Technological advancements over the last several years have made it easier than ever for employers and employees to collect, store, manage, organize, or transmit health information via applications and other software (collectively, "apps"). The Office for Civil Rights ("OCR"), the entity responsible for enforcing the Health Insurance Portability and Accountability Act ("HIPAA"), recently issued FAQs concerning HIPAA's applicability to apps. The FAQs clarify that once protected health information ("PHI") has been received by an app that is neither a covered entity nor a business associate, the information is no longer subject to the protections of the HIPAA rules.
Health plans are considered covered entities under HIPAA and must comply with HIPAA’s Privacy and Security Rules. Briefly:
Recently, OCR issued guidance in the form of FAQs to address common questions concerning HIPAA compliance related to the use of third-party health apps. Notably, the FAQs clarify the following:
Under HIPAA's individual right of access, individuals can direct a covered entity to transmit their electronic PHI ("ePHI") to a third-party app in an unsecure manner or through an unsecure channel. The FAQs establish that a covered entity transmitting ePHI to a third-party app in an unsecure manner or over an unsecure channel will not be responsible for unauthorized access to the ePHI while in transit, so long as the transmission was made at the individual's request. For example, an individual may request that his or her unencrypted ePHI be transmitted to an app as a matter of convenience. In this case, the covered entity would not be responsible for unauthorized access to the ePHI while it is in transmission to the app. However, OCR specified that in this situation the covered entity should advise the individual of the potential risks involved the first time the individual makes such a request.
Finally, OCR stressed that a covered entity is not allowed to refuse to disclose ePHI to an app chosen by an individual, even when the covered entity is concerned about the app's security or about how the app will use or disclose the ePHI. The HIPAA Privacy Rule broadly prohibits covered entities from refusing to disclose ePHI to a third-party app selected by the individual if the ePHI is "readily producible in the form and format used by the app." For example, a covered entity is not permitted to deny an individual's request to transmit his or her ePHI to a third-party app because the app does not encrypt the ePHI when stored in the app.
Employers, as plan sponsors of a health plan, should understand the plan's responsibilities under HIPAA as a covered entity and its relationship with any technology used to create, receive, maintain, or transmit ePHI. Accordingly, it is important for employers to: