Will federal privacy rules afflict Apple’s new iOS HealthKit?

Sharing your iPhone photos with others is one thing. But sharing medical information, via the new HealthKit framework for iOS 8, is a completely other thing.

In some cases, iOS developers working with HealthKit to transfer medical and fitness data to and from Apple’s companion Health app may find themselves having to cope with the strict privacy, data protection, and security breach mandates of the federal Health Insurance Portability and Accountability Act (HIPAA).

One question still unanswered is what role, if any, Apple and the iTunes App Store might have with regard to publishing apps that would fall under HIPAA coverage. Apple PR had not replied at the time of this posting to a Network World email query about this topic.

+ Also on NetworkWorld: +

Apple announced the beta release of iOS 8 this week. One key theme is a more open mobile platform that can connect easily and securely to the world around end users. [See our slideshow, ”] The new Health app is intended to act as a “dashboard” that can collect, summarize and display a variety of fitness and health data from other on-board apps and from Bluetooth-enabled third-party fitness or health devices, such as blood pressure or glucose monitors or various fitness trackers.

HealthKit is the software framework that lets apps for health and fitness share their data with the Health app and with each other. According to Apple, in one of the few HealthKit details apparently in the public domain, the iOS user “decides which data should be shared with your app.” Via HealthKit, an app can access health-related information for the user and provide information about the user without having to know details about specific, different third-party devices. Developers will have a wide range of control over these interactions. One example cited by Apple: “you could request that your app be notified whenever the user takes his or her blood pressure, or be notified only when a measurement shows that the user’s blood pressure is too high.”

Mobile devices and apps are being embraced at all levels in medicine and healthcare. HIPAA rules deal with a certain subset of these entities and with certain kinds of data shared by them. Developers specializing in apps for medical staff and healthcare institutions are already familiar with HIPAA security, privacy and data protection mandates. And in many cases, iOS developers building health-related apps for use solely by end users won’t have to worry about HIPAA.

If the data simply resides on your phone, it remains your personal data, outside of HIPAA’s purview, says Jason Wang, co-founder and CEO of TrueVault, a San Francisco startup that offers a HIPAA-compliant data storage service and application development platform. But if any of that data can be classified as “protected health information” (or PHI), then it may fall under HIPAA when it is transmitted from your iPhone or iPad to what HIPAA calls a “covered entity” — your primary care physician, a hospital or health plan – or to their “business associates” – any organization handling PHI on behalf of a covered entity, such as a pharmacy benefit manager operating a health plan’s prescription benefit.

Developers will need to ask and answer two questions, says Adam Greene, co-chair of the health information practice for Davis Wright Tremaine LLP, a national law firm, based in Washington, D.C., that specializes in business and litigation law. First, who will be using the application, and second, what information will be on the application?

“The question would be whether the app is being used by a doctor or other health care provider. For example, is it on their tablet or smartphone?” Greene says. “Where the app is used by a patient, even to share information with a doctor, it generally will not fall under HIPAA. Where the app is used on behalf of a health care provider or health plan, it generally would fall under HIPAA.”

“Protected health information” refers to information that “identifies an individual and that relates to an individual’s physical or mental health, health care services to the individual, or payment for such health care services,” Greene has written. “There are exceptions for employment records and records of educational institutions.”

Among other things, PHI can include a mobile email, text or voice message sent to patients to remind them of an upcoming appointment or test.

According to Greene, an application designed for end users is exempt from HIPAA. “[A]n application on a person’s smartphone that assists the user with following a medication schedule would not fall under HIPAA because there is no covered entity involved,” he writes. “Even if the application permitted the user to send information to her physician, the application would not be subject to HIPAA, although the information would become subject to HIPAA once the HIPAA-covered physician received it.”

[See this online version of Greene’s “HIPAA Requirements and Mobile Apps,” presented a year ago at the annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference, co-hosted by the federal HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST).]

TrueVault’s database is hosted on Amazon Web Services for redundancy and high availability. It encrypts incoming “objects” – in this case PHI data — and then periodically re-encrypts them, according to CEO Wang. Developers can simply design and build their apps as they usually do and TrueVault’s backend data protection and other features make the TrueVault-based app HIPAA secure, according to Wang.

To get an idea of how complex and extensive is HIPAA’s reach, take a look at one mobile app aimed at doctors: DocbookMD, a HIPAA-secure messaging application for Android and iOS devices and, via the Web, for Microsoft Windows PCs and OS X Macs. It creates a “secure community” of doctors, allowing them to share patient information and collaborate with colleagues.

Among other things, DocbookMD goes to great lengths to authenticate the message recipient. And the app doesn’t simply display the information on-screen, where anyone might be able to see it: instead, the doctor/user gets an alert that a new message has arrived. “Once the DocbookMD app is opened (and you have the choice to password protect your phone and the app itself), you can read the message – which never rests on the device,” according to the vendor’s website.

Here’s a summary, for the DocbookMD website of some of the other features that characterize this HIPAA-secure app:

• 256-Bit encryption, exceeding current HIPAA compliance requirements.
• All DocbookMD users are required to sign a HIPAA business agreement prior to activation.
• Sensitive content such as patient details and photos reside on DocbookMD servers, not the user’s device.
• Remote disabling of a device if it were lost or stolen.
• All messages are saved for ten years, in keeping with the recommendations of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.

Even applications used by covered entities, such as doctors and nurses at a hospital, might not be subject to HIPAA rules, if they’re not using protected health information. Greene’s example: HIPAA would not cover a mobile application that gives a nurse aggregate statistics on trends in the hospital’s influenza patients, because the statistical data has been “de-identified.” If the app let the nurse add patient-specific details, then that patient information would be covered by HIPAA rules.

IOS developers writing HIPAA-covered health apps also will have to keep abreast of changes in HIPAA and in related statues such as HITECH. Just over a year ago, the U.S. Department of Health and Human Services (HHS) announced a series of major changes to HIPAA. Among the key changes, according to this summary by Health Care Practice Group of the Atlanta-based law firm Miller & Martin:

+ Improper use or disclosure of PHI now is presumed to be a breach unless the Covered Entity or Business Associate “demonstrates that there is a low probability that the protected health information has been compromised.”

+ The definition of “business associate” under HIPAA now applies to a whole new group of entities that will all need to be compliant, for example, any subcontractor of a business associate that handles PHI.

+ Certain HIPAA privacy, security, and enforcement regulations now apply directly to business associates: any violations of these means the business associate “is subject to all criminal and civil penalties under HIPAA, which were increased significantly under HITECH.”

Apple HealthKit promises to interconnect iOS users with a wider world of specialized, highly personal data and new applications that can use that data in new ways. But it also means that iOS developers will have to be aware of the new privacy and security rules intended to protect that data.