Q- Does HIPAA apply to Remote Patient Monitoring?
- HIPAA does not apply to all health data. It depends on who collects or maintains the data and on that party's relationship with HIPAA covered entities or business associates. Generally, HIPAA applies to health data collected or maintained by those in the traditional health care space, including health plans and most health care providers (such as doctors, hospitals, pharmacies, and labs), and by those doing business on behalf of these entities (such as a billing company or a cloud storage provider (CSP)). However, if the same data is held by the consumer, or by a product or company that has a relationship only with the consumer, then it is not covered by HIPAA, although other federal laws may apply. Typically, technology companies will be business associates working with clients that are themselves covered entities, such as health care providers or health plans. The same product may require HIPAA compliance in some circumstances and not in others.
- Example 1: a company that is collecting health data through a remote patient monitoring device will have to comply with HIPAA if it is providing the service for a doctor or hospital, but not if it is collecting the data for the patient for her own use. If the service allows the data to be shared with a doctor or nurse, the answer will depend on the arrangement and the relationship between the technology company and the health care provider.
- Example 2: if a patient collects her blood pressure information and notices an aberration that she wants to share with her doctor, the fact that the technology enables this communication to occur does not, in and of itself, trigger HIPAA compliance. The analysis can get complicated when technology companies sit between the health care provider or health plan and the consumer. There is guidance on mobile apps that provides some clarity; however, the lines are not clear, and it is wise to have an expert help you determine if and how HIPAA is triggered.
Even technology companies not operating solely in the health care space may be required to comply with HIPAA. Recent HIPAA cloud computing guidance explains that when an entity required to comply with HIPAA engages a cloud storage provider (CSP) to create, receive, maintain, or transmit identifiable health information on its behalf, the CSP is a business associate under HIPAA with its own compliance obligations. This is true even if the CSP processes or stores only encrypted health information and does not hold the encryption key for the data.