The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently published two guidance documents to aid organizations in complying with HIPAA.
The HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (the “Crosswalk”), developed in connection with the National Institute of Standards and Technology (“NIST”) and the Office of the National Coordinator for Health IT, identifies “mappings” between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”) and the HIPAA Security Rule.
The NIST Cybersecurity Framework, released in February 2014, provides a voluntary, risk-based approach to help organizations in any industry understand, communicate, and manage cybersecurity risk. At the same time, entities regulated by HIPAA are required to comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that they create, receive, maintain, or transmit.
The Crosswalk was developed with the recognition that many organizations, including those in the healthcare sector, have voluntarily adopted the standards set forth in the NIST Cybersecurity Framework. The Crosswalk compares these standards to the HIPAA Security Rule so that organizations can identify potential gaps in their security programs, better ensure compliance with the Security Rule, and improve their ability to secure ePHI against a broad range of threats.
OCR indicated that, while the Security Rule does not require use of the NIST Cybersecurity Framework, and use of the Framework does not guarantee HIPAA compliance, the Crosswalk is an informative tool that organizations can use to better manage and address security risks in their environments. The Crosswalk also reminds covered entities and business associates that mapping controls to the Framework does not replace the Security Rule's own requirement to perform a risk analysis (45 CFR 164.308(a)(1)(ii)(A)) to identify and mitigate threats to ePHI.
Health App Use Scenarios and HIPAA
The second guidance document, Health App Use Scenarios and HIPAA (the “Health App Guidance”), was posted on OCR’s health app developer portal, which we previously covered on our blog. The stated purpose of the Health App Guidance is to provide scenarios in which the HIPAA regulations might apply to mobile health applications.
The Health App Guidance lists several different scenarios, and then analyzes whether, based on the facts presented in each scenario, the app developer is a HIPAA business associate, i.e., an entity that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity or another business associate. For example, when a patient installs a health app at the direction of her doctor and uses it to send diet, exercise and weight reports to the doctor, the developer is not a business associate because it is not creating, receiving, maintaining or transmitting PHI on behalf of a covered entity or another business associate. The Health App Guidance states that, in this scenario, the consumer’s use of an app to transmit data to a covered entity does not, by itself, make the developer a business associate of the covered entity.
The Health App Guidance also advises developers that, if they are only offering services directly to consumers and collecting information for or on behalf of those consumers, and not on behalf of a health care provider, health plan, or health care clearinghouse, they likely are not subject to HIPAA as either a covered entity or a business associate.
The Crosswalk and Health App Guidance should be useful in helping HIPAA covered entities, business associates, and mobile health app developers meet their respective compliance obligations. HIPAA covered entities that simultaneously manage security obligations under non-HIPAA regulatory frameworks may find the Crosswalk useful for coordinating multiple compliance obligations without duplicating effort. OCR’s Health App Guidance provides clarity to developers that may be unaware of current or potential HIPAA compliance obligations.