Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
Can
a covered entity refuse to disclose ePHI to an app chosen by an
individual because of concerns about how the app will use or disclose
the ePHI it receives?
No.
The HIPAA Privacy Rule generally prohibits a covered entity from
refusing to disclose ePHI to a third-party app designated by the
individual if the ePHI is readily producible in the form and format used
by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA
Rules do not impose any restrictions on how an individual or the
individual’s designee, such as an app, may use the health information
that has been disclosed pursuant to the individual’s right of access.
For instance, a covered entity is not permitted to deny an individual’s
right of access to their ePHI where the individual directs the
information to a third-party app because the app will share the
individual’s ePHI for research or because the app does not encrypt the
individual’s data when at rest. In addition, as discussed in a separate FAQ, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.
Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons Covered Entity: Health Plans Issue: Safeguards A national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant's unauthorized family member. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all ...read more
Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to decide whether sensitive information about them may be disclosed to or through a health information organization (HIO)? Yes. To the extent a covered entity is using a process either to obtain consent or act on an individual’s right to request restrictions under the Privacy Rule as a method for effectuating individual choice, policies can be developed for obtaining consent or honoring restrictions on a granular level, based on the type of information involved. For example, specific consent and restriction policies could ...read more
May a covered entity use or disclose protected health information for litigation? Answer: A covered entity may use or disclose protected health information as permitted or required by the Privacy Rule, see 45 CFR 164.502(a) (PDF); and, subject to certain conditions the Rule typically permits uses and disclosures for litigation, whether for judicial or administrative proceedings, under particular provisions for judicial and administrative proceedings set forth at 45 CFR 164.512(e) (GPO), or as part of the covered entity’s health care operations, 45 CFR 164.506(a) (PDF). Depending on the context, a covered entity’s use or disclosure of protected health information in ...read more
