The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently unveiled a new website with updated guidance and resources for mobile health app developers regarding the HIPAA Privacy, Security, and Breach Notification Rules. The new Resources for Mobile Health Apps Developers site replaces OCR’s prior Health App Developer Portal.
The new site’s Health App Use Scenarios & HIPAA guidance explains, among other things, when an app developer may be acting as a business associate of a covered entity under HIPAA. A Mobile Health Apps Interactive Tool, developed by the Federal Trade Commission in conjunction with OCR and other federal agencies, is intended to help developers of mobile health apps understand which federal laws and regulations might apply to them. The site also includes guidance and FAQs regarding cloud computing technologies and cloud service providers, app users’ right of access to their health information, health information technology, and how the HIPAA Rules apply to application programming interfaces (APIs).
OCR previously issued guidance confirming that once a healthcare provider shares a patient’s protected health information with a third-party app that the patient is using, the data will no longer be protected by HIPAA unless the app developer is acting as a business associate of the healthcare provider.