The Department of Health and Human Services (HHS) Office for Civil Rights has recently issued guidance to address the increased use of patient health applications and the questions around HIPAA compliance that come with it. Officials noted that the FAQs are designed to address the HIPAA right of access as it applies to the apps patients use to share data with their providers and to the APIs used by providers' EHRs. As the federal agency issued two data sharing rules in February this year, the questions aim to shed light on any privacy, security, or compliance concerns.
The official said in a statement that the FAQs clarify that once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA-covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information (ePHI), provided the app developer is not itself a business associate of a covered entity or of another business associate. HHS officials explained that, when a provider shares ePHI with an app or other software, HIPAA liability for the use or disclosure of the received ePHI is determined by the relationship between the covered entity and the app. According to the HHS official, when a patient chooses to send health information from a covered entity through an app that is not a covered entity or business associate under HIPAA, the patient data is no longer subject to HIPAA protections.
Several study reports are cited in this regard. One of them found that 79 percent of well-accepted healthcare apps routinely share user data without transparency around the practice. Another study found that most mental health applications for depression and smoking cessation shared data without precisely disclosing the practice to users. Under the HHS guidance, however, caregivers may only share their concerns about app privacy and security with patients; if patients request their data, they can share it.