Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
No.
The HIPAA Privacy Rule generally prohibits a covered entity from
refusing to disclose ePHI to a third-party app designated by the
individual if the ePHI is readily producible in the form and format used
by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA
Rules do not impose any restrictions on how an individual or the
individual’s designee, such as an app, may use the health information
that has been disclosed pursuant to the individual’s right of access.
For instance, a covered entity is not permitted to deny an individual’s
right of access to their ePHI where the individual directs the
information to a third-party app because the app will share the
individual’s ePHI for research or because the app does not encrypt the
individual’s data when at rest. In addition, as discussed in a separate FAQ, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.