A threshold question is whether you need an app to be HIPAA-compliant at all. When you are learning about new apps, the app store is a good place to start. There you will find information about how the app works, what the interface looks like, and whether the vendor claims it is HIPAA-compliant. Be aware that this label is a vendor claim, not a certification: there is no official HIPAA certification program, and features such as encrypting stored data or locking the app after a period of inactivity are only individual safeguards. Compliance depends on the whole set of administrative, physical, and technical safeguards surrounding the data, and on the vendor's willingness to enter into a business associate agreement (BAA) with your practice if it will store or transmit PHI on your behalf.
As a rule of thumb, an app should be HIPAA-compliant if you are going to use it in your practice to store or transmit patient PHI. HIPAA defines PHI as individually identifiable health information that:
- relates to the physical or mental health condition of a patient, providing health care to a patient, or payment for the patient’s health care
- identifies the patient or could reasonably be used to identify the patient
- is transmitted or maintained in any form or medium
HIPAA applies to covered entities that use or share patients' PHI, and to the business associates that handle PHI on their behalf. Covered entities include health care providers, health plans, and health care clearinghouses that electronically conduct certain transactions such as submitting billing claims. Importantly, HIPAA does not apply to health care consumers. Since patients are not covered, HIPAA compliance is not mandated for apps that a patient uses on his or her own, even if the patient submits health data to the app. However, once a psychologist receives that information from the app, it becomes PHI in the psychologist's records and is subject to HIPAA protection from that point on.
Useful apps might include those that allow patients to record their mood, exercise data, and biometric information; to look up information about illnesses or diseases; and to research medication side effects. Additionally, some apps collect more sensitive information from the patient, such as information on substance use. For example, an app may let the patient enter information related to alcohol consumption, such as triggers for problem drinking (being near a local bar, for example), and send a message through the app to the patient and/or the treating provider when the patient is near a trigger location. Note that such a feature requires the app to track the patient's location continuously, which is itself sensitive data.
Given the sensitivity of the information a user may enter, practitioners should discuss the privacy implications of using an app with the patient. If a patient wants to use an app that asks for sensitive information related to substance abuse, for example, practitioners should consider discussing who may have access to that information, where it is stored, and with whom the vendor may share it. Further, be mindful that many apps that store contact information and photos rely on cloud-based storage, which has been the subject of well-publicized security failures and should not be assumed to be secure simply because it is hosted by a large provider.
When it comes to apps that store PHI, it is good practice to encourage your patients to use only apps whose vendors make credible HIPAA compliance claims (for example, by publishing a privacy policy that states what data is collected, how it is protected, and whether it is shared or sold). But keep in mind that patients may reasonably decide that the benefit of a particular app outweighs the privacy risk of using one that is not HIPAA-compliant, and that the choice is theirs to make.