In February 2016, the Department of Health and Human Services (HHS) issued guidance in the form of “Health App Use Scenarios” (HHS Scenarios) addressing how HIPAA applies to health information that is created, managed, or organized through the use of a health app, including limited guidance applicable to health plans. (HHS Office for Civil Rights, Health App Scenarios & HIPAA (2016).)
The HHS Scenarios were intended to assist an app developer in determining when it may be required to comply with HIPAA. However, the HHS Scenarios may be instructive for employers that sponsor group health plans and wellness programs in determining whether and when the use of health apps by their employees requires compliance with HIPAA’s administrative simplification provisions (see Practice Note, Wellness Programs (6-518-5321)). (As background, HIPAA’s administrative simplification provisions include privacy, security, and breach notification requirements, as well as standards for transactions and code sets used in electronic transactions. For more information on these HIPAA compliance obligations, see the HIPAA Toolkit (7-502-6708).)