Are the Apple Health and Google Fit APIs HIPAA-compliant?
Disclaimer: This is not intended to be legal advice. Please consult an attorney prior to making any decisions related to HIPAA.
While Apple Health and Google Fit may appear to have some similarities, there are some important differences to consider for developers of medical apps.
First, who is required to comply with HIPAA?
If you are a part of a Covered Entity operating in the United States then you are required to comply with HIPAA. If you are a Business Associate operating under the direction of a Covered Entity then you are also required to comply with HIPAA.
This may lead you to wonder, "What is a Covered Entity?" A covered entity is essentially any organization that is a component of the person's professional medical care. Generally speaking this can be either a Health Care Provider, a Health Plan, or a Health Care Clearinghouse.
For more information on these definitions we recommend seeing the HHS website.
If you are building a general wellness or fitness for a direct-to-consumer application then there is a chance that you may not be covered by HIPAA.
Okay, so what about Apple Health and Google Fit?
Google Fit's policy explicitly prohibits using the Google Fit APIs to store or forward Protected Health Information (PHI). Their policy states, "Do not use Google Fit APIs for any purpose or in any manner involving Protected Health Information, as defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) unless you receive prior written approval to such use from Google."
Apple Health does have a HIPAA compliant option. Apple supports Business Associate Agreements (BAAs) with some partners. Generally speaking, data must be shared through an EHR that is supported by Apple. Right now, those EHRs include:
- athenahealth
- Cerner Millennium
- SPSI Evident Thrive
- DrChrono
- MEDITECH Expanse
What does this mean?
At this point, it's generally not a good idea for most companies to rely upon Google Fit or Apple Health to bring connected device data into their applications. An exception may be for developers at health systems that are operating on one of the compatible EHRs. However, this may still result in a smaller number of patients able to use the platform, because they would be limited to Apple devices at this time.
