Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data, including highly sensitive information, to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk. It's mission-critical to the successful development (and future viability) of a health app to consider the privacy issues up front (otherwise known as "privacy by design") because it is cheaper to build it in than it is to remediate.
(Note: This was originally posted as part 6 of a 7-part series on Building a Health App? on our sister blog, Health Law & Policy Matters.)
The primary federal law of concern to health app developers is the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). To determine whether HIPAA applies, developers need to first understand the nature and the source of the personal data associated with their app. HIPAA only applies to protected health information ("PHI"), which is broadly defined as information that (1) is created or received by a covered entity (i.e., a health care provider, health plan or health clearinghouse); (2) relates to the past, present or future mental or physical health of an individual; and (3) identifies the individual.

Some apps will avoid HIPAA by virtue of the app not interacting with data that is created or received by a provider, plan or clearinghouse. For example, apps that require end users to input their own health information may not have to comply with HIPAA. However, other developers providing apps on behalf of covered entities are not so lucky. In these cases, the developer is likely to be considered a "business associate" of the covered entity. A business associate is broadly defined as anyone who stores, collects, maintains, or transmits PHI on behalf of a covered entity.

Again, context is crucial when determining whether a developer is a business associate. A developer offering a diabetes app on behalf of an insurer, and using PHI of the insurer, would be considered a business associate, but a developer independently offering the same exact app to the general public, and using health information volunteered by the public, would not. These distinctions can be subtle, and developers should take time to determine their position within this framework before marketing, and ideally before developing, their...