For a time, it was easier to control what was considered PHI because the electronic means of transmitting it were limited. But now that wearables and health apps abound thanks to the proliferation of mobile devices, what is considered PHI? Is going for a three-mile run considered PHI? What about a blood pressure reading taken at home? Perhaps, if it is part of a disease management or prevention program?
Furthermore, when do these types of data sources require HIPAA protection? Apple’s Health app will communicate with providers, but if not every app is used for those communications, does an app still require HIPAA compliance simply because it is integrated via the same interface? What if a provider receives information but does not transmit information via the same application? Does that truly require HIPAA compliance? These are the questions that will have to be answered for HealthKit and platforms just like it.
“It’s hard to imagine data being collected by an app called ‘HealthKit’ being something other than ‘health information,’” said Good. “Additionally, Apple is partnering with Epic, an EHR vendor that is a business associate that works with PHI. Based on that, Apple will definitely be delving into PHI when it ‘transmits’ or ‘maintains’ health data for providers such as Mayo.”
Good explained that in this capacity, Apple is acting as a business associate, and as such, should be required to sign business associate agreements with covered entities: “Depending on the form of the relationship between Apple and Epic, Apple may also be a subcontractor of Epic. At that point, Epic should require a business associate agreement from Apple; a subcontractor is basically a business associate of a business associate. Subcontractors were defined as a part of the HIPAA Omnibus Rule included in the HITECH Act, which went into effect last September,” he said.
As a result, developers that want to leverage the advantages of HealthKit will have to think long and hard about HIPAA compliance, because covered entities will decide at their own discretion which partners have to follow HIPAA and which do not. For developers who want to take part, compliance may become an imperative, depending on how widely providers adopt these platforms.
In Apple We Trust
While this change could dishearten some developers, Good does admit that it’s too early to say whether HealthKit will succeed. It faces some of the same obstacles that platforms like Microsoft HealthVault and Google Health faced, and which ultimately caused both to fail. Consumer trust, for example, was an issue with the prior platforms. But Good says that Apple’s “Trust me, we’re Apple” approach will help convince consumers, along with its timing.
After all, a lot has changed in the last two or three years, and Apple is approaching one billion active consumer accounts with current payment methods attached and stored. Google, Twitter, and Facebook struggle more than Apple to earn trust around the storage of sensitive data, because their business models rely on leveraging that data for marketing.
Even if Apple succeeds in gaining consumer trust, consumer usage will most likely determine whether HealthKit is truly useful to providers, and thus whether app developers have further cause to design products that are HIPAA compliant. There is criticism that only the generally healthy are using or interested in health apps, which does little to serve population health management (PHM) when it comes to disease management and prevention. “It’s true that Apple products are generally used by wealthier, more educated and less minority populations,” said Good. “An Apple-only strategy in healthcare misses a huge swath of the population that cannot be missed.”
Despite all that, Good thinks that Apple’s partnerships with Epic and Mayo will give it some serious clout. When it comes to HIPAA compliance, however, it will be interesting to see whether HealthKit gets a “pass” from covered entities. Regardless, he sees Apple’s presence with HealthKit as a timely turning point in the conversation about compliance. “Hopefully a part of the lessons relate to expanding our definition of ‘health data’ and understanding that modern technologies, including mobile, can be both compliant and secure,” he concluded.