Wearable Technology—And Their Health Applications—May Be Subject To HIPAA

It is estimated that—by 2022—wearable technology (think smartwatches and fitness trackers) will see 243 million unit sales, becoming a $29 billion (that’s with a “b”) market, growing an average of 20 percent each year between now and then. Concordantly, it is anticipated that the global mobile health applications market will generate around $111.1 billion (there’s another “b”) by 2025.

As this increasing population of consumers finds more ways to actively monitor their well-being through tracking their heart rates (expectant mothers can even use certain wearable devices to monitor their babies’ heart rates), daily caloric intakes and levels of physical activity, employers sponsoring group health plans can encourage the use of this technology and these programs for their plan participants. This could lead to better health and awareness of potential health issues which, in turn, could potentially reduce the employers’ health claim exposure.

However, the increase in popularity of these trackers and programs presents a corollary rise in the need for employers, plans, and even the health mobile application developers, to understand the extent to which the Health Insurance Portability and Accountability Act (HIPAA) privacy and security laws may apply.

By way of background, HIPAA includes privacy and security rules establishing standards for the protection of individuals’ health information called—you guessed it—Protected Health Information (PHI). Information is classified as PHI if it is individually identifiable. That is, it can be tied back to a specific person by one of a number of unique identifiers, such as a name or Social Security number, and relates to the person’s past, present, or future physical or mental health and is created, received, or maintained by a covered entity or its business associate. For HIPAA purposes, covered entities include, but are not limited to, employer-sponsored group health plans; doctors, hospitals, and pharmacies conducting electronic transactions; and health care clearinghouses.1 Furthermore, with the advent of the Health Information Technology for Economic and Clinical Health Act (HITECH) Final Rule, covered entities became liable for impermissible uses or disclosures of PHI made by their business associates.

In February 2016, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published its “Health App Use Scenarios and HIPAA” guidance (the Scenarios)2 to assist in keeping the various requirements straight with respect to health data potentially collected by wearable technology and mobile health applications. The Scenarios put forth six hypothetical situations involving careful analysis with respect to mobile health applications—specifically those applications that collect, store, manage, organize, or transmit health information—and whether the applications’ developers would be subject to HIPAA. Through the Scenarios, the OCR clarified that health application usage initiated by the consumer (e.g., a consumer voluntarily purchases and downloads a health application through which she monitors a chronic condition) would not create a business associate arrangement with the health application’s developer; the developer would not be subject to HIPAA. However, in instances in which a covered entity contracts directly with a developer for purposes of creating (for example) a health application for patient management services, and the covered entity instructs individuals to use this application to collect and transmit information to the provider, the application’s developer would be a business associate of the covered entity and would be subject to HIPAA.

In April 2019, the OCR released five new Frequently Asked Questions (“Access Right, Apps, And APIs”)3 concerning these health applications, their developers, and—building on the previous guidance—the potential liability of a covered entity with respect to impermissible PHI disclosures involving these health applications.

In these FAQs, the OCR clarifies that the HIPAA Privacy Rule generally obligates a covered entity to disclose an individual’s PHI to a health application of that individual’s selection if the PHI is readily producible in the form and format used by the health application. This is true even if the covered entity has concerns about the particular health application’s security or how it will use or disclose the PHI once it is received. However, the covered entity is encouraged to educate the individual regarding such concerns.

Furthermore, an individual’s information would no longer be subject to the HIPAA Privacy Rule once it is received from a covered entity—at the individual’s instruction—by a third-party health application selected by that individual that is neither a covered entity nor a business associate under HIPAA. As this third-party health application was not “developed for, or provided by or on behalf of the covered entity” and does not create, receive, maintain, or transmit PHI on behalf of a covered entity, the covered entity would not be liable under HIPAA for how that third-party health application subsequently uses or discloses the information it received.

However, it is important to note that—in conjunction with the clarification provided in the Scenarios—the covered entity could be held responsible for impermissible uses or disclosures of PHI received by a health application that was developed to create, receive, maintain, or transmit PHI on behalf of the covered entity for its patients (as this would render the application’s developer a business associate of the covered entity).

Again, understanding these scenarios is important not only for application developers, but for group health plan sponsors when considering how and to what extent HIPAA applies in the mobile application context.

Prompted in part by the wellness program incentives under the Affordable Care Act and HIPAA’s nondiscrimination provisions,4 employers are presented with more opportunities to incorporate wearable technology or health mobile applications into their wellness programs. For example, an employer can offer its participants access to activity trackers that may be paired to a platform or online program compiling and organizing the participants’ information to monitor ongoing corporate-wide wellness goals. In giving employees the tools to monitor (and perhaps improve upon) their own well-being, employers can realize a decrease in health care costs.

However, when considering such a program, employers will need to consider if the information collected by the application or activity tracker is PHI; whether their plan participants are independently selecting and downloading the health applications and, if so, whether the employees control all decisions concerning the transmission of health care data to a covered entity; and whether the health plan has a relationship with or pays directly for the services made available through the application. If so, then it’s likely there is a business associate relationship.

In light of the OCR’s recent FAQs, if the application developer is a business associate of the covered entity, it is essential that the employer group health plan obtains the necessary verification that the developer has its own safeguards in place to protect participant users’ PHI in compliance with HIPAA’s requirements, including, but not limited to, information about the encryption protocols used to protect the security of the electronic PHI and the secure transfer of such data to and from the health mobile application. In addition, the employer group health plan that enters into a business associate agreement with the developer should establish the various permitted and required uses and disclosures of the PHI created, received, or maintained by the health mobile application and the required use of appropriate safeguards to prevent unauthorized access to the PHI, and should require the application developer to report any instances of uses or disclosures of PHI not expressly permitted in the agreement. This includes breaches of unsecured PHI as required by HIPAA.

The information contained in this article is not intended to be legal, accounting, or other professional advice. We assume no liability whatsoever in connection with its use, nor are these comments directed to specific situations.

References:

Jason Folks, CFCI, is the director of compliance services with WageWorks, Inc., in Irving, TX. He has over 15 years of experience in regulatory compliance and employer consultation.

Folks attended New York University and holds a Certified in Flexible Compensation Instructor (CFCI) through the Flexible Compensation Institute, LLC, a wholly-owned subsidiary of the Employers Council on Flexible Compensation.

Folks can be reached via email at: Jason.Folks@WageWorks.com.