Digital health applications have transformed how individuals track, manage, and engage with their personal health information. For digital health app companies, understanding whether HIPAA (Health Insurance Portability and Accountability Act) regulations apply to your mobile/website application is essential for both compliance and business planning.
This post addresses when digital health apps fall outside HIPAA's regulatory scope and what that means for your digital health app.
Understanding HIPAA's Scope
HIPAA regulations primarily govern "covered entities" and their "business associates." For digital health companies, understanding these distinctions is crucial for product strategy and development.
Covered entities include healthcare providers, health plans, and healthcare clearinghouses that engage in specific electronic transactions.
Business associates are organizations that perform certain functions or activities on behalf of covered entities that involve protected health information (PHI).
When Digital Health Apps Fall Outside HIPAA
When your health app collects information directly from consumers, rather than through or on behalf of covered entities or business associates of covered entities, it generally falls outside HIPAA's regulatory framework. The Department of Health and Human Services (HHS) has provided clarity on this distinction, noting that health apps consumers use to track their own health information operate outside HIPAA unless they're created for or provided by covered entities.
Some example scenarios where a health app likely operates outside HIPAA are:
A wellness app where users track their daily health metrics
A nutrition planning app where users log their dietary choices
A mental health app providing guided meditation and mood tracking where users record their emotional state and meditation practice
A sleep tracking app that monitors sleep patterns and provides analytics based on user-input data and device sensors
A symptom tracking app for chronic conditions where users log their symptoms, triggers, and treatment responses without connecting to health providers or pharmacies
The key determining factor in whether HIPAA applies to your health app is the source and flow of consumers' health information.
Accordingly, if your health app collects health information directly from users, does not connect with healthcare providers, insurers, or other covered entities or their business associates, and does not transmit information to covered entities or business associates as part of its core functionality, then it likely operates outside HIPAA's regulatory framework.
Other Privacy Obligations
While your health mobile app, website, Internet-connected device or similar technology that receives, sends and holds consumers’ health information may not be subject to HIPAA, other privacy obligations apply.
FTC Oversight
The Federal Trade Commission (FTC) regulates privacy and security practices for digital health applications through Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. Such prohibited practices include failing to implement appropriate security measures to protect consumers’ health data and misleading consumers about your data handling practices.
The FTC has issued several enforcement actions against digital health companies for privacy violations, emphasizing the importance of transparent privacy policies, accurate representations about data usage, use of reasonable security measures, and user consent for data sharing. For example, the FTC took enforcement action against GoodRx, a telehealth and prescription drug discount provider, for failing to notify its consumers of its unauthorized disclosures of their personal health information to Facebook, Google, and other companies. In another case, the FTC took action against a developer of a period and fertility-tracking app for sharing its users' health information with outside analytics providers after promising it would keep their information private.
In addition, health applications are subject to the FTC's Health Breach Notification Rule. This rule requires companies that experience a breach of consumers' identifying health information to notify affected consumers without unreasonable delay, but not later than 60 calendar days after the breach was discovered. If the breach involves 500 people or fewer, companies must notify the FTC within 60 calendar days following the end of the calendar year. If that number exceeds 500, notice must be delivered to the FTC at the same time that notices are sent to affected consumers. Furthermore, notice to the media may also be required.
Accordingly, your business strategy must account for compliance with the FTC's privacy and security requirements.
State Privacy Laws
Many states have enacted comprehensive privacy laws that may apply to health apps. For instance, California, Colorado, Delaware, Nevada, Virginia, and Washington each impose specific obligations regarding the collection and use of personal health-related data by digital health companies not governed by HIPAA.
In the case of Florida, while Florida’s Information Protection Act doesn’t expressly address digital health apps, it requires implementing appropriate security measures for the collection and handling of personal health-related data.
Building a Security and Privacy Framework for Your Digital Health App
Protecting user health information requires a multi-layered approach that addresses every aspect of your business operation. While many companies focus primarily on technical security measures, a comprehensive security and privacy framework must also include administrative, physical, and technical safeguards working in concert. This three-pillared approach ensures that your health app not only implements strong technical protections but also maintains the organizational structure and physical security measures necessary to protect sensitive health information throughout its lifecycle.
What are Administrative Safeguards?
Administrative safeguards form the foundation of any comprehensive privacy and security program for digital health applications. These safeguards encompass the policies, procedures, and organizational structures that govern how your company protects user data. While technical controls provide the mechanisms for security, administrative safeguards ensure these controls are properly implemented, maintained, and evolved over time.
For digital health companies, implementing appropriate administrative safeguards is particularly essential as your organization scales. These measures help create a culture of security awareness and establish clear accountability for protecting sensitive health information. They also demonstrate to users and stakeholders that your organization takes data protection seriously, which can be a significant competitive advantage in the healthcare technology market.
The key to successful administrative safeguards lies in their systematic implementation and regular review. Rather than viewing them as a one-time effort, treat them as an ongoing process that evolves with your organization's growth and the changing security landscape. Some essential components of a solid administrative safeguard framework include governance and policies, employee training, vendor management, and incident response planning.
What are Physical Safeguards?
Physical safeguards are a critical yet often overlooked component of data protection in digital health applications. While many companies focus primarily on cybersecurity measures, physical security controls play an equally important role in protecting sensitive health information. These safeguards encompass all physical measures, policies, and procedures to protect your electronic information systems, related buildings, and equipment from natural and environmental hazards, as well as unauthorized intrusion.
In a hybrid work environment, physical safeguards extend beyond traditional office spaces to include remote work locations and mobile devices. For digital health companies, particularly those operating in a cloud-first environment, physical security might seem less relevant. However, the distributed nature of modern workforces actually makes physical safeguards more complex. Whether your team works from a central office, co-working space, or home office, maintaining consistent physical security standards is essential to protect user data.
Effective physical safeguards require a comprehensive approach that considers all potential physical access points to sensitive information, from server rooms to employee laptops. They should be designed to protect against both intentional threats (such as theft or unauthorized access) and unintentional risks (such as equipment failure or natural disasters). The goal is to create multiple layers of physical security that work together to protect your users' sensitive information throughout its entire lifecycle.
What are Technical Safeguards?
Technical safeguards represent the technological architecture and security controls that protect sensitive health information within your digital application. While administrative and physical safeguards create the framework for security, technical safeguards provide the actual mechanisms that prevent, detect, and respond to potential data breaches and security incidents.
For digital health companies, implementing robust technical safeguards is particularly critical as they form the primary defense against cyber threats and unauthorized access to user data. They must be both comprehensive and adaptable to address current security challenges while also being flexible enough to respond to emerging threats.
The implementation of technical safeguards requires a balanced approach between security and usability. While robust security measures are essential, they shouldn’t create significant friction in the user experience. The goal is to implement strong security controls that protect user data while maintaining the accessibility and efficiency that makes your application valuable to users. This requires careful consideration of each security measure's impact on both security posture and user experience.
Some fundamental components of a technical safeguard framework include:
Working with certified cloud service providers (e.g., SOC 2 Type II, ISO 27001 or HITRUST)
Implementing strict controls over cloud environment access
Implementing strong authentication mechanisms (e.g., multi-factor authentication, role-based access control, etc.)
Data encryption at rest and in transit
Regular security testing (e.g., penetration testing, vulnerability assessments, etc.)
Monitoring and audit logging
Data backup and recovery
Written security policies and procedures
As your health app evolves and adds new features, your technical safeguards should be evaluated and enhanced to ensure they continue to provide appropriate protection for all aspects of your application system.
Closing Remarks
While operating outside HIPAA's direct oversight may offer more flexibility, it doesn't diminish the legal and regulatory obligations of digital health companies to protect user health-related information. Privacy and security must be viewed as core elements of daily business operations and as necessary to comply with applicable data protection laws.
The information contained in this post is for general informational purposes only and is not and should not be construed as legal advice or opinion for any individual matter. You should consult your own attorney for any legal advice you may require.
If you would like to explore how Venus Caruso can assist you, reach out to schedule a free consultation using the contact form or by emailing venus@carusolawoffice.com.