The Department of Health and Human Services just launched a new website, according to Healthcare IT News. Its goal is to increase awareness of HIPAA regulations. But the site isn’t aimed at doctors or insurers. Instead, it’s for health app developers.
That’s right – mobile app developers.
Why? Consider that HIPAA (the Health Insurance Portability and Accountability Act) passed way back in 1996. That’s way before we had thoughts of mobile computers, smartphones and tablets. Mobile tech does have a way of changing everything it touches.
How does the Age of Mobility impact our compliance with HIPAA’s privacy mandates?
A quick HIPAA refresher
When HIPAA was first passed, it had two broad goals. The first was to guarantee that workers could keep their health insurance if they lost or changed jobs. Along with the Affordable Care Act (ACA), that goal is close to fulfillment.
The second pushed for a national standard for exchanging health data. It prohibited careless and haphazard handling of such data. After all, that could lead to patient discrimination – including denial of coverage. Patients could name service providers allowed data access, and then limit access to “need to know.”
Electronic health records and privacy continue to be a hot topic. As more health data is shared between providers, leak prevention is more important than ever. And HIPAA non-compliance can have stiff legal and financial consequences.
Mobility + HIPAA: Is there an app for that, too?
Today, anyone with an Internet connection can access their own health records. Patients can see doctor appointments, test results, prescriptions, claims and payments… And they find it empowering.
Providers, though, find it daunting. That’s because it requires giving up control of some of that data to third parties. It also means trusting that those parties are in compliance with privacy regulations.
Why? Not every provider is a large hospital, a pharmacy chain, or a big health insurer. If they were, they’d have an IT staff and budget, so they could process, store and secure patient data themselves. Not to mention develop secure mobile apps for the patients.
But even the large players can’t do it all. Most clinics don’t have pharmacies or labs these days, nor do they process claims or payments. Yet patients expect all this information together in one place – in the palm of their hands.
How do you gather all this fragmented data, and present it in a secure, user-friendly app? Thus we turn to third-party developers.
HIPAA awareness is for app developers, too
What’s this got to do with that new website from the Office of Civil Rights (OCR)?
HIPAA compliance makes us nervous, but we can insist that our business partners comply. Doctors, labs, hospitals, pharmacies, even clearinghouses… Most health-related businesses can provide policies and reports to guarantee their compliance efforts.
But app developers – individuals, software companies, or IT departments? They aren’t healthcare providers. Are they “covered entities” when it comes to HIPAA compliance? How do they know which data is Protected Health Information (PHI), or what their apps can do with it?
- Can developers store patient data, and if so, where? In the device, the cloud, a database?
- Is patient-entered data from a mobile app considered PHI?
- Who is responsible for data sent upstream from the app?
- Do third-party APIs and their providers have to be compliant?
- How do we prevent storing data outside the app, even inadvertently?
Often the answers are still unknown. But the questions have to be asked, especially if we hire a third party to create our patients’ app.
Stay tuned as new guidelines develop
HIPAA passed almost 20 years ago. At the time, today’s mobile technology was still the stuff of science fiction. For HIPAA to fit into the mobile age, we need new guidelines and definitions. That is exactly why the OCR created the new website, but it will take some time.
If you are developing mobile apps for your patients, ask us for a HIPAA compliance checkup. Meanwhile, insist that your developers bookmark this link. It might help your compliance officer sleep better.
Are you in a healthcare-related industry? If so, do you provide mobile apps to allow patients access to their information? Tell us about it in the Comments section.