In recent FAQs, the Department of Health and Human Services (HHS) provided additional guidance on covered entities HIPAA obligations amid the growing wellness trend of utilizing health applications and fitness trackers to monitor health trends and progress.Forbes reports that “worldwide wearables sales will grow by an average of 20 percent each year over the next five years, becoming a $29 billion market with 243 million unit sales by 2022.” Likewise, a 2012 Pew Research Center Mobile Health Report found that one in three cellphone owners used their phones to look for health information while one in five smartphone owners downloaded a health app, with exercise, diet, and weight apps being the most popular. By 2015, a national survey showed as much as 58% of mobile phone users had downloaded a health-related mobile app, but that nearly half of the users had stopped using the apps partly because of the high data entry burden.
To ease their manual data entry burden, many covered individuals are requesting that the covered entity (the health plan or health care provider), provide their electronic protected health information (ePHI) directly to the third-party app. For covered entities that must ensure it has appropriate measures in place to protect its covered individuals’ ePHI, these apps and trackers can pose unique challenges when trying to balance HIPAA obligations to protect data and avoid a breach, and the covered individual’s right to access their ePHI.
HHS HIPAA Professional FAQs 3009, 3010, 3011, 3012, and 3013 provide important insight into what liability the covered entity has for the app’s use or disclosure of ePHI, whether the covered entity is liable for sending ePHI to an app using an unsecured method, and if a covered entity can refuse to disclose ePHI to an app based on concerns about how the app will use or disclose the ePHI. Additionally, HHS provides guidance on the relationship between the covered entity and the app developer, including which entity is liable under HIPAA and when a business associate agreement is required. Download the InfoBrief for a summary of the guidance and frequently asked questions.
DOWNLOAD THE INFOBRIEF: How Health Apps and Fitness Trackers Impact Employer HIPAA Compliance
For the latest in benefits regulations and healthcare updates, visit OneDigital’s Compliance Confidence blog.