Is HIPAA Omnibus Good for mHealth Developers?


This is a really good question. If you’re not sure of HIPAA omnibus, you might check out this video where Rita Bowen discusses HIPAA Omnibus.

The article linked above suggests that HIPAA omnibus is good because it narrows when you have to disclose a possible breach (i.e., a lost or stolen laptop that was encrypted probably wouldn't need disclosure) and that PHR software doesn't fall under HIPAA unless it's run by a health plan or healthcare provider.

I guess I agree that in some limited ways this is helpful for mobile health developers. However, the implications for business associates are the big part of HIPAA omnibus that should have many mobile health developers concerned. Before HIPAA omnibus, the covered entity (a healthcare provider) held liability for any breach. However, under HIPAA omnibus, the business associate shares that liability.

While it's true that some mobile health applications won't be considered a business associate, many more will be. If this is the case for your application, you'd better make sure you're compliant with HIPAA, or you're subject to the same fines and penalties for HIPAA violations that previously applied only to the provider.

The good thing is that all of this is sketched out. Being HIPAA compliant is doable for a mobile health developer, but I’m afraid that many aren’t taking it seriously. The nice thing is that there are HIPAA training courses out there to help. I really fear for those mHealth companies that choose to do nothing.