Resources for Mobile Health Apps Developers

Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected. Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules. OCR offers guidance to mobile health (mHealth) developers and others interested in the intersection of health information technology and HIPAA privacy and security protections.

  • Health App Use Scenarios & HIPAA - This guidance details various use scenarios for mHealth applications, and explains when an app developer may be acting as a business associate under the HIPAA Rules.
  • Mobile Health Apps Interactive Tool - The Federal Trade Commission (FTC), in conjunction with OCR, the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), created a web-based tool to help developers of health-related mobile apps understand which federal laws and regulations might apply to them. The tool asks developers a series of questions about the nature of their app, including its function, the data it collects, and the services it provides to users. Based on a developer's answers to those questions, the tool points the app developer toward detailed information about the federal laws that might apply. These include the FTC Act, the FTC's Health Breach Notification Rule, the Health Insurance Portability and Accountability Act (HIPAA) Rules, and the Federal Food, Drug, and Cosmetic Act (FD&C Act).
  • Access Right, Apps, and APIs - View frequently asked questions about how the HIPAA Rules apply to covered entities and their business associates with respect to the right of access, apps, and application programming interfaces (APIs).
  • Health Information Technology - View frequently asked questions on HIPAA and health IT.
  • Guidance on HIPAA & Cloud Computing - OCR developed guidance to assist HIPAA covered entities and business associates, including cloud services providers (CSPs), in understanding how they can use cloud computing technologies while complying with their HIPAA obligations.
Content created by Office for Civil Rights (OCR)
Content last reviewed on September 1, 2020