The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) updated its health information technology (IT) frequently asked questions page with new guidance related to health IT access rights under the Health Insurance Portability and Accountability Act (HIPAA). The five new topics OCR addresses are:
- whether a HIPAA-covered entity bears liability under HIPAA rules for electronic protected health information (ePHI) that it transmits to a third-party application or software at an individual’s request;
- what liability a covered entity faces if, at the individual’s request, it sends the individual’s ePHI via an unsecured method to an application;
- whether an electronic health record (EHR) system developer bears liability for the transmission of ePHI to an application at the request of the individual;
- whether a covered entity can refuse to disclose ePHI to an application of the individual requestor’s choice because of the covered entity’s security concerns; and
- whether a covered entity or the EHR system developer needs to enter into a business associate agreement with an application receiving an individual’s ePHI.
In general, OCR clarifies that once an individual requests that the covered entity (which includes health care providers) transmit his or her information to a third-party application, neither the covered entity nor the EHR developer bears responsibility for the ePHI under HIPAA rules. The covered entity or EHR developer could be liable only if there is a business-associate relationship between the application and the covered entity, such as when the application creates, receives, or maintains ePHI on behalf of the covered entity. This new guidance is particularly relevant for HIPAA-covered entities given HHS’ push for increased patient access through third-party applications and application programming interfaces in the recent interoperability and information blocking proposed rules.
Contact Senior Director of Policy Erin O’Malley at firstname.lastname@example.org or 202.585.0127 with additional questions.