March 4, 2016
Predicting whether the activities of a mobile health application (app) developer trigger legal obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) presents some new challenges – not surprising when 20th-century law is extrapolated to apply to 21st-century technology.

In recognition of the complexity introduced by rapidly evolving and innovative digital health technology, the Office for Civil Rights (OCR) on Feb. 11, 2016, issued new guidance on its mHealth Developer Portal titled “Health App Use Scenarios & HIPAA.” OCR released the guidance in hopes that it “will help developers determine how federal regulations might apply to products they are building” and “will reduce some of the uncertainty that can be a barrier to innovation.”

The new guidance describes six scenarios involving a mobile health app, accompanied by OCR’s analysis and determination under each scenario as to whether the app software developer would be considered a business associate under HIPAA. In each scenario, the app collects, stores, maintains, or transmits health information from the consumer and/or the consumer’s provider. 
