As a business associate, the app developer has regulatory obligations
and is directly liable under HIPAA if it uses or discloses PHI in
a manner not authorized by the business associate agreement,
required by law, or otherwise permitted under the HIPAA privacy
rule. The app developer also is directly liable if it fails to either:
Safeguard electronic PHI under the HIPAA security rule (see
Practice Note, HIPAA Security Rule (5-502-1269)). Notify the group health plan of the discovery of a breach of
unsecured PHI (see Practice Note, HIPAA Breach Notification Rules
for Group Health Plans (1-532-2085)).
Under HIPAA’s regulations, an employer group health plan also
has its own HIPAA compliance and breach notification obligations.
However, before entering into a business associate agreement
with a health app developer, it is best practice for the group health
plan to conduct due diligence to ensure that the app developer
has mechanisms in place to protect participants’ PHI consistent
with HIPAA. For example, this may include requesting the health
app developer’s most recent risk analysis and risk management
plan conducted under HIPAA’s administrative safeguards and
implementation specifications (under 45 C.F.R. Section 164.308).
The plan also may request information about the encryption
mechanisms used by the health app developer to protect the
security of electronic data and secure transfer of health planrelated
data (see Practice Note, HIPAA Enforcement and Group
Health Plans: Penalties and Investigations: Examples of Resolution
Agreements (2-519-1055)).
Additionally, a group health plan should consider including in
the business associate agreement an audit provision giving it the
right to review or request proof of ongoing HIPAA compliance
mechanisms (see Standard Document, HIPAA Business Associate
Agreement (3-501-6706)). These steps will help ensure the security
of electronic PHI, prevent breaches, and avoid potentially expensive
enforcement settlements following an HHS investigation.
