Health plans are taking advantage of the digital health trend to promote employees’ active involvement in their own health (and thereby reduce health plan costs). For example, a health plan might recommend use of a health app that offers wellness tools to monitor blood pressure, achieve fitness and nutrition goals, or track overall progress toward improved health. This situation may trigger HIPAA compliance obligations, depending on the specific facts and circumstances. The issue is whether recommending use of an app creates a business associate relationship between the app developer and the health plan. If the health plan pays the app developer for use of the app and directs the app developer to create, receive, maintain, or disclose information related to its health plan participants, the app developer likely is acting as the health plan’s business associate. As a result, HIPAA would protect the health information being created, received, maintained, or transmitted by the app.

One of the HHS Scenarios describes a similar fact pattern that involves a doctor as the covered entity, rather than a health plan. In the scenario, a patient downloads an app that is recommended by his doctor to help manage a chronic condition. The patient populates the app and directs it to transmit the information to his doctor’s electronic health record. According to HHS, the information is directed on the consumer’s behalf, and this activity does not create a business associate relationship between the app developer and the doctor. A key distinction, which may apply to employer-sponsored health plans, is whether the recommendation to use the app is based on either:
Confidence that the app is a useful tool for plan participants’ independent use in pursuing healthier lifestyles; or
A paid or contractual relationship between the health plan and the app developer, which makes it more likely that the app developer is a HIPAA business associate.