Canadian healthcare providers have often asked, do health applications advertised as “HIPAA-compliant” offer some legal assurance? Often, the answer is no. The Health Insurance Portability and Accountability Act, the main US law governing privacy and information security in healthcare, does not apply to technological applications as such. Rather, it governs personal health information managed by covered entities such as hospitals, physicians, pharmacies, and health insurance companies. Health applications managed by covered entities are subject to HIPAA rules. Consumer health applications managed by private businesses or independent developers are not.
What developers of health applications likely mean, when they advertise themselves as “HIPAA-compliant,” is that their solution aligns with HIPAA standards, and that they are willing to sign Business Associate Agreements (BAA) with healthcare organizations. A BAA makes a service provider to a healthcare organization directly liable under HIPAA rules. Canadian healthcare organizations can obtain some legal protection by signing a BAA with a U.S.-based information service provider.
HIPAA definitely does not apply to consumer health applications, such as mobile apps and wearable devices that collect health information for an individual’s use (e.g., monitoring one’s exercise habits or diet), but do not share this information with a healthcare provider. Healthcare providers who wish to recommend these applications to patients should be aware that Canadians have few legal avenues to enforce their privacy rights with respect to consumer applications.