HHS Releases New FAQs Related to Health IT and ePHI

April 19, 2019
On Thursday, April 18, HHS released several new FAQs around health information technology and electronic protected health information (ePHI).

On Thursday, April 18, the Department of Health and Human Services (HHS) released several new sets of FAQs (frequently asked questions, with answers), related to health information technology and to provisions of HIPAA (the Health Insurance Portability and Accountability Act of 1996) around ePHI (electronic protected health information). They were appended to FAQs posted in December 2018.

The first new FAQ involved the following question: “What liability does a covered entity face if it fulfills an individual’s request to send their ePHI using an unsecure method to an app?”

And the answer was, “Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel.  See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii).  For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience.  In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app.  With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.”

The second new FAQ involved the question, “Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?” And the answer began, “The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI.” The full answer can be found here.

The third question: “Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?” The response? “The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI.” The full answer can be found here.

The fourth question: “Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?” The answer begins, “No.  The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app.” The full answer can be found here.

The fifth question: “Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?” The answer begins, “It depends on the relationship between the app developer, and the covered entity and/or its EHR system developer.” The full answer can be found here.
