In April 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a new series of guidance, in the form of FAQs, about HIPAA compliant apps, health information, and the disclosure of protected health information (PHI).
OCR routinely issues HIPAA guidance to clarify how enforcement or regulatory activity applies to changes and trends in the health care industry. Often this guidance is issued in response to changes or updates in technology.
This most recent OCR guidance about compliant apps that process health information is just such a response.
In this HIPAA compliant app guidance FAQ, OCR states that:
- HIPAA gives individuals the right to access their protected health information (PHI: individually identifiable health information, including demographic data, that relates to a person's health condition, care, or payment for care). That means that if a patient asks for their PHI to be sent to an app they designate, the provider must honor that request. This holds even when the provider has concerns about the app's privacy or security, or about how the app will go on to use that PHI.
- Providers who transmit PHI to a third-party app at a patient's request will not be held liable under HIPAA for subsequent unlawful disclosures the app may make. It should be stressed that this only applies so long as the app was not "developed for, or provided by or on behalf of the [provider] – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the [provider]." An app that meets that description is acting as a business associate of the provider, and the provider remains responsible for it under HIPAA.
- Providers who transmit PHI to a third-party app at a patient's request over an unsecured channel will not be held liable for a breach that occurs in transit, because the patient chose that method of delivery. However, the guidance stresses that providers should make patients aware of the risks involved with non-secure transmission before sending.
With new health care technology, including apps and mHealth devices, HIPAA guidance must adapt to account for new data protection requirements. As patients increasingly ask to share PHI with third-party health information apps, providers must understand their responsibilities and liability for data privacy and security. Understanding HIPAA compliant app data sharing is critical to keeping up with patients' growing demand for data accessibility and provider engagement.
To find out more about HIPAA privacy and security requirements, register for one of our upcoming educational HIPAA webinars.