The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects working Americans and their family members who have medical problems by helping them obtain and keep medical coverage. A final Privacy Rule was published in December 2000 and later modified in August 2002; this is the portion most people think of when they hear the term HIPAA. The Rule set national standards for the protection of an individual's health information held by health plans, health care clearinghouses, and health care providers, mandating that medical records be kept under lock and key and made available only on a need-to-know basis. It also gave patients greater access to their own medical records.
The U.S. Department of Health and Human Services (HHS) also published a final Security Rule in February 2003, setting national standards for protecting the confidentiality and availability of electronic protected health information. HHS later enacted a final Omnibus Rule that implements a number of provisions of the HITECH Act.
As access to healthcare information becomes necessary to feed mobile healthcare applications (apps), HIPAA privacy needs to be embraced by app developers. In February 2016, HHS released "Health App Use Scenarios & HIPAA," which states that while only health plans, health care clearinghouses, and most health care providers are covered entities under HIPAA, a person or entity that is not a covered entity may still be a business associate if it creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity or another business associate. In that case, it is required to comply with certain provisions of the HIPAA Rules.
"Even if an app touches an EHR or interfaces with a covered entity, if the app is not commissioned by or funded by or it's not built on behalf of a covered entity, then based on the guidance given by HHS, it doesn't fall under HIPAA because the customer's the one downloading it," said Jason Wang, founder and CEO at TrueVault, a HIPAA-compliant API and cloud data store for healthcare software applications.