Executive Summary - March 2016
To Be or Not to Be: HHS OCR Publishes New Guidance on Business Associate Qualification for App Developers in the Health Care Industry
Rebecca Merrill (Dentons US LLP, Atlanta, GA and Boston, MA)
On February 11, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) published guidance clarifying when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to mobile health application developers. In an effort to address app developer demand for an understanding of when and how HIPAA applies to a developer’s product concept, the new use case guidance issued by OCR provides a deeper look into the issues of patient-generated data and covered entity interactions with app developers. A better understanding of applicable requirements empowers developers to design the security infrastructure of an app product in accordance with HIPAA security requirements, rather than undertaking a redesign of an existing product to overlay the security requirements. This Executive Summary provides a summary of the six use case scenarios and clarity on app developer obligations under HIPAA.
We would like to thank the author for sharing her expertise with her colleagues.