By Jessica Davis, Health IT Security | April 29, 2019

The Department of Health and Human Services Office for Civil Rights recently released guidance to address the increase use of patient health apps and questions around HIPAA compliance.

According to officials, the FAQs are designed to address HIPAA right of access when it comes to the apps patients use to share data with their providers and the APIs used by providers’ EHRs. As HHS released two data sharing rules in February, the questions are designed to shed light on any privacy, security, or compliance concerns.

“The FAQs clarify that once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA-covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate,” officials wrote.

When it comes to provider liability as it relates to electronic protected health information sharing with an app or other software for the use or disclosure of the received ePHI, HHS officials explained that HIPAA liability is determined by the relationship between the covered entity and the app.

When a patient chooses to send health information from a covered entity through an app that is not a covered entity or business associate under HIPAA, the patient data is not longer subject to HIPAA protections, HHS officials wrote.

READ MORE: Mental Health Apps May Share User Data without Clear Privacy Policies

“If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app,” officials explained.

That means if the health app used to transmit data is later breached, the covered entity wouldn’t have any HIPAA responsibilities, they added.

However, if the app was developed, provided by, or on behalf of the covered entity, “ and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity,” the covered entity could be found liable under HIPAA for a “subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer.”

“For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received,” officials wrote.

For providers who choose to send ePHI using an unsecure method to an app, based an a patient’s request, the covered entity would not be found responsible. Under an individual right to access, patients can request to direct their ePHI through an unsecure channel or method.

READ MORE: Majority of Health Apps Share User Data, Without Transparency

Although the covered entity would not be responsible for any unauthorized access caused during transmission in this circumstance, but HHS stressed that the provider “may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.”

Further, HHS said a covered entity is not allowed to refuse to disclose ePHI to an app chosen by a patient, even with concerns about how the app will use or disclose the ePHI it receives. HIPAA broadly prohibits providers from refusing to disclose patient data to a third-party app chosen by a patient, if the ePHI is “readily producible in the form and format used by the app.”

“The HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information that has been disclosed pursuant to the individual’s right of access,” officials explained.

“For instance, a covered entity is not permitted to deny an individual’s right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual’s ePHI for research or because the app does not encrypt the individual’s data when at rest,” they added.

What’s more HIPAA doesn’t apply to third-parties that don’t meet the definition of a HIPAA-covered entity or business associate. The statement is crucial given several recent reports that found many health apps potentially share data without user consent.

READ MORE: HIPAA Needs Clarity Around Patient Data Sharing, AMIA, AHIMA say

A BMJ report found that 79 percent of the most popular health apps routinely share user data without transparency around the practice, while a study published in JAMA found most mental health apps for depression and smoking cessation disclosed data without accurately disclosing the practice to users.

With HHS’ position, providers may only share concerns with patients about app privacy and security, but will still need to share data if the patient requests it.

HHS also shed light on business associate agreements with app developers.

“HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate),” HHS explained.

“However, if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer, acting as the covered entity’s business associate), then a business associate agreement would be required,” they added.