SOS Answered: New Guidance on HIPAA for App Developers

April 12, 2016 | By Lawrence J. Tabas

Amidst criticism that the Health Insurance Portability and Accountability Act (“HIPAA”) lags behind technological innovation, the Office for Civil Rights (“OCR”) released new guidance to aid app developers in determining how HIPAA may apply to the products they are building and developing. OCR explained that the guidance is intended to “reduce some of the uncertainty that can be a barrier to innovation.”

OCR’s guidance walks through how an app developer could be required to comply with HIPAA. The guidance explains that app developers who work for a covered entity (meaning a health plan, a health care clearinghouse, or a health care provider) and, as part of their jobs, are developing an app that involves the use or disclosure of protected health information (“PHI”) are covered by HIPAA. The guidance explains that HIPAA also covers app developers who are business associates of covered entities if they are creating or offering an app on behalf of a covered entity or one of the covered entity’s contractors.

To reduce confusion, OCR’s guidance provides a number of scenarios that address two important questions under HIPAA. First, how does HIPAA apply to health information that a patient creates, manages, or organizes through the use of a health app? And second, when might an app developer need to comply with HIPAA?

For example, the OCR guidance presents a situation in which a patient downloads a health app to her smart phone at the direction of her provider. The provider has contracted with the app developer for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, and EHR integration and application interfaces. The patient inputs information that is automatically incorporated into the provider’s EHR. In this scenario, does HIPAA apply to the health information managed by the app? Does this app developer need to comply with HIPAA?

In this case, the developer is a business associate of the provider because the developer is creating, receiving, maintaining, and transmitting PHI on behalf of the provider (a covered entity). The provider contracts with the app developer for patient management services that involve creating, receiving, maintaining, and transmitting PHI. The app is a means of providing patient management services.

To further aid app developers in determining whether they are a business associate and therefore within the purview of HIPAA, the OCR guidance offers a number of key questions for an app developer to consider, including:

  • Does your health app create, receive, maintain, or transmit identifiable information?
  • Who are your clients? How are you funded?
  • Were you hired by, or are you paid for your service or product by, a covered entity? Or another business contracted to a covered entity?
  • Does a covered entity (or business associate acting on its behalf) direct you to create, receive, maintain or disclose information related to a patient or health plan member?

In addition, the OCR guidance allows developers and members of the general public to submit questions, offer comments on other submissions, or vote on the relevance of questions posted by others. All questions and comments can be submitted to OCR anonymously.

To read more information about OCR’s guidance, click here.

To review all of OCR’s example scenarios, click here.

About the Authors

Lawrence J. Tabas
Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...