In January 2021, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (Notice) to modify the HIPAA Privacy Rule. HHS has proposed to modify the Privacy Rule right of access provision by (among other measures) requiring providers, at an individual’s request, to mail or electronically transmit PHI to or through the individual’s personal health application (PHA). HHS seeks to define PHAs as “electronic applications used by an individual to access health information about that individual, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity.” Examples of PHAs include the Fitbit and WebMD apps. The period for public comment on the Notice closed on May 6. Numerous healthcare groups have expressed opposition to the proposed requirement to electronically transmit PHI to or through a PHA. The reasons for their opposition are discussed below.

Proposal to Modify HIPAA Privacy Rule: No Oversight

HHS, in seeking to justify the addition of a “PHA provision,” has noted that individual use of personal health applications to access and manage personal health information is growing. Individuals (or their personal representatives) use a PHA for their own purposes, such as monitoring their own health status and accessing their own PHI through the application.

Currently, HIPAA does not require providers to accommodate patient requests to transmit information such as weight, vital signs, or other health information.

Providers are worried that this requirement may be imposed. PHA developers are not regulated by HIPAA as either covered entities or business associates, and the proposed new Privacy Rule does not regulate these entities either. Healthcare groups, including providers and advocacy organizations, have submitted public comments voicing concerns about the privacy and security risks of sending protected health information (PHI) to these unregulated apps. These groups expressed concern that, because PHAs and those who develop, manufacture, or sell them are not regulated by HIPAA, PHI that a provider sends to a PHA at a patient’s request may be accessed or used by third parties, who could use the PHI for illegal financial gain or another illegal purpose.
