HIPAA and mHealth Apps 2013

There are nearly 6000 health apps in the marketplace today.  Most are not HIPAA compliant, but if you are a healthcare provider or health plan and intend to use one in the care of your patients, HIPAA compliance is likely required.

HIPAA compliance ensures that patient health information is available only to those who are entitled to access it. But more than that, it implies an organizational culture that considers patient privacy at every level of its operations.


If you are considering adding smartphone technology to your patient engagement strategy and you choose to engage a third party to provide the solution (buy vs. build), you will need to have your vendor sign a Business Associate Agreement that extends the standards under which you operate to your technology partner.  Beyond that, do your homework and ask some additional questions during your evaluation:

1.  Do you have a documented Privacy Policy and Privacy Standard Operating Procedures?

2.  Who is your Security Officer and Compliance Officer?

3.  What are the sources of ePHI in your solution?

4.  Who has access to this ePHI in your organization?

5.  What is the privacy training history of these persons?

All of these items are required to be documented.  Since the HIPAA Final Rule published in January made some significant modifications to the regulatory scheme, especially an expanded definition of business associate and the reporting requirement for certain suspected breach events, Covered Entities and Business Associates must follow not only the letter of the law but also the spirit of it.  According to Patricia Shea of K&L Gates, “Breaches will happen, the regulators acknowledge this.  But the subsequent fines and penalties will be influenced by the documentation maintained by the breaching party.  Those parties that are able to ‘Show Us Your Work’ will be treated much more favorably by the enforcement officials.”

Find partners who have embraced patient privacy as part of their corporate culture and have an active Privacy and Security program that provides the paper trail supporting compliance.  Then determine which of them offer applications that will engage your patients in meaningful ways, ways that will lower avoidable readmissions and raise HCAHPS scores.