Last Updated: May 30, 2019
With the abundance of health care software applications (apps) available to physicians and patients for transmitting electronic protected health information (ePHI), many physicians and other covered entities might not realize their potential liability for privacy breaches. The United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) offers guidance in the form of FAQs to clarify such potential liabilities under the Health Insurance Portability and Accountability Act (HIPAA).
This guidance can be accessed here.
Why Was This Guidance Needed?
The HIPAA Privacy Rule (which can be found at 45 CFR Part 160 and Subparts A and E of Part 164) establishes national standards that covered entities must follow to protect the privacy of patient PHI. Most health care providers are considered covered entities for HIPAA purposes. HIPAA also protects a patient’s right to access their own PHI; see 45 CFR §164.524.
There are numerous apps available for transmitting ePHI between health care entities and patients. As these apps have emerged and gained greater prominence, many entities have questioned whether using them to share and transmit data leaves the entity vulnerable to HIPAA violations. Given the wealth of apps available, OCR needed to issue guidance clarifying the potential for HIPAA liability.
Note that this guidance offers no determination as to whether specific individual apps are HIPAA compliant.
HIPAA Liability When App Is Provided by the Practice
If a covered entity provides or selects an app that patients use to transmit and receive their ePHI, the covered entity could be liable under HIPAA if the app impermissibly discloses the ePHI it receives. In this scenario, liability exists because the entity is using the app to create, receive, maintain, or transmit ePHI on the covered entity’s behalf.
Note that if an app was developed to create, receive, maintain, or transmit ePHI on behalf of a covered entity, a business associate agreement between the entity and app developer would be needed.
HIPAA Liability When App Is Chosen by a Patient
If a patient requests ePHI to be transmitted to a third-party app of the patient’s choosing, one which the patient supplied or identified, a covered entity is not liable under HIPAA for any subsequent use or disclosure of the requested ePHI received by the app.
A patient may request a covered entity to transmit ePHI to a third-party app in an unsecure manner or through an unsecure channel. In such a circumstance, OCR’s new guidance clarifies that the covered entity would not be responsible for unauthorized access to the individual's ePHI while in transmission to the app. However, OCR opines that it may be prudent for the entity to inform the patient of the potential security risks involved with this request.
Can a Covered Entity Refuse to Disclose ePHI to an App Chosen by a Patient?
No, a covered entity cannot refuse to disclose or transmit ePHI to an app chosen by a patient, even if the covered entity has security concerns about the app. The HIPAA Privacy Rule, see 45 CFR §164.524, prohibits a covered entity from refusing to disclose PHI in a form or format designated by a patient if the PHI requested is readily producible in that form or format.
Where Can I Find Additional Information?
HHS and OCR have published a number of other informative FAQs regarding HIPAA compliance for health care professionals.
The Office of the National Coordinator for Health Information Technology (ONC) also has a number of resources on PHI privacy and security, which can be accessed here.
The Pennsylvania Medical Society (PAMED) has a wealth of information on HIPAA compliance that can be accessed at www.pamedsoc.org/HIPAA. PAMED’s general legal information on medical records is available at www.pamedsoc.org/medicalrecords.
PAMED’s Quick Consult on “Confidentiality of Medical Records and Other Personal Health Information” details HIPAA’s Privacy Rule and is available to all PAMED members.
PAMED members with questions can also contact our Knowledge Center at 855-PAMED4U (855-726-3348) or KnowledgeCenter@pamedsoc.org.
PAMED's Legal Resource Center
PAMED's Legal Resource Center provides quality, timely legal advocacy and resources for member physicians who practice in Pennsylvania. You'll find:
- News on PAMED's strong legal advocacy in the courts, legislature, and state government agencies
- Resources about laws and regulations that impact the practice of medicine, in the form of frequently asked questions (FAQs), legal briefs, and more.
Get details at www.pamedsoc.org/LegalResourceCenter.