New HIPAA Guidance for Medical App Developers
The federal Department of Health and Human Services' Office for Civil Rights (OCR), which enforces HIPAA, maintains a website of "frequently asked questions" (FAQs) on the HIPAA Privacy Rule and Security Rule. On April 18, 2019, OCR published five new FAQs addressing aspects of HIPAA that matter to medical app developers. For example, FAQ 572 analyzes whether a covered entity that fulfills a patient's request to send electronic protected health information (ePHI) to an application or other software (an "app") is liable under HIPAA for how the app then uses or discloses that ePHI. OCR indicated that the information is no longer subject to HIPAA once it is received, at the individual's direction, by an app that is neither a "covered entity" nor a "business associate" as HIPAA defines those terms. If the app was not provided by or on behalf of the covered entity, and the app does not create, receive, maintain or transmit ePHI on behalf of the covered entity, the covered entity would not be liable under HIPAA for how the app subsequently uses or discloses the ePHI.
FAQ 573 considers whether a covered entity faces liability if an individual asks the covered entity to transmit ePHI in an unsecured manner. In that situation, although the covered entity should consider informing the individual of the risks of such a transmission, the covered entity would not be liable under HIPAA if the transmission the individual requested results in unauthorized access to the ePHI.
Another FAQ, number 574, considers whether an electronic health record (EHR) system developer could be liable under HIPAA for sending ePHI to an app at a patient's request. If the EHR system developer does not own the app, or owns it but does not provide it to, through, or on behalf of a covered entity, the developer would not be liable under HIPAA for the app's subsequent impermissible use or disclosure of the ePHI. HIPAA liability could result, however, if the app impermissibly uses or discloses ePHI and the EHR system developer owns the app or has a business associate relationship with the app's developer.
The OCR guidance also considers, in FAQ 575, whether a covered entity can refuse to send ePHI to an app the patient has designated because the covered entity is concerned about how the app will use or disclose the data. OCR was unequivocal: the covered entity may not refuse on that basis. HIPAA does not restrict how an app chosen by the individual may use health information disclosed to it pursuant to the individual's right of access, so the covered entity's concern about the app's downstream practices is not a permissible ground for denying the request.
A HIPAA business associate agreement will sometimes be required between an app developer and a covered entity or its EHR system developer. FAQ 576 explains that an app that merely facilitates access to the individual's ePHI at the individual's request does not, by itself, create a business associate relationship. If the app developer creates, receives, maintains, or transmits ePHI on behalf of or for the benefit of a covered entity, however, a business associate agreement would be required. Whether HIPAA applies to a particular app or app developer requires a careful analysis of the facts and circumstances in light of current OCR guidance.