hipaaqsportal.hhs.gov/community-library/accounts/92/925889/OCR-health-app-developer-scenarios-2-2016.pdf.