HHS Releases FAQs Regarding HIPAA Right of Access as it Relates to Health and Wellness Apps

Recently, the Department of Health and Human Services (HHS) released a set of FAQs from the Office of Civil Rights. These FAQs are meant to address the Health Insurance Portability and Accountability Act (HIPAA) right of access as it relates to health and wellness applications designated for use by patients and application programming interfaces (APIs) used by providers’ electronic health record systems.

WHAT’S INCLUDED IN THE FAQS?

The new FAQs explain that once protected health information (PHI) is shared with a third-party application, the HIPAA-covered entity will not be liable for subsequent use or disclosure of electronic PHI as long as the app developer is not itself a business associate of a covered entity or other business associate. Common examples of third-party health apps include Fitbit, MyFitnessPal, Garmin Connect, Google Fit and Apple’s Health app.

WHAT DOES THIS MEAN?

Employees should be aware that if they request their PHI to be transferred to a third-party health and wellness app, the app won’t receive HIPAA protections. Additionally, the entity that transfers the PHI to the third-party app will not be held liable for subsequent use or disclosure of the PHI.
As a result, the information shared with the
app could be sent or sold to other companies to advertise products or services to you based on your information. This is similar to how your social media sites present products you might be interested in based on your searches or your interests.

FOR MORE INFORMATION

For more information on HIPAA or the new FAQs, please contact your MJ Consultant.

Download the PDF