OCR Issues HIPAA FAQs on Software Apps
May 6, 2019 | Eric D. Fader | Cybersecurity | Electronic Health Records | HIPAA | Medical Devices and Wearables
The U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) recently issued five new FAQs pertaining to software applications that obtain individuals’ electronic protected health information (ePHI). The FAQs describe various scenarios in which HIPAA covered entities may transmit ePHI to apps, including fitness trackers and other wearables.
In short, a covered entity that sends ePHI to an app will not be liable for unauthorized access to the ePHI either in transit or after it is received by the app, unless the app was “developed for, or provided by or on behalf of the covered entity.” Further, the covered entity’s electronic health record (EHR) system developer will not be liable for unauthorized access to the ePHI unless it owns the app or has a business associate relationship with the app developer.
A covered entity may not refuse to disclose ePHI to an app because of concerns about how the app will use or disclose the ePHI. If the app will not be receiving the ePHI “on behalf of or for the benefit of” the covered entity, the covered entity and its EHR system developer need not have a business associate agreement with the app.