HHS Guidance on HIPAA Compliant Apps and Sharing PHI
With health care apps becoming more and more prevalent among both patients and providers, complying with HIPAA regulations to maintain data privacy and security is key. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance in April of 2019 about HIPAA compliant apps and rules for how and when providers may share data with them.
This is particularly important to telehealth and telebehavioral health providers dealing with patients over digital media. The use of HIPAA compliant apps and understanding data sharing rules is absolutely essential to protecting sensitive information regarding treatment.
This guidance comes in the form of an FAQ document. HHS OCR issues new guidance to clear up discrepancies regarding the use and disclosure of protected health information (PHI). PHI is any demographic information that can be used to identify a patient, including name, address, date of birth, Social Security number, medical records, and full facial photos, to name a few.
The recent guidance on HIPAA compliant apps and data sharing states that:
- Because patients have the right to access their own PHI, telehealth providers may send that PHI to third-party apps at the patient’s request. Even if a provider is wary about the privacy or security vulnerabilities of an app, they should still adhere to their patients’ requests.
- Telehealth providers will not be held liable under HIPAA if an app misuses patient data, so long as the data was transmitted at the patient’s request. This does not extend to any apps that are provided or used by the providers themselves.
- Telehealth providers will not be held liable under HIPAA if they transmit PHI over an unsecured medium, so long as the data was transmitted at the patient’s request. However, the HIPAA guidance does state that providers should educate patients about the potential risks of sending PHI over unsecured mediums, such as unencrypted email.
This guidance on HIPAA compliant apps and health information should give providers a clearer understanding of their liability when it comes to patient requests to share data with third-party apps. It should be noted again that this guidance only applies in instances when the patient has requested that their PHI be transmitted to an app and not in instances when a provider has chosen to use an app over the course of a patient’s treatment.
To read the full HIPAA compliant app guidance, click here.
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure. Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.