HHS Releases New FAQs Related to Health IT and ePHI

April 19, 2019
On Thursday, April 18, HHS released several new FAQs around health information technology and electronic protected health information (ePHI).

On Thursday, April 18, the Department of Health and Human Services (HHS) released several new sets of FAQs (frequently asked questions, with answers), related to health information technology and to provisions of HIPAA (the Health Insurance Portability and Accountability Act of 1996) around ePHI (electronic protected health information). They were appended to FAQs posted in December 2018.

The first new FAQ involved the following question: “What liability does a covered entity face if it fulfills an individual’s request to send their ePHI using an unsecure method to an app?”

And the answer was, “Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel.  See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii).  For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience.  In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app.  With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.”

The second new FAQ involved the question, “Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?” And the answer began, “The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI.” The full answer can be found here.

The third question: “Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?” The response? “The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI.” The full answer can be found here.

The fourth question: “Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?” The answer begins, “No.  The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app.” The full answer can be found here.

The fifth question: “Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?” The answer begins, “It depends on the relationship between the app developer, and the covered entity and/or its EHR system developer.” The full answer can be found here.
