January 22, 2020

OCR Issues Five New HIPAA FAQs on Health Information Apps

On April 18, 2019, the Department of Health & Human Services Office for Civil Rights (OCR) issued five new FAQs addressing the applicability of HIPAA to the use of software applications (apps) by individuals to receive health information from their providers.

The new FAQs are available on the OCR website under the header “Access Right, Apps and APIs.”

In the FAQs, OCR:

  • Emphasizes that an individual’s right to access her/his protected health information (“PHI” or “ePHI”) under HIPAA generally obligates a covered entity to send PHI to a designated app, even if the covered entity is concerned about the app’s security or how the app will subsequently use or disclose the PHI;

  • Explains that a covered entity would not be liable under HIPAA for an app’s subsequent use or disclosure of PHI sent to the app at the direction of an individual, unless the app was “developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity”; and

  • Notes that a covered entity that transmits ePHI to an app via an unsecure manner or channel – at an individual’s direction – would not be responsible for unauthorized access during such transmission, but such an entity may want to counsel the individual regarding the security risks involved in such a transmission.

The FAQs also address potential liability of a covered entity’s EHR system developer under HIPAA following transmission of ePHI to an app on behalf of the covered entity. OCR similarly counsels that liability could attach under HIPAA where the EHR system developer owns the app or has a business associate relationship with the app developer, and makes the app available to, through or on behalf of the covered entity. OCR also notes that “an app’s facilitation of access” to an individual’s ePHI does not in itself create a business associate relationship between the app and a covered entity or EHR system developer.

Ultimately, the new FAQs provide important guidance for covered entities, EHR developers and app developers on the intersection of new forms of technology – such as wearables and health tracking apps – with HIPAA and health care providers. The FAQs also provide a reminder regarding the limits on the applicability of HIPAA, and reiterate the importance of HIPAA’s right to access for individuals.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.


About this Author

Conor Duffy Cybersecurity Attorney

Conor Duffy is a member of the firm's Health Law Group and its Data Privacy + Cybersecurity Team. He advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health law issues. He also counsels clients on what measures are needed to safeguard data and patient information.


Conor provides legal counsel to health care clients on various regulatory matters, such as Medicare and Medicaid program compliance, federal fraud and abuse laws, and the Emergency Medical Treatment & Labor Act...