Industry News

OCR Issues New FAQs on Covered Entities and Applications

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued new Health Insurance Portability and Accountability Act of 1996 (HIPAA) guidance regarding applications and software.  Specifically, the five new Frequently Asked Questions (FAQ) address the applicability of HIPAA to covered entities, business associates (BA), and applications when individuals seek to receive their health information using an application or other software.

In the new FAQs, OCR explains the following:

  • A covered entity would not be liable under HIPAA for any subsequent use or disclosure of requested ePHI received by an application at the direction of the individual who is the subject of the information, or the individual’s representative, if the application is not another covered entity nor a BA. However, if the application is created for the covered entity, provided by the covered entity, or the application is used on behalf of the covered entity, and the application creates, receives, transmits or maintains ePHI on behalf of the covered entity, the covered entity can be liable for the application’s misuse or improper disclosure of the ePHI;
  • A covered entity would not be liable for unauthorized access to an individual’s ePHI while using an unsecure method to transmit the ePHI to an application at the individual’s request. However, OCR suggests that the covered entity inform the individual of the potential risks involved in transmitting Protected Health Information (PHI) through unsecure means; and
  • A covered entity is obligated, under HIPAA’s individual right to access, to send PHI to a designated application upon the individual or individual representative’s request, regardless of the covered entity’s concerns about how the application will use or disclose the ePHI or the security of the application.

The FAQs also explain that HIPAA liability for EHR system developers depends on their relationship with the covered entity and the application.  Although an EHR system developer would be a BA of a covered entity, it would not be liable under HIPAA for any subsequent improper use or disclosure of the consumer requested ePHI received by an application if: 1) the EHR system developer does not own the app; or 2) the EHR system developer owns the application but does not provide the application to, through, or on behalf of the covered entity.  However, the EHR system developer could potentially be liable under HIPAA for any impermissible uses and disclosures of PHI received by an application if the EHR system developer has a BA relationship with the application developer or owns the application, and provides the application to, through, or on behalf of the covered entity.

OCR further emphasizes that an application’s facilitation of access to an individual’s ePHI at the individual’s request does not, on its own, create a BA relationship between the covered entity or EHR system developer and application.  However, HIPAA would require a BA agreement between the covered entity and the application if an application was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by, or on behalf of the covered entity.

The OCR FAQs are available at:

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hippa-access-right-health-apps-apis/index.html