On Thursday, April 18, the Department of Health and Human Services (HHS) released several new sets of FAQs (frequently asked questions, with answers), related to health information technology and to provisions of HIPAA (the Health Insurance Portability and Accountability Act of 1996) around ePHI (electronic protected health information). They were appended to FAQs posted in December 2018.
The first new FAQ involved the following question: “What liability does a covered entity face if it fulfills an individual’s request to send their ePHI using an unsecure method to an app?”
And the answer was, “Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app. With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.”
The second new FAQ involved the question, “Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?” And the answer began, “The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI.” The full answer can be found here.
The third question: “Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?” The response? “The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI.” The full answer can be found here.
The fourth question: “Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?” The answer begins, “No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app.” The full answer can be found here.
The fifth question: “Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?” The answer begins, “It depends on the relationship between the app developer, and the covered entity and/or its EHR system developer.” The full answer can be found here.