The Department of Health and Human Services (HHS) has released some examples from its Office of Civil Rights (OCR) about when mHealth developers need to consider HIPAA. The guidance provides six examples, two of which trigger HIPAA requirements and four of which do not. Below is a very abbreviated list of these examples; see the full guidance for details.
- Patient uses 3rd party app without prompting: No.
- Patient loads EHR data into a 3rd party app without prompting: No.
- HCP counsels patient to use a health app and report data: No.
- Provider and app developer share data, patient uses app: No. (surprising -Ed.)
- Provider contracts with app developer for integrated mHealth tool: Yes. (aha! -Ed.)
- Patient downloads PHR app offered by her health plan: Yes.
In the examples we see that the provider organization actually has to pay the application developer to trigger HIPAA; even data sharing agreements aren’t enough. It is an interesting read for anyone building an mHealth app who is considering whether HIPAA applies.
This story first appeared in the Klick Wire, delivered 7AM every Monday.