The new world of apps

The rise in consumers who use smartphones and tablets has been accompanied by an increase in the development and use of mobile applications. Better known as “apps,” they help consumers and health care professionals gain access to information when and where they need it.

Increasingly, people are also using apps to help manage their health and wellness. For example, some apps let users monitor the number of steps they take daily and record food intake to determine calorie totals.

The growing trend presents new opportunities for psychologists to connect with patients through mobile apps in ways that could supplement the therapeutic relationship and provide additional support to patients. At the same time, this new world also requires that providers be educated and aware of the rewards and potential problems with using apps.

This article highlights several important considerations. The overarching issue of compliance with the Health Insurance Portability and Accountability Act (HIPAA) is discussed below. Beyond HIPAA, the following questions and answers address additional considerations related to using apps for your practice and with your patients as an adjunct to treatment.

Health care professionals and consumers can go to the “app store” for their specific device and download many apps for free or purchase. When you are looking at apps and before you download one, you often get to see what types of information the app may collect on its own (separate from the data that you or a patient would enter).

When downloading an app on an Android device, a screen will pop up that displays the “permissions” you grant the app when you install it. To complete the download, you must hit OK to accept the permissions. Many apps will display a broad array of permissions, such as “your personal information” or “network communications.” It is important to look at the fine print under these categories to determine the extent of information an app may be able to collect from your smartphone or tablet—such as reading your contact data or your web browser’s history.

While using apps may expose you to potential privacy intrusions, it is important to balance the benefits you may get from the app against the potential privacy risk. It is not logical to avoid downloading apps altogether; however, it is important that you make sure the app truly requires the permissions requested.

For instance, an app that works like a dictionary to provide information on different mental health diagnoses is unlikely to require the ability to send text messages.

If you become concerned about an app you already have downloaded, keep in mind that most devices will allow you to access the permissions areas of your apps through your menu screen. Look at the apps you have downloaded, and if any concerns you, simply uninstall it from your device.

To be user-friendly and convenient, some applications will save your login information so that you do not have to log in to the app every time you want to access it. But this makes it easy for anyone gaining access to your phone or tablet to possibly gain access to HIPAA-protected information.

It is important to make sure that, for any app that may access protected health information (PHI), the settings require you to provide login credentials each time you enter the app. If your app will collect or transmit patient information, the best ways to protect mobile devices from breaches are to have them password-protected and encrypt them in accordance with HIPAA’s technical standards. Under the breach notification rule in HIPAA, if a mobile device’s encryption meets HIPAA standards and is lost or stolen, then there is no breach and the patient(s) do not have to be notified.

Another way to protect mobile devices is to install a remote wiping/disabling program. Such a program allows users to quickly clear and disable a lost or stolen mobile device, which may prevent or reduce the likelihood or magnitude of breaches.

There are countless available apps that may be useful for your practice. Some basic apps that you may want to consider if you are using a smartphone, tablet, or mobile device to send or receive patient PHI are:

• Locator app
  These apps help locate your phone if it is lost or stolen. They can be particularly beneficial if you have lost your phone or tablet in your office or car since these apps can help prevent your having to wipe the phone clear of all data. This functionality could save you considerable time because you will not have to recreate or restore your data later.
• Remote wiping application*
  Many of the phone platforms (Apple and Android) offer some type of remote wiping capability. This kind of application will allow you to remotely delete all information on your phone should it be stolen or lost.
• Encryption application*
  There are many cloud-based applications you can use to encrypt the data that is being transferred to and from your device. Even so, you also need to protect information that is downloaded or resides on your device itself. Using an encryption app can be helpful if you download any PHI to the device itself. The cost associated with encryption apps varies and may involve a one-time or monthly fee.
• Recordkeeping app
  Note-taking or recordkeeping applications that meet HIPAA requirements for encrypted data may be a useful option for many psychologists. These apps allow psychologists to take notes and potentially scan images into files that can be backed up and organized by patient. Such apps can be particularly useful for those psychologists who work in rural areas or those who use tablets in their practices. Many of these applications have a fee associated with them. If you are utilizing an electronic health record (EHR), a separate recordkeeping app is not necessary.
• Apps that connect tablet/smartphone to your EHR or office management software remotely
  Many EHR and office management systems will have an application that can be used in conjunction with the software on your desktop computer or laptop. These applications will allow you to access your EHR or office management software from remote locations if necessary or in emergencies.

Certain apps have been developed for use in conjunction with therapy or treatment with a medical or mental health professional. Two such examples are PTSD Coach and CPT Coach (CPT in this case refers to Cognitive Processing Therapy), both of which were developed by the Department of Veterans Affairs (VA). The VA has been leading the way in developing mobile apps that merge clinical and patient-oriented mobile health.

• PTSD Coach provides the consumer with resources meant to be used together with professional treatment. These resources include information on posttraumatic stress disorder (PTSD) and treatments, tools for the patient to track symptoms, tools to help consumers handle stress symptoms, and links to support. This app and its resources are a supplement to the treatment that the consumer receives from a health care professional and can be valuable when a patient is dealing with symptoms of PTSD but is unable to see his or her psychologist quickly.
• CPT Coach is a mobile app that serves as a companion to CPT therapy and is meant to assist the consumer and provider as they work through the CPT treatment manual. Neither CPT, nor this application, is a self-help tool. CPT Coach is geared toward patients with PTSD and includes features such as the ability to track symptoms of PTSD, tools to keep track of tasks assigned by a psychologist between sessions, homework assignments, and worksheets that can be completed between sessions and a reminder system for appointments.

The National Center for Telehealth and Technology is another source of apps that can supplement the therapeutic relationship. Two examples of apps from this source include:

• T2 Mood Tracker, available through both Apple and Android, includes a full range of mood scales. Consumers can rate their moods and the results will show in graph form. They can also generate a report allowing them to share the results with you.
• Tactical Breather, also available through both the Apple and Android platforms, was developed to help the consumer gain control over psychological and physiological responses to stress.

It is important to note that apps currently on the market are not intended to supplant therapy. Rather, they can be useful tools to supplement the therapeutic relationship and provide extra feedback to the consumer and health care professional about what is happening between treatment sessions.

If a provider wishes to use or recommend any apps to a patient, it is important to try to discern if the app has undergone any specific vetting process.

The use of behavioral health applications as an adjunct to therapy is an emerging field, and there are limited resources that detail the app development and validation processes. The most rigorous of these processes are presently being funded by the federal government (several may be found by searching ClinicalTrials.gov) and undertaken by various research institutions.

Meanwhile, practitioners can talk with colleagues about apps they may use to supplement therapy with their patients, read relevant research about mobile applications and therapy, and research different apps available through app stores to determine if they would be useful for you or your patient.

There are many lists of available apps. For example, the federal government has several different agencies that provide information on mobile applications. Additionally, APA has developed a number of apps that help practitioners access useful research, journals, and articles.

Nielsen data from 2014 shows that U.S. smartphone users 18 and older spend 65% more time using mobile apps than they did two years earlier. The average amount of time spent using apps during a month had increased to just over 30 hours. Adults aged 24 to 44 use the greatest number of apps—29—per month on average. However, 18 to 24-year-olds spend the most time on app—37 hours per month.

Another report by Nielsen indicated that almost one-third of mobile phone users, approximately 46 million people, in the U.S. used fitness and health apps in January 2014.

A threshold question is whether you need to make sure that an app claims to be HIPAA-compliant. When you are learning about new apps, the app store is always a good place to look. There you will find information about how the apps works, what the interface looks like, and if it is HIPAA-compliant—which typically means that the data is encrypted and/or the application locks after a period of inactivity.

As an important rule of thumb, an app should be HIPAA-compliant if you are going to use it in your practice to store or transmit patient PHI. HIPAA defines PHI as information that:

• relates to the physical or mental health condition of a patient, providing health care to a patient, or payment for the patient’s health care
• identifies the patient or could reasonably be used to identify the patient
• is transmitted or maintained in any form or medium

HIPAA applies to covered entities that use or share patients’ PHI. Covered entities include health care providers and health plans that electronically conduct certain transactions such as submitting billing claims. Importantly, HIPAA does not apply to health care consumers. Since patients are not covered, HIPAA compliance is not mandated for apps that a patient uses, even if the patient submits data to the app. However, once a psychologist receives that information from the app, the PHI becomes part of the psychologist’s files and subject to HIPAA protection.

Useful apps might include those that allow patients to record their mood, exercise data, and biometric information; to look up information about illnesses or diseases; and to research medication side effects. Additionally, there are apps that may collect more sensitive information from the patient, such as information on substance use. For example, an app may allow for the patient to input information related to alcohol consumption such as problem drinking behavior triggers (being near a local bar, for example) and send a message through the app to the patient and/or treating provider if the patient is near a trigger area.

Given the sensitivity of information a user may input, practitioners should discuss privacy issues with the patient related to using apps. If a patient wants to utilize an app that asks for sensitive information related to substance abuse, for example, practitioners should consider discussing who may have access to that information and where that information may go. Further, be mindful that many apps that store contact information and photos use cloud-based storage systems which recently have come under scrutiny for not being as secure as they were once considered.

The takeaway

When it comes to apps that store PHI, it is good practice to generally encourage your patients to use only HIPAA-compliant apps. But keep in mind that patients may find it beneficial and worth the potential privacy risk to use certain apps that are not HIPAA-compliant.