OCR Issues New Advice on HIPAA and Software Applications Used by Patients to Access PHI

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued new advice on HIPAA and software applications that are used by patients to access health information held by their healthcare providers.

Five new Q&As have been added to the HHS website’s Health Information Technology section, covering commonly asked questions about software applications and HIPAA compliance. All five Q&As are available in a new section called Access Right, Apps and APIs.

OCR has confirmed that when patients request that their health information be sent to a third-party software application, a HIPAA-covered entity is obliged to honor the patient’s request and send PHI, even if there are concerns about the security of the application.

A HIPAA-covered entity is not permitted to deny a patient access to their health information and the patient has the right to have their health information sent to them electronically to any app of their choosing. OCR suggests that the healthcare provider should explain concerns about the security of the app to the patient prior to any disclosure.

Concern has been raised about a healthcare provider’s liability for any PHI that is disclosed to a patient via a third-party software app. Three of the new Q&As cover the issue of liability.

In cases where the software app was not developed by the healthcare provider and the app developer is not a business associate of the covered entity, once PHI has been disclosed to the app at the patient’s request, the information is no longer protected by the HIPAA Rules, and the healthcare provider is no longer liable for any subsequent uses or disclosures of that information. A healthcare provider could, however, be liable if the app was developed for, or is used by, the covered entity.

The same applies to the liability of a healthcare provider’s EHR system developer. If the EHR developer owns the app or has a business associate relationship with the app developer, the EHR developer could be liable if the app impermissibly uses or discloses ePHI. The EHR system developer has no HIPAA liability after PHI has been sent to a third-party app when there is no business associate relationship with the app developer.

OCR also confirmed that a covered entity or EHR system developer is not obliged to enter into a business associate agreement with a third-party app developer in order to honor a patient’s request to have PHI sent to that app. “An app’s facilitation of access to the individual’s ePHI at the individual’s request alone does not create a business associate relationship,” wrote OCR. “Such facilitation may include API terms of use agreed to by the third-party app (i.e., interoperability arrangements).”

A BAA is only required when the app has been developed for the healthcare provider to create, receive, maintain, or transmit ePHI or when the app is used to create, receive, maintain, or transmit ePHI on behalf of the covered entity.

The new Q&As can be viewed at this link.