The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued new advice on HIPAA and software applications that are used by patients to access health information held by their healthcare providers.
Five new Q&As have been added to the HHS website’s Health Information Technology section covering commonly asked questions about software applications and HIPAA compliance. All five Q7As are available in a new section called Access Right, Apps and APIs.
OCR has confirmed that when patients request that their health information be sent to a third-party software application, a HIPAA-covered entity is obliged to honor the patient’s request and send PHI, even if there are concerns about the security of the application.
A HIPAA-covered entity is not permitted to deny a patient access to their health information and the patient has the right to have their health information sent to them electronically to any app of their choosing. OCR suggests that the healthcare provider should explain concerns about the security of the app to the patient prior to any disclosure.
Concern has been raised about a healthcare provider’s liability for any PHI that is disclosed to a patient via a third-party software app. Three of the new Q&As cover the issue of liability.
In cases where the software app has not been developed by the healthcare provider and the app developer is not a business associate of the covered entity, once PHI has been disclosed to the app at the patient’s request, the information is no longer protected by HIPAA Rules and the healthcare provider is no longer liable for any subsequent uses or disclosures of that information. A healthcare provider could, however, be liable if the app was developed for or is used by the covered entity.
The same applies to liability by a healthcare provider’s EHR system developer. If the EHR developer owns the app or has a business associate relationship with the app developer, the EHR developer could be liable if the app impermissibly uses or discloses ePHI. The EHR system developer would not have HIPAA liabilities after PHI has been sent to a third-party app when there is no business associate relationship with the app developer.
A BAA is only required when the app has been developed for the healthcare provider to create, receive, maintain, or transmit ePHI or when the app is used to create, receive, maintain, or transmit ePHI on behalf of the covered entity.
The new Q&As can be viewed on this link.