

When does HIPAA Apply

EMA / Ecological Momentary Assessment


John Torous

Posts: 14

What is the line between an app collecting wellness data and health data, and when does use become with a healthcare provider vs coach? Is it enough to state that the app is not collecting health data even if it is acting like such and doing such?

Rubi Linares-Orozco

Posts: 33

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

“Individually identifiable health information” is information, including demographic data, that relates to:

the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

HIPAA is a federal regulation, and therefore applies to anyone operating under a covered entity or a business associate under US restriction.

The easiest way I like to explain it: if you are either accessing, extracting, or contributing to the patient's/subject's medical record, HIPAA applies.
Keep in mind that CA Law has a wider definition of "Medical Information" (CMIA) and also has specific rules for the use of PII.

So while you may not be obtaining or attributing the information to the medical record, you may still be required to comply with CA Law on Medical Information and PII. If you are operating in a different state, you may want to check your state laws.


Camille Nebeker

Posts: 56
posted in reply to john torous


Not sure I understand your question. Can you provide additional detail/context?

My take ... a commercial or research grade app can be used to gather personal health data that can be used for clinical and/or research purposes. For example, a wearable device or app can measure a person's active vs sedentary behavior. A researcher could then use that information to intervene with the research participant to either increase activity or decrease sedentariness and, subsequently, evaluate whether the intervention was effective. A clinician may use an app to obtain data that they can then use to advise a patient. Is your question about what is considered wellness vs personal health data that would be regulated under HIPAA?


Rubi Linares-Orozco

Posts: 33

If you plan on exchanging or interacting with covered entities (such as a doctor's office), then you need to be HIPAA compliant. mHealth applications that are going to track, transmit, or store PHI need to be HIPAA compliant.

If you are building an application to track, store or manage non-personally identifiable information, or are not going to be sharing the information with a covered entity, then you do not need to be HIPAA compliant.

Consider Data De-Identification which involves separating out Protected Health Information (names, email addresses, physical addresses, health information, and other identifying information) and storing that data (and only that data) in a separate HIPAA-compliant data store. This frees you to host your application, and store the rest of the de-identified data, in an environment not subject to HIPAA. Data De-Identification allows you to remove the majority of your data from the scope of HIPAA. You can read more on this process here:

Hope this information helps.
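An added illustration of the data-separation pattern described in the reply above (example code written for this thread, not taken from the post or any particular product). It routes the direct identifiers the reply lists (name, email, address, birth date, and so on) into a stand-in for the separate HIPAA-compliant store, replaces them with a keyed pseudonymous token, and lets only the measurement fields (steps, sedentary minutes) reach the stand-in for the unregulated application store. The store classes, field names, the HMAC-based token scheme and the sample records are all assumptions constructed for the example; whether the remainder meets the Privacy Rule's de-identification standard is a separate determination the code does not make.

```python
import hashlib
import hmac

# Direct identifiers named in the post (name, email, physical address, birth
# date, SSN) plus the internal subject id. Field names are assumptions.
IDENTIFYING_FIELDS = {"subject_id", "name", "email", "address", "birth_date", "ssn"}


class PhiStore:
    """Stands in for the separate, HIPAA-compliant store that holds identifiers."""

    def __init__(self, pseudonym_key: bytes):
        # The key that links tokens back to people never leaves this store.
        self._key = pseudonym_key
        self._records = {}

    def token_for(self, subject_id: str) -> str:
        # Keyed hash (HMAC-SHA256): the same subject always maps to the same
        # token, but nobody without the key can recompute or reverse it.
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def put(self, token: str, identifiers: dict) -> None:
        self._records[token] = identifiers

    def get(self, token: str) -> dict:
        return self._records[token]


class OpenStore:
    """Stands in for the application store hosted outside HIPAA scope."""

    def __init__(self):
        self.records = []

    def put(self, record: dict) -> None:
        # Guard rail: refuse any record that still carries a direct identifier.
        leaked = IDENTIFYING_FIELDS & record.keys()
        if leaked:
            raise ValueError(f"identifying fields must not reach the open store: {sorted(leaked)}")
        self.records.append(record)


def split_record(record: dict, phi: PhiStore, open_store: OpenStore) -> dict:
    """Send identifiers to the PHI store; send the rest, keyed by token, to the open store."""
    token = phi.token_for(record["subject_id"])
    identifiers = {k: v for k, v in record.items() if k in IDENTIFYING_FIELDS}
    deidentified = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    deidentified["token"] = token
    phi.put(token, identifiers)
    open_store.put(deidentified)
    return deidentified


def reidentify(token: str, phi: PhiStore) -> dict:
    """Re-linking a token to a person is only possible from inside the PHI store."""
    return phi.get(token)


# Constructed sample EMA / wearable records for the demo, not real data.
SAMPLE_RECORDS = [
    {"subject_id": "S-001", "name": "Jane Doe", "email": "jane@example.com",
     "address": "1 Main St", "birth_date": "1980-02-03", "steps": 8400, "sedentary_minutes": 520},
    {"subject_id": "S-001", "name": "Jane Doe", "email": "jane@example.com",
     "address": "1 Main St", "birth_date": "1980-02-03", "steps": 2100, "sedentary_minutes": 740},
    {"subject_id": "S-002", "name": "John Roe", "email": "john@example.com",
     "address": "2 Side Rd", "birth_date": "1975-11-30", "steps": 12000, "sedentary_minutes": 300},
]


def run_demo(key: bytes = b"demo-key-lives-only-in-phi-store"):
    """Split every sample record and return both stores for inspection."""
    phi = PhiStore(key)
    open_store = OpenStore()
    for rec in SAMPLE_RECORDS:
        split_record(rec, phi, open_store)
    return phi, open_store


if __name__ == "__main__":
    phi, open_store = run_demo()
    for rec in open_store.records:
        print(rec)                       # tokens and measurements only
    print(reidentify(open_store.records[0]["token"], phi))  # identifiers, from the PHI side
```

Because the token is a keyed hash rather than a plain hash of the subject id, two readings from the same person still join on the same token for analysis, while someone holding only the open store cannot rebuild the link by hashing guessed identifiers. The `OpenStore.put` check is the kind of guard rail worth keeping in a real pipeline so that a schema change cannot quietly push an identifier into the unregulated environment.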