HIPAA in the Real World (Part 3): Telemedicine & HIPAA

So, to give you an example, I have a client who is involved in a telemedicine practice. What they’re doing is they’re creating a mobile app that connects doctors with their patients. In order to do this they want to have secure HIPAA-compliant communications between the docs and the patients.  Now, in order to do that they have to hire subcontractors.

Now, let’s think about it for a minute. The person developing the telemedicine mobile app is between you, the doc, and the patient. So, they’re really a business associate of the physician, who is a covered entity.

So, you need to have a business associate agreement in place between the physician, the covered entity, and my client, who is the mobile app developer. But, the mobile app developer then has to subcontract all of the computer coding for the app to other people. It’s going to have a variety of different subcontractors. One might do the email chat. One might do a web chat. One might do some other interface when it’s going to be the host. Each of those people has to be compliant under the security rule, or liability can be transferred upstream.

So, we have to make sure that each of those persons really is doing secure coding and putting in all of the safeguards that a security rule requires.