OCR Releases mHealth Guidance for App Developers

By Marcy Wilder & Madeline Gitomer on March 8, 2016

Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights (OCR) has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A clearer understanding of how the rules apply can also help bring down barriers to innovation.

The guidance, titled “Health App Use Scenarios & HIPAA,” builds on the mHealth Developer Portal, which serves as a platform for users to share difficult use cases and best practices. On the portal, developers can also submit questions to OCR that will inform future guidance releases. OCR announced the guidance with a statement that the agency hopes it will help developers determine “how federal regulations might apply to the products they are building” and reduce uncertainty. The guidance offers developers background information on HIPAA and then details various scenarios, identifying when an app developer is—and is not—acting as a business associate.

In scenarios where consumers enter their own health information and a HIPAA covered entity is not involved, the guidance makes clear that the developer is not a business associate. The guidance also explains that in many cases, where an app developer is not hired by a provider or plan to offer or facilitate the service, it will not be a business associate.

The guidance also runs through scenarios in which developers are acting as business associates—for example, when a provider has contracted with an app developer for patient management services like health counseling, patient messaging, or patient monitoring; or when a health plan offers an app to store and analyze health information.

Finally, the guidance lists key questions for app developers to help them determine if they are a business associate, including:

  • Does your health app create, receive, maintain, or transmit identifiable information?
  • Who are your clients? How are you funded?
  • Is your app independently selected by a consumer?
  • Does the consumer control all decisions about whether to transmit her data to a third party, such as to her health care provider or health plan?

If developers determine they are business associates, certain provisions of the HIPAA Rules will apply, including a requirement to enter into business associate agreements, when appropriate, and comply with their terms.

In addition to using this guidance, developers should consider the following steps to ensure they are aware of all applicable regulations and enforcement.

  • For apps that target international consumers, developers should take care to understand how mHealth is regulated in the EU, including what information is considered personal and/or sensitive data and what the new GDPR means for health data.
  • Regardless of whether HIPAA applies, developers should consider consumer privacy and security in designing an app; the OCR guidance provides FTC resources on app security and marketing as a place to start.
  • Developers that determine they are acting as business associates should take steps to prepare for the upcoming HIPAA audits, which will target business associates for the first time.

Posted in: Communications, Media & Entertainment, Featured Posts
Blog: Global Media and Communications Watch
Organization: Hogan Lovells
