Is my mobile app required to comply with HIPAA?

Last updated on 01 July 2022 by Sara Pegarella (Law school graduate, B.A. in English/Writing. In-house writer at TermsFeed)


HIPAA stands for the Health Insurance Portability and Accountability Act.

The act was passed in 1996 with the aim of protecting and keeping private the medical records and personal health information (PHI) of individuals.

"PHI" is defined as information in a patient's medical record that could be used to identify that individual and that was created or collected in the course of providing a health care service, such as a diagnosis or a treatment.

HIPAA applies to and must be followed by healthcare providers such as doctors, dentists, and pharmacies, as well as health plans such as health insurance companies, government programs, and HMOs, and finally health care clearinghouses such as health information processors.

A mobile app also falls under the scope of HIPAA if it handles and stores a user's PHI and shares that PHI with one of the covered entities listed above.


Examples of PHI include blood test results and other medical test results, billing information, prescriptions someone is on, etc.

Information that would not count as PHI for HIPAA purposes includes health data such as calories burned, weight loss data, steps taken in a workout, heart rate, and blood sugar readings, so long as no personally identifiable user information is attached to it.

Logo of MyFitnessPal app

For example, the MyFitnessPal app would not fall under the scope of HIPAA because it does not store or transmit PHI.

The mobile app allows users to track fitness data such as calories consumed in a day, and how much cardio exercise has been done. This kind of information is not considered PHI, but is considered to be "Consumer Health Information".

Screenshots of 3 screens from MyFitnessPal

Logo of Wahoo Fitness

Another example of a popular health app that does not fall under the scope of HIPAA is the Wahoo Fitness family of mobile apps. Wahoo apps track how many miles users have cycled or run, and how much weight users have lost along the way.

As with the MyFitnessPal mobile app, this data is not considered PHI for purposes of the HIPAA act.

List apps developed by Wahoo Fitness

Checklist to determine if you need to comply

Here's a quick checklist to determine if your mobile app is required to comply with the HIPAA act:

  1. Does your mobile app collect, store, or share/transmit personally identifiable health information (such as medical test results, pharmaceutical, medicine, or treatment information, or billing and health insurance information) with a health care provider or other HIPAA-covered entity?

    1. If yes, you'll need to be HIPAA compliant.
    2. If no, go to #2 below.

  2. Does your mobile app have the capability to collect, store, or share personally identifiable health information?

    1. If yes, your mobile app will need to be HIPAA compliant.
    2. If no, you do not need to be HIPAA compliant.

Examples from health mobile apps

Logo of iTriage

The iTriage health app helps users pinpoint their possible illness and get in touch with the right doctor by asking them a series of questions about their symptoms. The app stores a user's PHI and allows the user to share it with doctors, pharmacists, and others. Appointment and medication information can also be stored and managed through the iTriage app.

Because of this storing and sharing of users' PHI, the iTriage app would fall under the scope of HIPAA.

The Privacy Policy of iTriage includes a number of sections where PHI is mentioned, including the section noted in the image below that mentions HIPAA:

Health Information clause in iTriage Privacy Policy

In the "Choices and Access" section of iTriage's Privacy Policy, users are told that their PHI will not be used or shared for marketing purposes unless they opt-in to this. This lets users know that their PHI is safeguarded and not being shared without their consent:

iTriage Privacy Policy: Choices and Access clause

The "Security" section lets users know that iTriage takes steps to ensure the security of PHI when the data is transmitted or stored on the app or company servers. This is important, as HIPAA was created to protect the security of PHI, and having security in place is a requirement of HIPAA for apps that fall under its scope.

Icon of HealthTap app

The HealthTap app allows users to connect to doctors through the app via texting, video calls, and group forums and allows these users to discuss in-depth health issues and create treatment plans with real doctors, all through the app.

Screenshot from HealthTap website

The HealthTap mobile app falls under the scope of HIPAA because it collects PHI and transmits it directly to a doctor through the app.

While the basic service of the app keeps users' information anonymous and doesn't share any personally identifiable information, the premium services of the app (HealthTap Prime and HealthTap Concierge) are confidential but not anonymous. Doctors will receive access to a user's PHI and other personally identifiable information for treatment purposes.

The Privacy Statement of HealthTap includes sections on anonymity, security, and the use of personally identifiable information.

The "Security" section explicitly mentions HIPAA and lets users know that the app meets "HIPAA security standards for all interactions subject to HIPAA security regulations."

This section goes on to inform users that "HealthTap is a Business Associate of health care professionals under the federal healthcare privacy and security law known as HIPAA."

Security clause section in HealthTap Privacy Policy

"Personally Identifiable Information" is defined for users and detailed information about use and security of this information is outlined:

Personally Identifiable Information section in HealthTap

Icon of DoctorOnDemand app

The Doctor On Demand website and its mobile app let users have a video appointment with a doctor when they need it, without having to wait for hours in an office waiting room or a week to get an appointment.

Because both the website and the mobile app collect a user's PHI and transmit it directly to a doctor, both fall under the scope of HIPAA.

The Privacy Policy of Doctor on Demand makes it very clear to users by using capital letters and prominent text that the site collects and transmits personal, medical, and health-related information about its users.

Privacy Policy of Doctor On Demand: Collecting health information

There's a separate HIPAA section that lets users know that the service and Privacy Policies are designed to comply with the HIPAA act, and that further information can be found in the "Notice of Privacy Practices" section:

Privacy Policy of Doctor On Demand: HIPAA clause

Within the "Notice of Privacy Practices" section, users are informed of the responsibilities of Doctor On Demand under HIPAA, as well as what the users' rights are under the law:

User Rights in the Doctor On Demand HIPAA Notice

Users are also informed of what types of health information are collected, and how this information is used by the app. Health information such as test results, diagnoses, and medications will be disclosed for treatment. Services and supplies records are used for payment purposes, and other health information can be used to improve customer service and train staff.

How we use your information in the HIPAA Notice of Doctor On Demand

Logo of Strava

In contrast to the apps mentioned above that fall under the scope of HIPAA, the Strava mobile app records users' running and bicycle riding routes with GPS and tracks how far users run or bike.

As a result, the Strava mobile app does not fall under the scope of HIPAA.

The Privacy Policy of Strava informs users that personal information is not collected by default; however, a user can choose to enter information into the app such as what equipment is being used, what bike routes the user wants to map out, and other details such as a name, zip code, and email address.

None of this information qualifies as PHI under HIPAA.

Type of Personal Information Collected by Strava

Strava still has a section on data transmission security ("SSL"), but it deals with the protection of credit card information and protecting home address information rather than keeping PHI secure.

SSL and Security Clause in Strava Privacy Policy

In sum, if your mobile app deals with the collection, use, and storage of personal health information of users, such as medication, results of medical tests, and treatment plans, and transmits this PHI to an entity that falls under HIPAA (such as a doctor, dentist, or insurance company), your business and the mobile app must be HIPAA compliant.

If your mobile app only deals with consumer health information, such as tracking workout progress by calories burned, pounds lost, miles run, or hours slept, it will not need to comply with the HIPAA act's requirements.


This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.