The Trump administration is pushing the healthcare industry to be a part of the smartphone economy, but there has been some confusion about whether healthcare providers and their health IT vendors would be held accountable for how patients use their health data.
To address this, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released guidance to answer common questions about the use of third-party apps under the Health Insurance Portability and Accountability Act (HIPAA). Two recently proposed interoperability rules from HHS call for the industry to adopt standardized application programming interfaces (APIs) so patients can access their health data using smartphone apps.
During a Health IT Advisory Committee meeting last week, National Coordinator for Health IT Donald Rucker, M.D., said the Office of the National Coordinator for Health IT (ONC) has heard many concerns from providers and electronic health record (EHR) vendors that they might bear liability if patients download their data to healthcare apps under the HIPAA right of access.
With its new guidance, OCR clarifies that when a patient shares protected health information with a third-party app or requests their healthcare provider share their health data with an app, the provider organization is not liable for any subsequent use or disclosure of the data as long as the app developer is not a business associate of the provider. For example, the healthcare provider or health plan would have no HIPAA responsibilities or liability if an app that a patient designated to receive their protected health information later experienced a breach, OCR said.
“Once the patient downloads their data, their data is their responsibility. Once they download their information to an app then they need to sort out the secondary use issues,” Rucker said during the meeting. “The liability for stewardship of the data ends once the patient downloads it.”
The exception is if an app was “developed for, or provided by or on behalf of the covered entity—and, thus, creates, receives, maintains, or transmits electronic protected health information on behalf of the covered entity,” the OCR guidance says.
In that case, providers or health plans could be liable under the HIPAA rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. “For example, if the individual selects an app that the health care provider uses to provide services to individuals involving protected health information, the health care provider may be subject to liability under the HIPAA rules if the app impermissibly discloses the ePHI received,” OCR said.
The guidance from OCR addresses four other issues relating to access rights, apps and APIs:
- A healthcare organization that transmits HIPAA-protected health data to a third-party app in an insecure manner or over an insecure channel—at the patient’s direction—would not be responsible for unauthorized access to the patient’s data while it is in transmission to the app. But the provider or health plan may want to counsel the patient regarding the data security risks involved.
- Do providers’ EHR system developers face potential HIPAA liability for sending patients’ health data to an app on behalf of the provider? It depends on the relationship between the EHR vendor, the provider and the app, OCR said. If the EHR vendor owns the app or has a business associate relationship with the app developer and makes the app available to, through or on behalf of the provider, then the vendor could potentially face HIPAA liability as a business associate of a HIPAA covered entity in the event that the app impermissibly uses or discloses the health data. If the EHR vendor does not own the app, or if it owns the app but makes it available in an app store as part of a different line of business and not as part of its business associate relationship with any covered entity, the EHR vendor would not be liable under the HIPAA rules for any subsequent use or disclosure of the health data.
- Patients’ right to access their protected health information under HIPAA generally obligates a provider to send their health data to a designated app, even if the provider is concerned about the app’s security or how the app will subsequently use or disclose the information.