I believe this question is covered in the developer guidance (page 3), but as this document is 3+ years old, I was trying to determine if further guidance is available or if anything has changed with the decisions.
We provide patient monitoring services to covered entities and enter into contracts/BAAs with them. One of these physicians is interested in providing a wearable tracker to his patients - the wearable would be free to the patient, is produced by a 3rd party, and has an accompanying app in which the patient consents to share the data back with the provider. We in turn consume the data from the 3rd party and report it back to the physician and his EHR.
I have been in contact with one large manufacturer who insists that a BAA is not required as the patient is consenting for the data to be shared.
I believe since the provider is giving the device to the patient, and we (a Business Associate) will be consuming the data, HIPAA applies and that manufacturer would be a Business Associate. Is that correct? Or if the patient consents, would it not be PHI until the physician receives it?
At direction of her provider, patient downloads a health app to her smart phone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring of patients' food and exercise, patient messaging, EHR integration and application interfaces. Information the patient inputs is automatically incorporated into provider EHR.
Yes, the developer is a business associate of the provider, because it is creating, receiving, maintaining and transmitting protected health information (PHI) on behalf of a covered entity. In this case, the provider contracts with the app developer for patient management services that involve creating, receiving, maintaining and transmitting PHI, and the app is a means for providing those services.