Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
Can
a covered entity refuse to disclose ePHI to an app chosen by an
individual because of concerns about how the app will use or disclose
the ePHI it receives?
No.
The HIPAA Privacy Rule generally prohibits a covered entity from
refusing to disclose ePHI to a third-party app designated by the
individual if the ePHI is readily producible in the form and format used
by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA
Rules do not impose any restrictions on how an individual or the
individual’s designee, such as an app, may use the health information
that has been disclosed pursuant to the individual’s right of access.
For instance, a covered entity is not permitted to deny an individual’s
right of access to their ePHI where the individual directs the
information to a third-party app because the app will share the
individual’s ePHI for research or because the app does not encrypt the
individual’s data when at rest. In addition, as discussed in a separate FAQ, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.
Private Practice Ceases Conditioning of Compliance with the Privacy Rule Covered Entity: Private Practice Issue: Conditioning Compliance with the Privacy Rule A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule ...read more
Physician Revises Faxing Procedures to Safeguard PHI Covered Entity: Health Care Provider Issue: Safeguards A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient. The office informed all its employees of the ...read more
SCOPE OF CRIMINAL ENFORCEMENT UNDER 42 U.S.C. § 1320d-6 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6, and the knowingly element of the offense set forth in that provision requires only proof of knowledge of the facts that constitute the offense. MEMORANDUM OPINION FOR THE GENERAL COUNSEL DEPARTMENT OF HEALTH AND HUMAN SERVICES AND THE SENIOR COUNSEL TO THE DEPUTY ATTORNEY GENERAL You have asked jointly for our opinion concerning the scope of 42 U.S.C. § 1320d-6 (2000), the criminal enforcement provision of the ...read more
Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to decide whether sensitive information about them may be disclosed to or through a health information organization (HIO)? Yes. To the extent a covered entity is using a process either to obtain consent or act on an individual’s right to request restrictions under the Privacy Rule as a method for effectuating individual choice, policies can be developed for obtaining consent or honoring restrictions on a granular level, based on the type of information involved. For example, specific consent and restriction policies could ...read more
