In February, OCR posted guidance regarding HIPAA applicability to
mobile health apps. OCR published the "Health App Use
Scenarios & HIPAA" guidance to reduce uncertainty related
to health app innovation. The guidance includes six scenarios to
help developers determine when they qualify as a "business
associate," a person or entity who creates, receives,
maintains, or transmits protected health information on behalf of a
covered entity. While such inquiries are fact- and
circumstance-specific, developers are generally not business
associates when a customer must download the app and manually input
or upload protected health information. Such arrangements require
no relationship between the app developer and a covered entity
except for an interoperability arrangement. Importantly, an app
developer who is not a business associate may still be subject to
regulatory authority under the FTC Breach Notification Rule or
under state laws.