On March 2, 2017, the International Data Corporation published a report indicating 33.9 million smartwatches and fitness trackers were shipped in the fourth quarter of 2016. This wearable technology gives consumers access to an estimated 259,000 different mobile health applications, allowing them to lead healthier lifestyles by monitoring heart rate, daily calorie intake, or physical activity.
Employers sponsoring group health plans, in turn, can potentially reduce their health claim exposure by encouraging the use of this technology and these programs for their participants, which could lead to better health and awareness of health issues. However, the increase in popularity of these trackers and programs present a corollary rise in the need for employers, plans, and even the health mobile application developers to understand the extent to which the Health Insurance Portability and Accountability Act (HIPAA) privacy and security laws may apply.
By way of background, HIPAA includes privacy and security rules establishing standards for the protection of individuals’ health information called–you guessed it—Protected Health Information (PHI). Information is classified as PHI if it is individually identifiable. That is, if it can be tied back to a specific person by one of a number of unique identifiers such as a name or Social Security number, relates to the person’s past, present, or future physical or mental health, and is created, received, or maintained by a covered entity or its business associate. For HIPAA purposes, covered entities include, but are not limited to, employer-sponsored group health plans; doctors, hospitals, and pharmacies conducting electronic transactions; and health care clearinghouses.1
Employers may receive health information that doesn’t fall into the definition of PHI, especially in conjunction with other benefits, such as life insurance benefits or accidental death and dismemberment plans, not maintained by the group health plan and therefore not subject to HIPAA’s privacy rules.
To assist in keeping the various requirements straight with respect to the health data potentially collected by wearable technology and mobile applications, the Department of Health and Human Services’ Office for Civil Rights (OCR) published its Health App Use Scenarios and HIPAA guidance2 (the Scenarios) covering the applicability of HIPAA to such mobile device applications that collect, store, manage, organize, or transmit health information.
While OCR published the Scenarios to assist application developers in obtaining direction and education in the intersection of this growing technology and HIPAA regulations, employers sponsoring group health plans and their business associates can similarly look to this publication for clarification on their employees’ use of health mobile applications and the potential impact of HIPAA’s privacy and administrative simplification requirements.
The Scenarios put forth six hypothetical situations involving health mobile applications and OCR’s guidance as to how it believes HIPAA would apply to the developer in question. The Scenarios highlight the difference between health mobile applications offered directly to consumers for their own use and health information management and those offered on behalf of a covered entity (such as a health plan or provider).
Scenario 1: A consumer voluntarily downloads a health mobile application to her smartphone and enters her health information she gathered herself (such as blood pressure readings). The consumer is using the application to manage her own health information and is neither a covered entity nor a business associate. Because the application developer is not creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity or business associate, the developer is not subject to HIPAA.
Scenario 2: A consumer voluntarily downloads a health mobile application to her smartphone to help her manage a chronic condition. She uses her health care provider’s patient portal to download her electronic health records (EHR) onto her computer and then uploads it to her smartphone along with her own health information. As before, the consumer is neither a covered entity nor a business associate and is using it for her own purposes to manage her own health information along with EHR received from her doctor. There’s nothing to suggest the doctor hired the developer to provide or facilitate this service. The application developer is not creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity or business associate and is not subject to HIPAA.
Scenario 3: A doctor recommends a particular health mobile application to a patient to track his physical activity to assist with weight loss. Based on this recommendation, the consumer downloads the application to his smartphone to send summary data to his doctor before his next appointment. Even though the doctor recommended the application, there is no indication she hired the developer to provide or facilitate the handling of patients’ PHI. The patient consumer’s use of the application to transmit data to the doctor (a covered entity) does not by itself make the application developer a business associate of the covered entity and is not subject to HIPAA.
Scenario 4: A consumer downloads a health mobile application to her smartphone to help her manage a chronic condition. The healthcare provider and the application developer have entered into an interoperability agreement at the consumer’s request facilitating the secure exchange of the consumer’s health information between the two parties. The consumer inputs her own information into the application and directs it to transmit the data to the provider’s EHR. She can also use the application to access test results from the provider. The application developer is transmitting data on behalf of the consumer, at her request, to and from the provider and is not a business associate of the covered entity. The developer is not subject to HIPAA.
Scenario 5: A healthcare provider has contracted directly with an application developer for patient management services (such as remote patient health counseling, messaging, EHR integration, and monitoring patients’ physical activity). The doctor instructs the consumer to download the application to her smartphone and the information it collects is automatically transmitted to the provider’s EHR. Because the application developer contracted directly with the provider to create, receive, maintain, and transmit the patient’s PHI on behalf of the covered entity, the application developer is a business associate of the covered entity and is subject to HIPAA.
Scenario 6: A health plan offers a health mobile application that allows participants to download and store their health records, check claim status, and track their progress towards improving their health. The usage data is collected and analyzed by the health plan. The application developer offers a separate version of the application that is available directly to the consumer with the same functionality. Since the health plan is a covered entity and is contracted directly with the application developer to create, receive, maintain, and transmit PHI on behalf of the plan, the application developer is a business associate and is subject to HIPAA with respect to the application offered by the health plan. For the direct-to-consumer version, the application developer is not a business associate provided the information gathered in the direct-to-consumer version is kept separate from the version offered by the plan.
Again, understanding these scenarios is important not only for application developers, but for group health plan sponsors when considering how and to what extent HIPAA applies in the mobile application context.
Prompted in part by the wellness program incentives under the Affordable Care Act and HIPAA’s nondiscrimination provisions,3 employers are presented with more opportunities to incorporate wearable technology or health mobile applications into their wellness programs. For example, an employer can offer its participants access to activity trackers that may be paired to a platform or online program compiling and organizing the participants’ information to monitor ongoing corporate-wide wellness goals. In giving employees the tools to monitor (and perhaps improve upon) their own well-being, employers can realize a decrease in health care costs.
However, when considering such a program, employers will need to consider if the information collected by the application or activity tracker is PHI; whether their plan participants are independently selecting and downloading the health applications and, if so, whether the employees control all decisions concerning the transmission of health care data to a covered entity; and whether the health plan has a relationship with or pays directly for the services made available through the application. If so, then it’s likely there is a business associate relationship.
If the application developer is a business associate of the covered entity, then it is essential the employer group health plan obtains the necessary verification that the developer has its own safeguards in place to protect participant users’ PHI in compliance with HIPAA’s requirements, including, but not limited to, information about the encryption protocols used to protect the security of the electronic PHI and the secure transfer of such data to and from the health mobile application. In addition, the employer group health plan who enters into a business associate agreement with the developer should establish the various permitted and required uses and disclosures of the PHI created, received, or maintained by the health mobile application, the required use of appropriate safeguards to prevent unauthorized access to the PHI, and require the application developer to report any instances of uses or disclosures of PHI not expressly permitted in the agreement. This includes breaches of unsecured PHI as required by HIPAA.
CFR § 160.103
The information contained in this article is not intended to be legal, accounting, or other professional advice. We assume no liability whatsoever in connection with its use, nor are these comments directed to specific situations.