In February, OCR posted guidance regarding HIPAA applicability to mobile health apps. OCR published the "Health App Use Scenarios & HIPAA" guidance to reduce uncertainty related to health app innovation. The guidance includes six scenarios to help developers determine when they qualify as a "business associate," a person or entity who creates, receives, maintains, or transmits protected health information on behalf of a covered entity. While such inquiries are fact- and circumstance-specific, developers are generally not business associates when a customer must download the app and manually input or upload protected health information. Such arrangements require no relationship between the app developer and a covered entity except for an interoperability arrangement. Importantly, an app developer who is not a business associate may still be subject to regulatory authority under the FTC Breach Notification Rule or under state laws.
