Should I be HIPAA compliant?

HIPAA (the Health Insurance Portability and Accountability Act) compliance is mandatory for web and mobile applications that access, collect, share, and/or use individuals' health-related information, such as diagnosis, treatment, physical condition, well-being, addictions, etc., when the organization behind the app is a HIPAA covered entity or a business associate of one. There is no official HIPAA "certification": compliance is a legal obligation you demonstrate, not a badge you are issued. In this article, we'll guide you through the official U.S. government test to determine whether your business needs to comply with this federal law.

If the services you offer are listed below, you should take the test, because it is likely that your entire production chain, including suppliers and subcontractors, will need to meet the requirements of this United States federal law:

  • Tracking or monitoring of individuals' physical condition, activity, diet, mood, sleep, menstruation, fertility, tobacco, alcohol, or drug use.

  • Utilization and exchange of medical records or health insurance claim data; access to information from doctors, clinics, or health plans.

  • Synchronization with health platforms or devices that track the items mentioned above.

  • Diagnosis or treatment of a disease or health condition, or recording information that could be relevant to reach such conclusions.

If you're uncertain whether you are obliged to comply with HIPAA, the step-by-step guide below walks you through the official test published by the United States Federal Trade Commission (FTC). It will clarify whether your business needs to adhere to the regulations that safeguard individuals' privacy and health information, and help you avoid civil penalties that can reach 1.5 million dollars per year for each violated provision (a ceiling HHS adjusts for inflation).

What does HIPAA Compliant mean?

Being HIPAA compliant means adhering to the Health Insurance Portability and Accountability Act of the United States, enacted in 1996, and the rules issued under it. It obliges organizations to protect individuals' protected health information (PHI) and to apply administrative, physical, and technical safeguards to every process that touches it.

The HIPAA rules set standards for the use and disclosure of health information that, under U.S. law, must be protected. The Department of Health & Human Services (HHS) issues the regulations, while its Office for Civil Rights (OCR) enforces them.

Any public or private entity that is a HIPAA "covered entity" (health plans, health care clearinghouses, and health care providers that transmit health information electronically) is subject to HIPAA. So are their suppliers, business partners, and any other part of the production chain that comes into contact with patients' information on their behalf; HIPAA calls these "business associates".

What is HIPAA Compliance?

HIPAA compliance involves three main activities in the handling of patients' protected health information (PHI):

  • Collection: If the digital product collects health data that can be linked to an identifiable individual, such as symptoms, conditions, treatment, or diagnosis, it collects PHI, and you must ensure that the data reaches your server securely.

  • Storage: Whether on your own servers or a third party's, you must secure the information you store in line with the HIPAA standards, and keep those safeguards current as the technology changes.

  • Transmission: The "journey" of PHI must also be secured and encrypted, whether it travels between servers, by email, through forms, or by any other digital transfer method.

Who needs to be HIPAA compliant?

When the law was introduced in 1996, its obligations applied only to "covered entities": health plans (including insurance companies and health maintenance organizations, HMOs), health care clearinghouses, and health care providers such as doctors, hospitals, and pharmacies that transmit health information electronically. These were considered the only individuals and entities that would have access to protected health information (PHI).

The HITECH Act of 2009 and the Omnibus Final Rule that implemented it in 2013 expanded the scope and rigor of HIPAA. Companies that create, receive, maintain, or transmit PHI on behalf of a covered entity became directly liable for compliance and were classified as "business associates". This category includes:

  • Medical record transcription services.

  • Software companies that provide online health records for medical purposes.

  • Companies that process and analyze medical data, and generate reports.

Should I be HIPAA compliant?

To determine whether your company needs to comply with HIPAA, we reproduce the official test from the U.S. Federal Trade Commission (FTC), its Mobile Health Apps Interactive Tool, developed together with HHS OCR, the Office of the National Coordinator for Health IT (ONC), and the FDA. Read each question, answer it, and follow the instruction next to your answer to the next question. Note that the tool goes beyond HIPAA: questions 7 to 10 concern FDA medical device regulation, questions 11 and 12 the FTC's Health Breach Notification Rule, and questions 13 to 15 COPPA.

  • Question 1: Does your app collect, share, use, or maintain health information?

    • YES: go to question 2.

    • NO: go to question 11.

      You probably do not need to comply with HIPAA, but the FTC Act and any state privacy laws in your jurisdiction may still apply to you.

  • Question 2: Does the information the app collects fall within the HIPAA Rules' definition of "individually identifiable health information"?

    • YES: go to question 3.

      This is health information that identifies a person, or could reasonably be used to identify them, even after obvious identifiers such as name and insurance number have been removed. A combination of age, gender, place of residence, diagnosis, treatment, and symptoms can be enough.

    • NO: go to question 7.

      Seek advice anyway: even if the health information you handle is not identifiable, laws such as the FD&C Act or the FTC Act may still apply to you.

  • Question 3: In your business...

    • 3a. Do you offer health plans?

      • YES: go to question 4a. You are probably a HIPAA covered entity and need to comply.

      • NO: go to question 3b.

    • 3b. Are you a health care provider, such as a doctor, dentist, psychologist, hospital, health care clinic, or pharmacy?

      • YES: go to question 4a. You are probably a HIPAA covered entity and need to comply if you transmit health information electronically in connection with HIPAA standard transactions, such as claims.

      • NO: go to question 4a.

  • Question 4: In your business...

    • 4a. Do you develop, offer, or sell any certified health information technology?

      • YES: go to question 4b.

      • NO: go to question 4b.

    • 4b. Do you enable electronic health information exchange among more than two unaffiliated parties?

      • YES: go to question 5.

      • NO: go to question 5.

  • Question 5: Do consumers need a prescription to access your app?

    • YES: go to question 7. You probably need to comply with HIPAA.

    • NO: go to question 6.

  • Question 6: Are you developing, offering, or operating an app on behalf of a HIPAA covered entity (such as a hospital, doctor's office, health insurer, or a health plan's wellness program)? Or are you acting as a subcontractor to another entity that provides services to a covered entity?

    • YES: go to question 7. You are probably a HIPAA business associate and must comply with the regulations.

    • NO: go to question 7.

  • Question 7: Is your app intended to diagnose diseases or other conditions, to cure, mitigate, treat, or prevent diseases, and/or to affect the structure or any function of the body?

    • YES: go to question 8. Your app may meet the FD&C Act definition of a medical device and therefore fall under FDA regulation. Questions 7 to 10 decide the FDA question, not the HIPAA one; whether you are a covered entity or business associate was settled in questions 3 to 6.

    • NO: go to question 11.

  • Question 8: Is your app solely intended for administrative support in a health care facility, promoting a healthy lifestyle, serving as an electronic patient record, transferring, storing, converting formats, or displaying data, and/or providing limited clinical decision support to a health care provider?

    • YES: go to question 11. Software functions of these kinds are generally excluded from the FDA's definition of a medical device (21st Century Cures Act), so the FDA does not regulate them as devices. This does not change your HIPAA status.

    • NO: go to question 9.

  • Question 9: Does your app pose a "low risk" to patients, for example by helping people self-manage a disease or condition or by automating simple tasks for health care providers?

    • YES: go to question 11. The FDA considers such apps low risk and exercises enforcement discretion, so it does not expect them to meet device requirements. This says nothing about HIPAA, which depends on your answers to questions 3 to 6.

    • NO: go to question 10.

  • Question 10: Does your app include a device software function that requires FDA oversight?

    • YES: go to question 11. Your app is probably a medical device regulated by the FDA, in addition to any HIPAA obligations you already identified.

    • NO: go to question 11. If you are unsure, email digitalhealth@fda.hhs.gov to determine whether your app is subject to FDA regulation.

  • Question 11: Is your app for use by consumers?

    • YES: go to question 12. If you are not a HIPAA covered entity or business associate, the FTC's Health Breach Notification Rule may apply to you instead.

    • NO: go to question 12.

  • Question 12: Does your app collect, receive, or maintain identifiable health information for consumers; access health information in personal health records; send health information to personal health records; offer products or services through the website of an entity that maintains health records for consumers; and/or provide services to an entity that maintains health records for consumers?

    • YES: go to question 13. You may be a vendor of personal health records (PHR), a PHR related entity, or a third-party service provider to one, and the FTC's Health Breach Notification Rule, which covers entities that are not subject to HIPAA, may apply to you.

    • NO: go to question 13.

  • Question 13: Is your app intended for children?

    • YES: you have completed the form.

      If your target audience is children under 13 years old, you must comply with the Children's Online Privacy Protection Act (COPPA). For more information about the regulations, email CoppaHotLine@ftc.gov.

    • NO: go to question 14.

  • Question 14: Does your app use child-oriented activities, incentives, design, music, or the like?

    • YES: you must comply with the Children's Online Privacy Protection Act (COPPA). For more information about the regulations, email CoppaHotLine@ftc.gov. You have completed the form.

    • NO: go to question 15.

  • Question 15: Do you have actual knowledge that children are using your app?

    • YES: you must comply with COPPA's privacy protection regulations. You have completed the form.

    • NO: you have completed the form.