Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Blog Post

July 01, 2019

HHS Publishes HIPAA Guidance for Use of Health Apps

On April 18, 2019, the US Department of Health and Human Services (HHS) Office for Civil Rights issued five new FAQs addressing the applicability of HIPAA to the use of software apps that receive health information. This guidance was released in recognition of expanding e-health technology and the increased use of health apps by patients on mobile devices such as smartphones and watches.

The HHS clarified that, if a patient requests to receive their ePHI on a third-party health app that was not provided by or on behalf of the covered entity, the covered entity is not liable under HIPAA for any breach or impermissible disclosure. The individual’s right of access includes the right to request the covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. If a covered entity transmits ePHI––at the patient’s direction––to an app via an unsecure manner or channel, the covered entity is not responsible for unauthorized access during the transmission, although the entity may wish to counsel the patient about the risk of unauthorized access.

By contrast, if a health care app was developed for or provided by or on behalf of a covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, then a business-associate relationship exists between the covered entity and the app developer, and the covered entity could be liable for an impermissible disclosure of ePHI. If the covered entity contracts with the app developer and provides the app to its patients for remote management, monitoring, or other purposes, the covered entity is subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

The new FAQs are available here under the “Access Right, Apps, and APIs” heading. These new FAQs provide important HIPAA guidance for covered entities, EHR developers, and app developers. Patients are demanding greater data accessibility and convenience through wearables and health-tracking apps, and covered entities must be cognizant of HIPAA compliance when sharing health information via these new technologies.

If you have questions regarding the information presented in this blog post, please contact Fran Ciardullo, special counsel, at fciardullo@barclaydamon.com or another member of the firm’s health care or health and human services providers teams.

Subscribe

Click here to sign up for alerts, blog posts, and firm news.

Subscribe

Sign up to receive our latest news

Practice Areas

Featured Industries

New & Emerging Industry Practice Areas

Other

Featured Media

Alerts

Component 2 EEO-1 Online Filing System Update

Alerts

#MeToo Continues Gaining Momentum as NYS Legislature Passes New Employment Discrimination Protections

Alerts

Planning for the End of LIBOR

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out