HIPAA regulates four distinct groups: healthcare providers, health plans, healthcare clearinghouses, and business associates. The first three of these are called “covered entities,” and must comply with the HIPAA regulations in their entirety. Business associates (BAs) must comply with the HIPAA Security Rule in full. BAs must also help covered entities comply with the HIPAA Privacy Rule, which they do by safeguarding the protected health information (PHI) shared with them by covered entities. Entities that are neither covered entities nor business associates are referred to as third parties. The issue of third party HIPAA compliance is discussed below.
What are Third Party HIPAA Entities?
Third party HIPAA entities are entities other than covered entities and business associates that play a role in the collection of patient data. Such entities include patient health app developers.
One such patient health app developer is Jackson Tempra. Jackson Tempra has developed a mental health app known as “What’s Up?” This popular app has been downloaded by millions of users. What’s Up claims to utilize mental health treatment methods such as CBT (Cognitive Behavioral Therapy) and ACT (Acceptance and Commitment Therapy) to help users cope with depression, anxiety, and anger. Users enter data into a positive and negative “habit tracker” to maintain good mental health habits and to “break” those that are counterproductive.
This description makes What’s Up sound like a healthcare provider. However, under the legal definition of the term, What’s Up is not a healthcare provider. “Healthcare provider” means a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for healthcare in the normal course of business. A healthcare provider must also engage in certain “HIPAA covered transactions.” What’s Up does not engage in these transactions and therefore is not a healthcare provider. It is neither a covered entity nor a business associate. Therefore, it is a third party HIPAA entity.
When Do Third Party HIPAA Liability Issues Arise?
Are providers liable under HIPAA for the sharing of electronic protected health information (ePHI) with a third party app? The answer depends upon the relationship between the provider and the app.
According to the Department of Health and Human Services (HHS), when a patient chooses to send health information from a covered entity through an app that is not a covered entity or business associate under HIPAA, the patient data is no longer subject to HIPAA protections. If the individual chose the app to receive the individual’s ePHI, provided the app with the ePHI, and the healthcare provider played no role in providing or transmitting ePHI to the app, the provider is not liable under the Privacy Rule or the Security Rule for a subsequent use or disclosure of the requested ePHI received by the app.
However, if the app was developed, provided by, or on behalf of the covered entity, the app, by definition, “creates, receives, maintains, or transmits ePHI on behalf of the covered entity.” As such, the app is a business associate of the covered entity.
If a patient chooses an app that his or her provider uses to provide services to patients involving ePHI, the provider may be subject to liability under the HIPAA Rules if the provider has failed to enter into a business associate agreement with the app, and the app then impermissibly discloses the ePHI received.