“Health Apps: To BAA Or Not To BAA, That Is The Question. OCR Issues Guidance to Help Determine When App Vendors are Subject to HIPAA”
Safe and Sound 03/15/16 By Kerry L. Moskol and Leah M. McNeely
Are you a covered entity that is trying determine whether your health app vendor is your business associate? Are you a vendor trying to decide whether your product and services subject you to HIPAA? You are in luck! OCR recently issued guidance that includes specific scenarios in which health apps would become subject to HIPAA requirements. Although Congress would like OCR to issue more robust guidance on mobile technologies (see our blog post), we believe it is well worth the read to help address some common areas of confusion in the industry. Here is a quick and dirty synopsis.
Health app vendors will be business associates when the app creates, receives, maintains, or transmits PHI on behalf of a covered entity or a business associate of a covered entity. Health apps that are provided solely on behalf of the patient would not likely be a business associate and, thus, would not be subject to HIPAA. The key is knowing on whose behalf the app vendor is providing the services:
- If you are an app vendor whose product is provided as a service on behalf of the consumer and not as a service provided on behalf of a covered entity, then the app vendor is not a business associate.
- If you are an app vendor and all you do is sell a product to a covered entity (with no additional services provided to the covered entity), you are not a business associate.
- If you are an app vendor hired by a covered entity to develop or manage a health app for the covered entity’s use, you are a business associate.
- If you are an app vendor whose application is used by both the patient and the covered entity, but you are hired by the covered entity and your services are ultimately performed on behalf of the covered entity, you are a business associate.
For additional scenarios, we recommend reading the guidance, which is available here.