As federal and state governments struggle to address future healthcare regulation, demand for healthcare that is cheaper, better and faster continues to surge. Every day, new healthcare apps are being developed to respond creatively to this demand. But pitfalls may await unsuspecting app developers where the lightning-fast technology sector meets the highly-regulated healthcare industry. Failure to comply with the Health Insurance Portability and Accountability Act (HIPAA) is one such pitfall.
In this update, we highlight several HIPAA issues that all developers in the healthcare app field should consider, as well as healthcare plans, insurers and others parties contracting with developers.
Issue #1: HIPAA applies to more than healthcare providers.
HIPAA applies to “covered entities” and their “business associates.” Covered entities include health plans, healthcare providers that engage in certain electronic transactions and healthcare clearinghouses. A “business associate” is a person or entity providing services to a covered entity where such services involve the use or disclosure of protected health information or “PHI.” In addition, subcontractors of business associates are directly subject to HIPAA and can be affected by the HIPAA obligations of their upstream business associates.
This means that an app developer that creates a product designed to provide, for example, a platform for consumers (patients) to access or provide health information about themselves may be considered a “business associate” of the associated healthcare provider. In that case, the app developer will be subject to HIPAA and its regulations, which limit how PHI can be used and disclosed and impose numerous requirements on those handling such information.
The following questions should be considered when determining whether a healthcare app developer is a business associate of a covered entity or a subcontractor to a business associate:
- Does the healthcare app create, receive, maintain, or transmit personally identifiable health information?
If the answer is yes, the developer could be a business associate. More information would be needed about the developer’s customer to confirm.
- Will covered entities, such as healthcare providers or health plans, create, receive, maintain, or transmit PHI in connection with the app?
If the answer is yes, the developer is more than likely a business associate subject to HIPPA.
- Will the app be used by business associates of other covered entities?
If the answer is yes, there should be a determination of whether the app involves PHI. If so, the developer is more than likely a subcontractor to a business associate.
- How will the app generate revenue?
Whether HIPAA applies to the developer will depend in part on understanding the role of the customer paying for the app—particularly in areas that may be gray, such as service relationships that involve third-party data.
- From whom will the developer be gathering data? A customer or consumer?
Consumer-facing products that are not made available on behalf of a covered entity or business associate generally will not be subject to HIPAA, but may be subject to stringent privacy and security requirements under the Federal Trade Commission Act and state law. Products created for a covered entity or business associate customer that gather data from or provide data to consumers, however, may cause the developer to be subject to HIPAA.
Issue #2: Compliance with HIPAA requires more than simply executing a business associate agreement (BAA).
Many of the terms in a BAA rely on the underlying assumption that the business associate is already in compliance with HIPAA privacy and security regulations governing use and disclosure of PHI and other requirements, and that the business associate has policies and procedures in place documenting such compliance.
Business associates that are not in compliance with a BAA’s terms are not only at risk of incurring substantial penalties imposed by the Office for Civil Rights, which enforces HIPAA under the Department of Health and Human Services, but also for breach of contract claims. We do not recommend signing a BAA unless the developer is certain it is a business associate, making the BAA required, and prepared to fully comply with HIPAA.
Issue #3: HIPAA applies to more than medical records.
The term “PHI” is broadly defined to include any information that involves an individual’s medical condition, healthcare, or payment of healthcare services and that can be used to identify the individual if it is held by either a covered entity, a business associate, or a subcontractor to a business associate. Some courts have determined that PHI includes an individual’s name and address along with the name of a healthcare provider—even without any medical records involved. Understanding where the information used by a healthcare app originates is important to any analysis of HIPAA’s application.
Issue #4: HIPAA noncompliance can be costly.
Failure to comply with HIPAA can result in large penalties or negotiated settlements, as highlighted in a prior update. Moreover, the civil penalties that apply directly to covered entities and to business associates with respect to HIPAA violations were increased this year, up to a maximum penalty of $1,677,299 for identical violations in a calendar year. HIPAA also provides for criminal penalties in certain circumstances. Potential damage to reputation and related business impact should also be part of any risk evaluation.
For covered entities and their business associates (and those that subcontract with business associates), compliance with HIPAA is not optional. Although there are investment costs in implementing procedures and systems responsive to HIPAA, these costs are likely less than the costs that could result in the event of a HIPAA enforcement action. Healthcare app developers should investigate early in the development process whether HIPAA will play a role, so that HIPAA requirements can be properly addressed during feasibility studies, all the way through app launch and after. To avoid these and other potential HIPAA pitfalls, please contact counsel experienced with HIPAA compliance in the digital space.
© 2017 Perkins Coie LLP