US Regulatory Considerations Applicable to Digital Health Providers and Suppliers

October 18, 2021, by administrator

In Part I, we provided a high-level overview of Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its provisions. In Part II, we discuss how HIPAA is applied to mobile health (mHealth) application developers, as well as examine additional privacy issues and considerations that non-US companies should keep in mind.
If a Covered Entity is the developer of a mobile application (“app”) and the app uses Protected Health Information (PHI), HIPAA will apply and will govern the creation, receipt, maintenance and transmission of PHI by the app (unless the PHI was acquired pursuant to a HIPAA-compliant patient authorization specifically releasing the data to the app developer).

If the app developer is not a Covered Entity, a key consideration is if the developer is acting as a Business Associate of a Covered Entity or is a subcontractor of a Business Associate. In other words, does the app developer create, receive, maintain or transmit PHI on behalf of a Covered Entity or Business Associate?

Key Questions

  • Does the mHealth app create, receive, maintain or transmit PHI?

  • What types of entities or individuals are the ultimate users of the app?

  • Who are the app developer’s clients? How is the app funded?

    • Are the app developer’s clients Covered Entities, such as hospitals, physician practices, clinics, urgent care facilities, pharmacies, clinical or diagnostic laboratories or other health care providers?

    • Are the app developer’s clients health plans, health insurance carriers, or health or wellness programs related to an employer-sponsored health plan?

    • Was the app developer hired by, or paid for services or products by, a Covered Entity, or by another entity that has contracted with a Covered Entity?

  • Does an entity with whom the app developer is contracting direct the developer to create, receive, maintain or disclose PHI?

Direct-to-Consumer (DTC) Applications

If the app developer is offering services directly to consumers and collecting health information from consumers or on their behalf (i.e., a DTC offering), and not on behalf of a Covered Entity or other healthcare provider, the app is likely not subject to HIPAA.

Key Questions

  • Is the app independently selected by a consumer?

  • Does the consumer control all decisions about whether to transmit his or her health information to a third-party, such as to a healthcare provider or health plan?

  • Does the developer have any relationship with a healthcare provider, health plan or other Covered Entity (other than an interoperability relationship)?
If the mHealth app is developed by or for a Covered Entity, the mHealth app developer may be required to comply with HIPAA’s Privacy, Security and Breach Notification Rules.

Privacy Rule

A Covered Entity is permitted, but not required, to use and disclose PHI without patient…