Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Blog Post

July 1, 2019

HHS Publishes HIPAA Guidance for Use of Health Apps

On April 18, 2019, the US Department of Health and Human Services (HHS) Office for Civil Rights issued five new FAQs addressing the applicability of HIPAA to the use of software apps that receive health information. This guidance was released in recognition of expanding e-health technology and the increased use of health apps by patients on mobile devices such as smartphones and watches.

The HHS clarified that, if a patient requests to receive their ePHI on a third-party health app that was not provided by or on behalf of the covered entity, the covered entity is not liable under HIPAA for any breach or impermissible disclosure. The individual’s right of access includes the right to request the covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. If a covered entity transmits ePHI––at the patient’s direction––to an app via an unsecure manner or channel, the covered entity is not responsible for unauthorized access during the transmission, although the entity may wish to counsel the patient about the risk of unauthorized access.

By contrast, if a health care app was developed for or provided by or on behalf of a covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, then a business-associate relationship exists between the covered entity and the app developer, and the covered entity could be liable for an impermissible disclosure of ePHI. If the covered entity contracts with the app developer and provides the app to its patients for remote management, monitoring, or other purposes, the covered entity is subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

The new FAQs are available here under the “Access Right, Apps, and APIs” heading. These new FAQs provide important HIPAA guidance for covered entities, EHR developers, and app developers. Patients are demanding greater data accessibility and convenience through wearables and health-tracking apps, and covered entities must be cognizant of HIPAA compliance when sharing health information via these new technologies.

If you have questions regarding the information presented in this blog post, please contact Fran Ciardullo, special counsel, at fciardullo@barclaydamon.com or another member of the firm’s health care or health and human services providers teams.

Featured Media

Alerts

CPLR Article 52 Is Exclusive Vehicle to Challenge Use of Enforcement Procedures

Alerts

HHS OCR Issues Guidance on the Use of Remote Communication Technologies for Audio-Only Telehealth Services

Alerts

ADA Accessibility Lawsuits: Appellate Court Affirms Dismissal of Braille Gift Card Complaints

Alerts

Subchapter Five Debt Limit Update: What Was Down Is Heading Back Up!

Alerts

President Biden Uses Production Defense Act Authority to Suspend Tariffs on Solar Imports From China and Other Countries Amid Ongoing Commerce Probe

Alerts

Unwitnessed Fall From Ladder Amounts to Mere Speculation of Liability Under Labor Law

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out