There are plenty of obvious compliance issues presented by healthcare’s move toward mobile technology. This recent article from Mobi Health News points out one of the less blatant struggles that many health facilities face.
The [HIPAA] Privacy, Security, and Breach Notification Rules can be a daunting challenge. Sometimes, the biggest question facing mobile application developers is not how to comply with (or make sure users are complying with) HIPAA, but rather whether HIPAA even applies.
It seems that the twisting and complex labyrinth that is HIPAA compliance has more backdoors, pitfalls, and secret exits than anyone could have predicted. The good news is that many mobile software efforts may not even fall under HIPAA’s compliance jurisdiction. The bad news is that it can be very tricky figuring out what side of that line you fall on.
In the article, Adam Greene explains that, “The HIPAA Rules only apply to HIPAA ‘covered entities’ and their ‘business associates.’ They do not apply to health care consumers or to other types of entities.” This means that the people who have access to the software are the first determinant of whether or not HIPAA compliance applies to your software. He explains further that:
A mobile application developer will need to analyze whether the software will be used by a covered entity, such as a physician, hospital, or health plan, and whether it will include any protected health information: individually identifiable information about health, health care services, or payment for health care services. An application that assists a physician with following up with patients would need to be designed to allow the physician to comply with HIPAA. Likewise, a mobile application for use by health plan employees to obtain an individual’s enrollment information remotely would need to be designed in accordance with HIPAA.
The take-away here is that health facilities can distribute software that monitors medication schedules, important general health information, and other information, so long as it is not directly linked to any “covered entities.” Obviously, this is a complicated matter that should not be tackled without a lot of thought and research, but it is good to know that – on the surface, anyway – HIPAA is not preventing health facilities from helping the public get the best medical information possible.
Pam Argeris is a thought leader in the healthcare industry and possesses extensive, hands-on experience with CMS compliance and multiple regulatory bodies such as NCQA, JCAHO, and DOI. In her role at Merrill Corp., Pam focuses on developing solutions for compliance and quality assurance, delivered in a cost-effective manner to improve beneficiary and prospect communications. You can contact Pam at Pamela.Argeris@merrillcorp.com.