HIPAA compliance for medical software applications can be a complicated issue to comprehend. Some eHealth and mHealth apps are subject to HIPAA and medical software regulations released by the FDA, unlike others. This article has been written with relevance to HIPAA and medical software. For information about FDA regulations, please see the FDA´s “Device Advice” blog post.
Apps & HIPAA Compliance for Medical Software Applications?
This will depend on the nature of the app’s function and what its aim is. If you build an eHealth or mHealth app that gathers personal data about the person using it for the exclusive use of the person using it, the application is not subject to HIPAA compliance for medical software applications.
If, however, the personal data is gathered and shared with a medical professional or other HIPAA Covered Entity (a healthcare insurance firm for example), then the data is considered to be Protected Health Information and the application needs to be HIPAA compliant.
Complications when considering HIPAA and medical software for personal use if the app is providing a service on behalf of a Covered Entity. If, for instance, a doctor asks a patient to wear a portable data collecting device, and the data is later to be sent to the doctor, HIPAA is applicable.
Medical Software Regulations & the Terminology of HIPAA
What is Protected Health Information?
Protected Health Information (often shortened to PHI, or ePHI when it is stored or transmitted electronically) relates to 18 specific factors about a person that could be used to determine their identity. These factors are not necessarily linked to the person´s health and include their vehicle license plate number and email address. It is important to know what data is considered to be PHI in order to determine whether or not the app needs to be HIPAA compliant.
What Does HIPAA Compliant Refer to?
In relation to medical software applications, the term HIPAA compliant means that the app is compliant with the technical and physical safeguards of the HIPAA Security Rule. In relation to almost any other event, the term HIPAA compliant means you, the tools you use and the premises you work in adhering with all the HIPAA Rules contained within our HIPAA Compliance Guide. Please note; hosting an app in a HIPAA-compliant environment does not make the app HIPAA-compliant.
What is a Business Associate?
A Business Associate is a third-party service company from a HIPAA Covered Entity who has access to PHI. The only times in which a software developer would be classed as a Business Associate (and therefore subject to all the HIPAA Rules) is if he or she is an independent developer who has been hired by a Covered Entity to develop a HIPAA-compliant app, and the Covered Entity is sharing PHI with them. In this case, the developer is required to sign a Business Associate Agreement stipulating permissible uses and disclosures of the PHI. In all other cases, you are not a Business Associate.
If you do not try to find out whether an eHealth or mHealth app you are creating is subject to HIPAA compliance for medical software applications, you could be liable for significant fines if the use – or misuse – of the app leads to a unauthorized disclosure of PHI. The U.S. Department of Health and Human Services´ Office for Civil Rights can impose fines for breaches of PHI, and – in theory – you could be subject to a penalty for the app not being HIPAA-compliant, even if no breach of PHI takes place.