HHS Guidance on HIPAA Compliant Apps and Sharing PHI
With the use of health care apps for both patients and providers becoming more and more prevalent, complying with HIPAA regulations to maintain data privacy and security is key. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance in April of 2019 about HIPAA compliant apps and rules for how and when providers may share data with them.
This is particularly important to telehealth and telebehavioral health providers dealing with patients over digital media. The use of HIPAA compliant apps and understanding data sharing rules is absolutely essential to protecting sensitive information regarding treatment.
This guidance comes in the form of an FAQ document. HHS OCR issued it to clear up confusion regarding the use and disclosure of protected health information (PHI). PHI is any demographic information that can be used to identify a patient, including name, address, date of birth, Social Security number, medical records, and full facial photos, to name a few.
The recent guidance on HIPAA compliant apps and data sharing states that:
- Because patients have the right to access their own PHI, telehealth providers may send that PHI to third-party apps at the patient’s request. Even if a provider is wary about the privacy or security vulnerabilities of an app, they should still adhere to their patients’ requests.
- Telehealth providers will not be held liable under HIPAA if an app misuses patient data, so long as the data was transmitted at the patient’s request. This does not extend to any apps that are provided or used by the providers themselves.
- Telehealth providers will not be held liable under HIPAA if they transmit PHI over an unsecured medium, so long as the data was transmitted at the patient’s request. However, the HIPAA guidance does state that providers should educate patients about the potential risks of sending PHI over unsecured media, such as unencrypted email.
This HIPAA compliant app health information guidance should give providers a clearer understanding of their liability when it comes to patient requests to share data with third-party apps. It should be noted again that this guidance only applies in instances when the patient has requested that their PHI be transmitted to an app and not in instances when a provider has chosen to use an app over the course of a patient’s treatment.