Anyone involved in healthcare in any capacity is familiar with the Health Insurance Portability and Accountability Act, more commonly known as HIPAA. Designed to protect patient privacy and keep medical and health information secure, the HIPAA Privacy Rule sets the standards as to how covered entities ? including providers, facilities, systems, insurers, and others ? and their business associates must maintain patient privacy.

And as anyone who has worked within the scope of HIPAA rules can attest, the restrictions can be complex and far reaching. Even seemingly small interactions and everyday actions, like calling a patient into an exam room, are governed by HIPAA rules. Yet for all the complexities in the application of the rules, HIPAA is actually quite straightforward in terms of who is covered and when. This is important for anyone involved with the development of healthcare applications to understand, because there may be times when an app and its developers fall under the HIPAA umbrella.

CEs and BAs: The Basics

The foundation of HIPAA rests on the concept of covered entities, or CEs. CEs are those individuals or companies that collect, use, and store information regarding individual patients and their health and medical care. This includes healthcare providers, clearinghouses, and payers / plans. Essentially, these CEs are required to adhere to all HIPAA standards for the protection of patient information, and cannot share any patient information without direct written authorization of the patient or his or her authorized representative.

Because CEs are not the only ones involved in the collection, storage, and transfer of protected health information, HIPAA also applies to entities known as Business Associates. In the simplest of terms, a BA is a service provider for a CE (for example, a sales agent for an insurance company, or a cloud service provider for a hospital), who has access to personal health information on behalf of the CE.

If you are not a CE, then the most important three words in that definition are ?on behalf of,? especially when you are involved in a healthcare app build.

Who?s in Charge?

According to recent guidance from the Department of Health and Human Services (HHS), what determines whether an app developer is bound to HIPAA rules is whether the developer qualifies as a BA. HHS offers a series of questions to ascertain whether you are a BA:

1. Does your health app create, receive, maintain, or transmit identifiable patient information?
2. Did a covered entity (or a business associate acting on its behalf) direct you to create, receive, maintain, or disclose information related to a patient or health plan member?

If you answer yes to both questions, then you are considered a BA and must adhere to the guidelines as such. If you answer yes to the first question, but no to the second, then you most likely do not qualify as a BA.

NEED HELP NAVIGATING HIPAA COMPLIANCE?

LEARN MORE ABOUT OUR PRIVACY & SECURITY?OFFERINGS HERE.

A Few Scenarios

Again, because the term ?on behalf of? is the key distinction when it comes to application development and HIPAA, there may be situations in which you might think that HIPAA applies, but it doesn?t.

For instance, if you are developing an app in which all the Personal Health Information (PHI) is entered directly by an individual, then HIPAA will not apply. Healthcare providers are not involved, even if the patient shares the information with his or her provider, and therefore the developer is not a BA.

In some cases, even if an app uses information from a patient?s electronic health record, it may not be covered by HIPAA. If a patient downloads an app to help manage a chronic condition, for example, and uploads information she acquired from her EHR into the app, along with additional data, the app is still not covered by HIPAA ? again because of the ?on the behalf of? clause. Even if a physician recommends the app, if the physician is not involved with the development of the app and using it to transmit data, it?s not covered by HIPAA.

For those apps that are covered by HIPAA rules, the consequences for noncompliance are severe. HHS fines for noncompliance range from $100 to $50,000 per incident, and if the agency can prove willful neglect of the rules, you may face criminal charges or even jail time.

The bottom line? If you are building an app on behalf of a covered entity that will be used to create, receive, maintain, or transmit identifiable information, then it is covered by HIPAA. Even if you are not covered by those rules, though, your app must adhere to other standards, including those set by the FTC and any other specific industry regulations. In fact, because app privacy and security have become a greater priority for many users, it?s important to focus on creating an app that is as secure as possible to prevent costly data breaches, and ensure that users and their data are kept safe.

Are you in need of a technology partner who can help you design and develop an app or enterprise solution with HIPAA compliance in mind? We can help.

To connect with one of PointClear Solutions’ technology experts, or to learn more about this blog topic (or our digital strategy, design, development, and/or management services),?Contact Us. (And don’t forget to follow us on?LinkedIn?for more great content!)