OCR releases new set of FAQs to address transmission of ePHI to apps

On April 18, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) released new FAQs relating to HIPAA right of access to ePHI. Specifically, the FAQs address applications or other software (collectively “apps”) designated by patients to receive ePHI from a covered entity’s EHR (electronic health record) system. The FAQs discuss liability for transmission of ePHI and the apps’ subsequent use or disclosure of health information, business associate relationships and agreements with apps, and whether a covered entity may refuse to disclose ePHI to an app.

OCR emphasized that once ePHI is disclosed to an app, as directed by a patient, a covered entity will not be liable under HIPAA for uses or disclosures of ePHI by the app so long as the app is not a business associate of the covered entity. A business associate relationship will not exist when the app was not developed for or provided by or on behalf of the covered entity. Subsequently, OCR noted an app’s access to a patient’s ePHI at the patient’s request alone would not trigger a business associate relationship or require a business associate agreement to be put in place for the transmission of ePHI from a covered entity.

OCR provided there would be a business associate relationship between a covered entity and an app developer when the app is one a covered health care provider uses to provide services to individuals involving ePHI. In that case, OCR noted the covered health care provider may be liable under the HIPAA Rules if the covered entity’s patient selects that app and that app impermissibly discloses the ePHI it receives.

OCR also provided that under the individual’s right of access to their ePHI, a patient may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. Therefore, a patient could request to a covered entity that their unencrypted ePHI be transmitted to an app as a matter of convenience. OCR noted that the covered entity would not be responsible for unauthorized access to the patient’s ePHI while being transmitted to the app. However, OCR recommended that covered entities notify patients of the potential risks of unsecure transmission of ePHI at least the first time the patient makes such a request.

Also based on an individual’s right of access to their ePHI, OCR stated that a covered entity may not refuse to disclose ePHI to an app chosen by an individual solely because of concerns about how the app will use or disclose the patient’s ePHI. Examples of impermissible refusals provided by OCR included denying disclosure to an app because the app will share the patient’s ePHI for research purposes or because the app does not encrypt the patient’s data when at rest.

OCR FAQs can be found here.