Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
Can
a covered entity refuse to disclose ePHI to an app chosen by an
individual because of concerns about how the app will use or disclose
the ePHI it receives?
No.
The HIPAA Privacy Rule generally prohibits a covered entity from
refusing to disclose ePHI to a third-party app designated by the
individual if the ePHI is readily producible in the form and format used
by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA
Rules do not impose any restrictions on how an individual or the
individual’s designee, such as an app, may use the health information
that has been disclosed pursuant to the individual’s right of access.
For instance, a covered entity is not permitted to deny an individual’s
right of access to their ePHI where the individual directs the
information to a third-party app because the app will share the
individual’s ePHI for research or because the app does not encrypt the
individual’s data when at rest. In addition, as discussed in a separate FAQ, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.
Issued by: Office for Civil Rights (OCR) What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP? Answer: If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules. 45 C.F.R §§164.308(b)(1) and §164.502(e). OCR has entered into a resolution agreement and corrective action plan with a covered entity that OCR determined ...read more
Health Sciences Center Revises Process to Prevent Unauthorized Disclosures to Employers Covered Entity: General Hospitals Issue: Impermissible Uses and Disclosures; Authorizations A state health sciences center disclosed protected health information to a complainant's employer without authorization. Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer. All staff was trained on the revised procedures. ...read more
Private Practice Ceases Conditioning of Compliance with the Privacy Rule Covered Entity: Private Practice Issue: Conditioning Compliance with the Privacy Rule A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule ...read more
National Pharmacy Chain Extends Protections for PHI on Insurance Cards Covered Entity: Pharmacies Issue: Impermissible Uses and Disclosures; Safeguards A pharmacy employee placed a customer's insurance card in another customer's prescription bag. The pharmacy did not consider the customer's insurance card to be protected health information (PHI). OCR clarified that an individual's health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff. The revised policies are applicable to all individual ...read more
