Healthcare App – Do they need to be compliant?


It’s January 2017 and many consumers like me will be setting New Year’s resolution(s). Why? Because it’s the time of the year when we are at our best. The days from Thanksgiving through the 12 days of Xmas to the last seconds before the new year ticks in (the Times Square, NY City ball drop) are the times when we enjoy it all.

So it’s no surprise that most people are thinking about their own health. For example:

  • I got to reduce my A1C
  • I got to change my lifestyle
  • I got to reduce my high blood pressure
  • I need to exercise, etc.

So, what do we do? Like most people, we search on the internet, do some preliminary research and download a healthcare app on our smartphones.

Is this healthcare app subject to HIPAA? That depends on whether the app is creating, receiving, maintaining or transmitting PHI to the provider. Let’s look at 3 scenarios:

  1. People download the app on their smartphones. The app allows them to enter their health information and/or download their eHR.
  2. A provider recommends an app to download to monitor patient health.
  3. A provider recommends an app to download to monitor patient health, and the provider organization or the payer has contracted with the software company.


There could be many other scenarios, but in general apps that are offered in conjunction with the provider or payer organization are the most likely to be HIPAA compliant. Why? Because the software app is creating, receiving, maintaining and/or transmitting health information on behalf of the covered entity, and so the software company is more than likely complying with the HIPAA rules as a Business Associate.


For consumers like us, what are the laws, and which of them apply to a mobile health app? The Federal Trade Commission has information on its web site providing guidance as to the applicable laws: HIPAA, the Food, Drug and Cosmetic Act, the FTC Act, and the FTC Health Breach Notification Rule. But for a software developer, sound privacy and security practices are key to building confidence with consumers.


Remember, when we download an app we hardly read the fine print before we say “I agree”. But when it comes to a healthcare app, the key is to read the fine print, determine whether the app is HIPAA compliant, and then make the decision. An oversight or negligence could be the difference that compromises our PHI.


At MindLeaf we have been protecting patient privacy by ensuring the developers/providers have the right procedures and policies to be HIPAA compliant. For the providers and the developers, we conduct a breach security survey (with Intel Life Sciences) to gauge their cybersecurity against the industry.


Paresh K. Shah

Labels: HIPAA Privacy