Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Blog Post

July 1, 2019

HHS Publishes HIPAA Guidance for Use of Health Apps

On April 18, 2019, the US Department of Health and Human Services (HHS) Office for Civil Rights issued five new FAQs addressing the applicability of HIPAA to the use of software apps that receive health information. This guidance was released in recognition of expanding e-health technology and the increased use of health apps by patients on mobile devices such as smartphones and watches.

The HHS clarified that, if a patient requests to receive their ePHI on a third-party health app that was not provided by or on behalf of the covered entity, the covered entity is not liable under HIPAA for any breach or impermissible disclosure. The individual’s right of access includes the right to request the covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. If a covered entity transmits ePHI––at the patient’s direction––to an app via an unsecure manner or channel, the covered entity is not responsible for unauthorized access during the transmission, although the entity may wish to counsel the patient about the risk of unauthorized access.

By contrast, if a health care app was developed for or provided by or on behalf of a covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, then a business-associate relationship exists between the covered entity and the app developer, and the covered entity could be liable for an impermissible disclosure of ePHI. If the covered entity contracts with the app developer and provides the app to its patients for remote management, monitoring, or other purposes, the covered entity is subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

The new FAQs are available here under the “Access Right, Apps, and APIs” heading. These new FAQs provide important HIPAA guidance for covered entities, EHR developers, and app developers. Patients are demanding greater data accessibility and convenience through wearables and health-tracking apps, and covered entities must be cognizant of HIPAA compliance when sharing health information via these new technologies.

If you have questions regarding the information presented in this blog post, please contact Fran Ciardullo, special counsel, at fciardullo@barclaydamon.com or another member of the firm’s health care or health and human services providers teams.

Featured Media

Alerts

NYS Health and Mental Hygiene Budget Legislation Summary

Alerts

NYS Legislature Passes Legislation to Reopen the CDPAP Fiscal Intermediary Procurement Process

Alerts

Pennsylvania State Court Grants Summary Judgment to Dental Practice Against Insurer for COVID-19 Business Interruption Coverage

Alerts

Unpacking the Impact of the Newly Effective Information Blocking Rule

Alerts

Second Circuit Court of Appeals Certifies Questions Regarding Damages for Improper Judgment Enforcement to New York Court of Appeals

Alerts

NYS Governor Cuomo Signs Bill to Fully Repeal Immunity for Certain Health Care Providers and Facilities

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out