HHS guidance clarifies HIPAA liability with use of 3rd-party health apps

The Office for Civil Rights released guidance to address common questions about the use of third-party apps under HIPAA.

The Trump administration is pushing the healthcare industry to be a part of the smartphone economy, but there has been some confusion about whether healthcare providers and their health IT vendors would be held accountable for how patients use their health data.

To address this, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released guidance to answer common questions about the use of third-party apps under the Health Insurance Portability and Accountability Act (HIPAA). Two recently proposed interoperability rules from HHS call for the industry to adopt standardized application programming interfaces (APIs) so patients can access their health data using smartphone apps.

During a Health IT Advisory Committee meeting last week, National Coordinator for Health IT Donald Rucker, M.D., said the Office of the National Coordinator for Health IT (ONC) has heard many concerns from providers and electronic health record (EHR) vendors that they might bear liability if patients download their data to healthcare apps under the HIPAA right of access.


With its new guidance, OCR clarifies that when a patient shares protected health information with a third-party app or requests their healthcare provider share their health data with an app, the provider organization is not liable for any subsequent use or disclosure of the data as long as the app developer is not a business associate of the provider. For example, the healthcare provider or health plan would have no HIPAA responsibilities or liability if an app that a patient designated to receive their protected health information later experienced a breach, OCR said.

“Once the patient downloads their data, their data is their responsibility. Once they download their information to an app then they need to sort out the secondary use issues,” Rucker said during the meeting. “The liability for stewardship of the data ends once the patient downloads it.”

The exception is if an app was “developed for, or provided by or on behalf of the covered entity—and, thus, creates, receives, maintains, or transmits electronic protected health information on behalf of the covered entity,” the OCR guidance says.


In that case, providers or health plans could be liable under the HIPAA rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. “For example, if the individual selects an app that the health care provider uses to provide services to individuals involving protected health information, the health care provider may be subject to liability under the HIPAA rules if the app impermissibly discloses the ePHI received,” OCR said.

The guidance from OCR addresses four other issues as they relate to access rights, apps and APIs:

  • A healthcare organization that transmits HIPAA protected health data to a third-party app via an insecure manner or channel—at the patient’s direction—would not be responsible for unauthorized access to the patient’s data while in transmission to the app. But the provider or health plan may want to counsel the patient regarding the data security risks involved.
  • Do providers’ EHR system developers face potential HIPAA liability for sending patients’ health data to an app on behalf of the provider? It depends on the relationship between the EHR vendor, the provider and the app, OCR said. If the EHR vendor owns the app or has a business associate relationship with the app developer and makes the app available to, through or on behalf of the provider, then the vendor could potentially face HIPAA liability as a business associate of a HIPAA covered entity in the event that the app impermissibly uses or discloses the health data. If the EHR vendor does not own the app, or if it owns the app but makes it available in an app store as part of a different line of business and not as part of its business associate relationship with any covered entity, the EHR vendor would not be liable under the HIPAA rules for any subsequent use or disclosure of the health data.
  • Patients’ right to access their protected health information under HIPAA generally obligates a provider to send their health data to a designated app, even if the provider is concerned about the app’s security or how the app will subsequently use or disclose the information.
  • Healthcare organizations and their health IT vendors are not required to have a business associate agreement with a third-party app developer in order to transmit patients’ data to that app. An app's facilitation of access to a patient’s health information at the patient’s request alone does not create a business associate relationship. Such facilitation may include API terms of use agreed to by the third-party app, such as interoperability arrangements. A business associate agreement is required, however, if the app was developed to create, receive, maintain or transmit health information on behalf of the provider or health plan, or was provided by or on behalf of the healthcare organization, directly or through its EHR vendor.
