The US Department of Health and Human Services (HHS) recently released guidance on what providers should know about HIPAA compliance and apps. According to a report by the Iqvia Institute for Human Data Science, more than 318,000 health apps are available worldwide and about 350 consumer wearables are on the market. The report also found that about 26% of providers have adopted the use of an app for patient wellness and 13% for condition management.
But what liability do apps potentially pose for practices? If an app is developed on behalf of a doctor’s office and given to patients or used in-house, the practice can be liable for breached information. There would be no liability for a practice, say, if a patient with diabetes asks a doctor for ideas on how to lose weight and the doctor recommends a step tracker and calorie counter app that can be downloaded to the patient’s phone. But liability could result if a doctor recommends an app created for the practice that winds up exposing PHI.
“It’s like hiring someone as a business associate to do something with data,” said Brian Reed, Chief Marketing Officer of the Chicago-based app security testing firm NowSecure. “If you are sharing data with someone else you have hired and paid for services, that makes them a business associate.”
With any apps used within a practice or given to patients, business associate agreements should be put in place with the supplying vendor, he said.
From the courts
In January, HHS offered guidance based on a Washington DC court case that dealt in part with the question of whether a HIPAA-covered entity must give PHI to a third-party app upon a patient’s request. The answer was yes. Generally, if a patient requests that a provider send information to an app – even if the doctor does not know whether the app is secure – the practice is required to send it. A practice also has to send the information even if the patient requests it in an unsecured method, like personal email. Although this may cause trepidation among providers, HHS does give some reassurance: if the request is made by the patient, the information is no longer subject to HIPAA regulations once it leaves the practice, the department said.
Even if a physician is not liable, it is good practice to caution patients on the risks of sending PHI to unsecured apps, according to HHS and some experts. Robert Grant, chief compliance officer and co-founder of the Compliancy Group in Greenlawn, New York, advises providers not to encourage patients to use apps that may not be secure. “The physician has enough to worry about with protections inside their own house,” he said. “They don’t need to worry about what someone else is doing with their technology.”
But doctors’ use of in-office apps can result in liability if that use results in a breach of PHI. Many apps that providers use within a practice to obtain information or access health records are secure, Reed said. These apps seldom become infected with malware, so breaches are unlikely, but he cautions physicians never to transmit PHI on public apps such as Evernote or Google Docs.
“When you look at the 4 million-plus apps in app stores, about 70% leak personal information,” Reed said. “That may be a user ID or password or other unique information, or it could be a patient account number or credit card number.”
Some of this data leakage could violate HIPAA. If providers want to use an app like Slack or WeChat that is not designed for a medical setting, they need to have documentation from vendors that the app is safe to use in a practice.
As with any Web software a practice puts in place, providers need to verify as best they can that apps they are using or offering patients are HIPAA compliant. The absence of a central registry that can tell providers if an app is HIPAA compliant remains a challenge, Reed said. “The first thing to know is, don’t assume apps are safe and certified unless they are labeled that way,” Reed said.
Healthcare delivery apps should be certified by a vendor, but if doubts remain about the ability of an app to keep PHI safe, a security and privacy audit by a third party should be performed to ensure the app is not “leaking data,” Reed said.