By Adam H. Greene, JD, MPH, former Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, now a partner in the Health IT/HIPAA practice of Davis Wright Tremaine.
Once you have established that your mobile application is going to be subject to HIPAA, the next step is making sure that it allows its users (HIPAA covered entities or business associates) to fully comply with the HIPAA Privacy, Security, and Breach Notification Rules. You will need to focus on how your application shares protected health information, what security measures are in place, and how a user can tell if the information has been breached.
First, your application must allow the covered entity to comply with the HIPAA Privacy Rule. Generally, this means that the application does not make any uses or disclosures of “protected health information” that are not permitted by the Privacy Rule. If your application sends patient zip codes to you or a third party for the purpose of market research or for another impermissible purpose, then this would cause the covered entity to violate the Privacy Rule (unless the covered entity has obtained the patient’s authorization). Presumably, you are not interested in exposing your users to millions of dollars of potential HIPAA liability. Accordingly, you should avoid altogether having your software make any disclosures of protected health information that are not permitted under HIPAA -- even if you have received the covered entity’s or business associate’s consent (they may be unaware that they are getting themselves into hot water by agreeing).
If your application uses protected health information and is used by the covered entity to make treatment or payment decisions about the individual, then it may be part of the covered entity’s “designated record set.” An individual has a number of HIPAA privacy rights with respect to information in their designated record set (such as medical and billing records). This includes the right to see a copy of the designated record set and to request a correction of any information. Accordingly, if your application is part of the designated record set (because it is used for purposes of treatment or payment decisions), then you should think about how the user can provide a copy of the patient information to the patient upon request. Additionally, if the patient believes information is incorrect, can the user reflect this in the application? Can the application allow the user to modify the information or to add a note reflecting the patient’s disagreement?
Second, you must ensure that your application is reasonably secure. Ideally, the user, as a covered entity or business associate, should include your application in the user’s overall HIPAA Security Rule risk analysis, identifying potential threats and vulnerabilities to protected health information. You can greatly assist the user by also conducting your own risk analysis, employing appropriate safeguards, and making this information readily available to the user. Is it reasonable for your application to encrypt patient or enrollee information to protect against loss of the mobile device? If your application transmits protected health information to an electronic health record system or patient/enrollee, is it reasonable to encrypt the information in transit to protect against the threat of interception? Whether safeguards such as encryption are appropriate may vary based on a number of factors, such as the type of information and the availability of other safeguards (such as general controls). Whatever determination you make should be readily available to the user, such as “the application does not encrypt information because … , so you may want to turn on the encryption feature of your mobile device.”
Another security issue to consider is user authentication. If your application allows the user to remotely access a covered entity’s protected health information, does the application include a reasonable means for the covered entity to verify the identity of the user? The limitations of the mobile device may be an issue, such as when the covered entity uses multifactor authentication (e.g., a physical token and a password or PIN) for remote access to an electronic health record, but the smartphone does not support such an authentication scheme. Ideally, your application should also include an access log to the extent that information is stored locally on the device, so that the covered entity’s records can reflect when a patient’s or enrollee’s protected health information has been accessed.
Third, the HIPAA Breach Notification Rule requires covered entities to report breaches of protected health information (currently defined as impermissible uses or disclosures that create a significant risk of financial, reputational, or other harm to the individual). Covered entities are expected to report breaches that they discover, or through reasonable diligence would have discovered. Accordingly, you may want to consider how your application fits into the covered entity’s or business associate’s breach detection program. If your application is compromised, is there any way for the user to be alerted?
Finally, while the above recommendations are focused on ensuring that your users are able to comply with HIPAA, there may be circumstances where you must comply as well. If you have access to protected health information (such as through the installation or support of your application), then you may be a business associate of the covered entity or business associate who is the user. In such circumstances, you will need to enter into a business associate agreement with the user. In addition, you will be required to limit your uses and disclosures of protected health information in accordance with the Privacy Rule, comply with all requirements of the Security Rule, and notify the covered entity or business associate of any breaches of the protected health information in accordance with the Breach Notification Rule. As a business associate, a failure to follow the Breach Notification Rule is currently subject to civil money penalties, and a failure to follow the Privacy and Security Rules will be subject to penalties in the near future (rulemaking on business associate liability has not yet been finalized).
Adam H. Greene previously served as the Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, and now is a partner in the Health IT/HIPAA practice of Davis Wright Tremaine. Mr. Greene’s full bio is available at here.