All of us have encountered the Health Insurance Portability and Accountability Act (HIPAA) in some capacity, whether through employment with a health care provider or as a health care consumer. Even though many of us recognize HIPAA and know that it applies to health information, it is still not always easy to determine when, and whether, HIPAA applies in a given situation.

What is HIPAA?

In general, HIPAA created certain obligations and requirements for health care providers, health insurers and sponsors of group health plans relating to privacy and a consumer’s right to access their health information.

The Health Information Technology for Economic and Clinical Health Act (HITECH) extended HIPAA's requirements to protected health information (PHI) stored and transmitted electronically (ePHI). These protections are not, however, absolute, and they do not cover all medical, health, or wellness information. HIPAA applies only to specifically defined covered entities, such as a group health plan, and to their business associates, including third-party claims administrators, and only with respect to specific types of transactions.

Digital implications surrounding HIPAA.

When HIPAA was passed in 1996, the internet was already evolving rapidly, but it was still the era of dial-up modems and the first instant messaging services. The thought of accessing our health records online may not have crossed our minds. Today, you can access information instantly on your smartphone, and many doctors' offices now partner with technology vendors to connect patients with their health information through mobile apps.

With PHI so easily available, it is natural to wonder how HIPAA applies, if at all, once that information makes its way onto our smartphones. Earlier this year, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released FAQs explaining how and when HIPAA applies to mobile apps that store health information.

The answer? It depends. In the FAQs, OCR:

  • Underscored that an individual’s right to access their PHI will generally obligate a covered entity, such as a group health plan or insurance carrier, to send PHI to an app, even if the covered entity is concerned about the app’s security or how the app will subsequently use or disclose the PHI (although the covered entity may want to counsel the individual regarding the security risks involved in the disclosure).

    So, for example, if an individual uses a smart fitness tracker or a smartphone health or wellness app and asks their group health plan to send information to the device or the app, the plan can disclose that information without violating HIPAA. Once the data is in the app, however, it is no longer protected by HIPAA: the individual has no HIPAA privacy protections for that copy, and the app developer can readily share it with third parties, including marketing and analytics companies such as Google and Facebook.
  • Explained that a covered entity, such as a group health plan or insurance carrier, wouldn’t be liable under HIPAA for an app’s subsequent use or disclosure of PHI sent to the app at the direction of an individual, unless the app was “developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity.”

    So, by contrast with the example above, if a mobile app has a sufficient relationship with a covered entity (e.g., an app created for or provided by a health insurance carrier for submitting a health care claim on behalf of a plan participant), then the HIPAA rules apply, and the carrier (and the app developer, as its business associate) must follow HIPAA procedures when transmitting information to the app. That is, the app, and any use of the information an individual provides through it, is subject to HIPAA's protections.

The full FAQs are published by HHS OCR.