Will Apple’s HealthKit turn the grays of HIPAA compliance into black and white? If one thing is clear, it’s that HIPAA compliance is not. But the potential for that to change is upon us. Catalyze’s cofounder Dr. Travis Good explains.
To adhere or not to adhere, that’s the question for today’s health-tech developer when it comes to HIPAA compliance. Shakespearean flair aside, addressing HIPAA has been predominantly a matter of marketing position. But with the unveiling of Apple’s HealthKit, answering that question may transform from an optional accolade for a developer into an imminent imperative for market survival. For as the technological landscape evolves, so does the conversation about what data deserves HIPAA protections.
HealthKit is the companion app to Apple’s Health component (a major development of its upcoming iOS 8 release), which will serve as an integrative hub for third-party health and wellness-related apps. Apple is so serious about its entry into healthcare that it has joined forces with EHR developer Epic and the Mayo Clinic to ensure it’s putting its best foot forward as it steps into the space.
What it promises to bring to the user is a singular interface that aggregates all health-related data captured from various apps and complementary wearables, opening up the possibility to share this relevant and important healthcare information with providers. What that possibility brings to providers is the ability to integrate that data with EHRs and use that data to enhance decision-making when it comes to managing the health of their populations.
What it brings to health app developers, aside from the opportunity to have those apps serve as tools for health-data collection, is the common conundrum of what to do about HIPAA compliance. It’s a problem that Catalyze’s Travis Good says didn’t begin with Apple’s HealthKit, but one that HealthKit may help bring clarity to in this often cloudy conversation.
“Developers are already split into two packs,” said Good, cofounder of the Madison, Wisconsin-based software company. “Some are proactive and follow HIPAA from the start, while others avoid it as long as possible. Tradeoffs exist with both choices. I think HealthKit, and similar platforms like the one announced recently by Samsung, are a good thing because they are likely to spur dialogue. One of the challenges with HIPAA, especially when it comes to startups and modern technologies like cloud and APIs, is that it is a very gray space. Much of HIPAA is left to interpretation, and those interpretations vary widely.”
HIPAA Help, Ready Made
Good understands the problems developers face all too well because he has been there himself. He experienced the pains of HIPAA compliance firsthand after developing his own health app. From that burden, however, an idea to aid other developers was born. After all, Good has seen the compliance issue from every angle, from tech consultant and medical student to health-tech developer. As a result, he and his cofounders Mohan Balachandran and Ben Uphoff formed Catalyze last February.
“We wanted to create an easier way for developers and enterprises to build compliant modern software for healthcare,” he said. “Our goal is to make building, running, and scaling HIPAA-compliant technology as easy as building technology for a non-compliant industry. In the process, we wanted to make healthcare more attractive to developers and innovators by solving some of the messy, domain specific problems for them.”
According to Good, he often sees two major obstacles arise for developers. One: A lack of financial resources to build and manage compliant environments. Two: A general lack of understanding of HIPAA and how it relates to modern technologies. It’s that lack of understanding that makes the emergence of HealthKit a hot button topic, as it may force developers to recognize they cannot evade the issue of HIPAA compliance if a platform like HealthKit succeeds.
What may help resolve the HIPAA compliance quandary is a deeper definition of what requires HIPAA protections. To do that, a more expansive classification of what is recognized as personal health information (PHI) may be required. Health and Human Services (HHS) defines PHI as “individually identifiable health information transmitted or maintained in any form or medium by a covered entity or business.” According to HHS, health information includes demographic information relating to an individual’s physical or mental health or the provision of or payment for healthcare, and identifies the individual.