HIPAA stands for the Health Insurance Portability and Accountability Act.
This law act began in 1996 with the aim of protecting and keeping private the medical records and personal health information (PHI) of individuals.
"PHI" is defined as information found in a patient’s medical record that could possibly be used to identify that individual, and that came about in the course of obtaining a health care service, such as a diagnosis or a treatment.
HIPAA applies to and must be followed by healthcare providers such as doctors, dentists, and pharmacies, as well as health plans such as health insurance companies, government programs, and HMOs, and finally health care clearinghouses such as health information processors.
Mobile apps will also fall under the scope of HIPAA if the app deals with and stores the PHI of a user, and shares this PHI with one of the above covered entities.
Examples of PHI include blood test results and other medical test results, billing information, prescriptions someone is on, etc.
Information that would not count as PHI under the HIPAA purposes include health data such as calories burned, weight loss data, steps taken in a workout, heart rate and blood sugar readings so long as there's no personally identifiable user information attached.
For example, the MyFitnessPal app would not fall under the scope of HIPAA because it does not store or transmit PHI.
The mobile app allows users to track fitness data such as calories consumed in a day, and how much cardio exercise has been done. This kind of information is not considered PHI, but is considered to be "Consumer Health Information".
Another example of a popular health app that does not fall under the scope of HIPAA is the Wahoo Fitness family of mobile apps. Wahoo apps track how many miles users have cycled, ran, and how much weight users lost along the way.
Like the MyFitnessPal mobile app, this data is not considered PHI for purposes of the HIPAA act.
Checklist to determine if you need to comply
Here's a quick checklist to determine if your mobile app is required to comply with the HIPAA act:
- Does your mobile app collect, store, or share/transmit personally identifiable health information, such as medical test results, pharmaceutical and medicine or treatment information, billing and health insurance information with a health care provider or other HIPAA-covered health entity?
- If yes, you'll need to be HIPAA compliant
- If no, go to #2 below
- Does your mobile app have the capabilities to collect, store, or share personally identifiable health information?
- If yes, your mobile app will need to be HIPAA compliant
- If no, you do not need to be HIPAA compliant
Examples from health mobile apps
The iTriage health app helps users pinpoint your possible illness and get in touch with the right doctor by asking users a series of questions about their symptoms. This app stores a user's PHI and allows the user to share it with doctors, pharmacists, and others. Appointment and medication information can also be stored and managed through the iTriage app.
Because of this storing and sharing of users' PHI, the iTriage app would fall under the scope of HIPAA.
The Privacy Policy of iTriage includes a number of sections where PHI is mentioned, including the section noted in the image below that mentions HIPAA:
In the "Choices and Access" section of iTriage's Privacy Policy, users are told that their PHI will not be used or shared for marketing purposes unless they opt-in to this. This lets users know that their PHI is safeguarded and not being shared without their consent:
The "Security" section lets users know that iTriage takes steps to ensure the security of PHI when the data is transmitted or stored on the app or company servers. This is important, as HIPAA was created to protect the security of PHI, and having security in place is a requirement of HIPAA for apps that fall under its scope.
The HealthTap app allows users to connect to doctors through the app via texting, video calls, and group forums and allows these users to discuss in-depth health issues and create treatment plans with real doctors, all through the app.
The HealthTap mobile app falls under the scope of HIPAA because it collects PHI and transmits it directly to a doctor through the app.
While the basic service of the app keeps users' information anonymous and doesn’t share any personally identifiable information, the premium services of the app (HealthTap Prime and HealthTap Concierge) are confidential but not anonymous. Doctors will receive access to a user's PHI and other personally identifiable information for treatment purposes.
The Privacy Statement of HealthTap includes sections on anonymity, security, and the use of personally identifiable information.
The "Security" section explicitly mentions HIPAA and lets users know that the app meets "HIPAA security standards for all interactions subject to HIPAA security regulations."
This section goes on to inform users that "HealthTap is a Business Associate of health care professionals under the federal healthcare privacy and security law known as HIPAA."
"Personally Identifiable Information" is defined for users and detailed information about use and security of this information is outlined:
The Doctor on Demand website and its mobile app lets users have a video appointment with a doctor when they need it, without having to wait for hours in an office waiting room or waiting a week to get an appointment.
Because both the website and the mobile app collects a user's PHI and transmits it directly to a doctor through the app, it falls under the scope of HIPAA.
The Privacy Policy of Doctor on Demand makes it very clear to users by using capital letters and prominent text that the site collects and transmits personal, medical, and health-related information about its users.
There's a separate HIPAA section that lets users know that the service and Privacy Policies are designed to comply with the HIPAA act, and that further information can be found in the "Notice of Privacy Practices" section:
Within the "Notice of Privacy Practices" section, users are informed of the responsibilities of Doctors on Demand under HIPAA, as well as what the users' rights are under the law:
Users are also informed of what types of health information are collected, and how this information is used by the app. Health information such as test results, diagnoses, and medications will be disclosed for treatment. Services and supplies records are used for payment purposes, and other health information can be used to improve customer service and train staff.
In contrast to the apps mentioned above that fall under the scope of HIPAA, the Strava mobile app records users' running and bicycle riding routes with GPS and tracks how far users run or bike.
As a result, Strava mobile app does not fall under the scope of HIPAA.
The Privacy Policy of Strava informs users that personal information is not collected, however, a user can choose to enter information into the app such as what equipment is being used, what bike routes a user wants to map out, and other information such as a name, zip code, and email address.
None of this information qualifies as PHI under HIPAA.
Strava still has a section on data transmission security ("SSL"), but it deals with the protection of credit card information and protecting home address information rather than keeping PHI secure.
In sum, if your mobile app deals with the collection, use, and storage of personal health information of users, such as medication, results of medical tests, and treatment plans, and transmits this PHI to an entity that falls under HIPAA (such as a doctor, dentist, or insurance company), your business and the mobile app must be HIPAA compliant.
If your mobile app only deals with consumer health information, such as tracking workout progress of calories burned or pounds lost, miles ran, or hours slept, your mobile app will not need to comply with the HIPAA act requirements.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.