Is My Telehealth App Subject to HIPAA?

15 July 2015 Health Care Law Today Blog

Many telehealth and mHealth app developers are concerned about whether or not their app is a medical device under FDA regulations (and rightfully so), but they often pay less attention to the Health Insurance Portability and Accountability Act (“HIPAA”) rules. The developer either mistakenly presumes HIPAA applies to the app or neglects to consider health privacy issues altogether. Addressing privacy and security issues (under HIPAA and state law) should be on the “to do” list in any telehealth app developer’s business plan.

In reality, an app developer frequently is not a Covered Entity subject to HIPAA rules, and in many apps, the developer is not a Business Associate either. The specifics, of course, depend on the nature and function of the app itself. But simply because an app collects identifiable, health-related data does not mean the app is subject to HIPAA. A wearable health app used by a consumer is not necessarily subject to HIPAA, nor is a medication-adherence health app for patient self-use. These apps may be subject to Federal Trade Commission oversight and its “unfair acts” power, however.

A more important area of focus for app developers is state law, particularly if the developer intends the app to be used in multiple states across the country (or the world). More and more states have enacted their own state law privacy and security statutes. These state laws apply to a much broader scope of companies than HIPAA. An app developer can easily be subject to state privacy and security laws, even if it is not a Covered Entity or Business Associate and not subject to HIPAA rules.

California is one example. California’s Confidentiality of Medical Information Act (“CMIA”) dictates rules for permissible uses and disclosures of medical information. In the past, the California law applied to the type of companies commonly subject to HIPAA – health care providers, health services plans, and businesses that contract with these entities for work that involves access to medical information. However, the law was recently amended to expand its scope to apply to health app developers, including:

any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . in order to make the information available to an individual or provider of health care for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual.

With these changes, California law now requires health app developers and PHR vendors to “maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business.” These safeguards are in addition to any safeguards that the health app developer or PHR vendor is subject to under HIPAA. Failure to comply with the CMIA obligations could result in administrative fines and civil penalties.

Many other states have similar laws and regulations, requiring entities like telehealth app developers to comply with certain privacy and security requirements even if the company is not subject to HIPAA. Other California laws require apps to have “do not track” functionality. Florida overhauled its data security breach reporting law last year and this summer passed a law requiring specific contact information on websites and other online services. These laws have important implications for existing health apps, developers of consumer-facing health tools, and telehealth app offerings. As states continue to expand the scope of state privacy and security laws, it is critical for health app developers to understand the breadth of these laws and ensure they are in compliance.

Want to Learn More About Telehealth Privacy and Security?

For more information on telehealth privacy and security considerations, please register for this August 13, 2015 webinar, Telemedicine Privacy and Security: Safeguarding Protected Health Information and Minimizing Risks of Disclosure. The webinar will provide guidance on the privacy and security requirements and considerations healthcare providers should take into account when providing telemedicine services. The panelists will discuss best practices for protecting patient health information and privacy and minimizing disclosure risks. Key issues will include:

  • What additional privacy and security risks do telemedicine services pose for healthcare providers and business associates?
  • What practices should telemedicine providers employ to ensure HIPAA compliance and minimize the risk of disclosure?
  • What policies should healthcare entities have in place to safeguard medical information in the telemedicine context?

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.