OCR addresses HIPAA and health information apps in new FAQs
On April 18, the Office of Civil Rights (OCR) added five new answers to its FAQ section on the relationship between HIPAA and health apps that use patient information.
The questions cover the relationships among covered entities (CEs), app developers, and EHR system developers, as well as patients' access to their electronic protected health information (ePHI).
Key takeaways from the FAQs include:
- HIPAA liability depends on whether an app is developed for and provided to patients by a CE via a business associate agreement (BAA) with an app developer. If an app creates, receives, maintains, or transmits ePHI on behalf of the CE, then the CE could be liable under HIPAA for impermissible disclosures.
- When an individual directs a CE to send ePHI to an app, the EHR system developer would bear liability for subsequent impermissible uses and disclosures of the ePHI received by the app only if the EHR system developer is in a business associate relationship with the app developer.
- HIPAA requires a BAA between EHR system developers and app developers only where an app is developed specifically on behalf of a CE, or was provided by or on behalf of the CE directly or through its EHR system developer acting as the CE's business associate.
- Because individuals have a right of access to their information, patients can request that ePHI be directed to an app in an unsecured manner. The CE has no liability for what happens to the information after the transaction. Further, the CE cannot refuse to disclose ePHI to an app, even if it has concerns about how the app will use the information, when the ePHI has been requested under an individual's right of access.
Read the full answers on HHS’ FAQ page under the “Access Right, Apps, and APIs” link.