NP Privacy Partner
New York law prohibits first responders from selling patient data for marketing purposes
On October 7, 2019, New York Governor Andrew M. Cuomo signed into law a bill that prohibits New York ambulance service providers and advanced life support first response service providers from selling, disclosing, transferring, or otherwise using identifiable patient information for marketing purposes. “Marketing” is defined as advertising, promotion, or any other activity that is intended to influence business sales or market share, including evaluating the effectiveness of marketing personnel or practices.

Although the legislation limits marketing-related uses and disclosures, it continues to permit ambulance providers and other first responders to share identifiable patient data with the patient and those authorized to make health care decisions for the patient, with health care providers treating the patient, and with the patient’s insurer, as well as third parties that have a legal right to the information—such as those authorized by a court order, a government entity, or law enforcement personnel. With patient consent, identifiable information can be used for training, promotion, or for staff recognition and recruitment.

All types of entities—for-profit, nonprofit, and governmental—are subject to these data restrictions, although nonprofit and governmental entities may use a patient’s name and address to solicit donations.

The legislation takes effect 180 days from its October 7, 2019, enactment date.

Protecting Higher Education Institutions from HIPAA Risks

In a recent webinar, the Nixon Peabody Higher Education team addressed the potential implications of HIPAA on colleges and universities, including in relation to their employer-sponsored health plans, student health clinics, and counseling programs.

Does HIPAA apply to student health centers?
Laurie Cohen, Partner (Health Care, Albany)

In providing health care services to students, the college/university will be considered a health care provider under HIPAA (and thus a “covered entity”) if it submits claims electronically to a student’s health insurer or conducts any other covered transactions electronically.

Even if the college/university is a HIPAA-covered entity, it will not be required to comply with the HIPAA Privacy Rule to the extent that the health records maintained by the health center relate only to its students, because HIPAA specifically excludes “education records” and “treatment records” from the definition of “protected health information (PHI).”

Instead, such student health records are governed by the Family Educational Rights and Privacy Act (FERPA). Although HIPAA does not apply to student health records, if the college or university meets the definition of a covered entity, HIPAA will apply to any PHI of non-students held by the college or university. To limit the application of HIPAA to specific components/departments, the college or university will want to determine whether to designate itself a “hybrid-covered” entity.

College/university-sponsored health plans are HIPAA-covered entities.
Yelena Gray, Partner (Labor & Employment, Chicago)

College and university group health plan sponsors must amend their plan documents for compliance with HIPAA, certify to their plans that the sponsor will adhere to the HIPAA requirements, and establish a firewall between the sponsor’s personnel with access to PHI and the sponsor’s other workforce.

Colleges and universities must also identify plan vendors that are business associates and enter into business associate agreements with them to ensure maximum protection for plan participants and their covered dependents.

Is the college/university regulated as a HIPAA business associate?
Valerie Breslin Montague, Partner (Health Care, Chicago)

Colleges and universities should continually review their operations to determine whether any of their services trigger HIPAA regulation as a business associate arrangement, such as a university providing administrative services to a physician faculty practice plan, where such an arrangement involves access to protected health information. If so, the organization should ensure that it enacts a HIPAA compliance plan and carefully reviews the provisions of all business associate agreements to ensure that the terms governing indemnification, notification, de-identification, and return of data, among others, are acceptable.

Assessing the applicability of HIPAA.

The consequences of noncompliance with HIPAA are significant. Nixon Peabody is able to assist colleges and universities in assessing the applicability of HIPAA to their health center operations, their employer-sponsored health plans, and their other components.

Please reach out to Laurie Cohen, Yelena Gray, or Valerie Montague for additional information.

Dental practice learns if you don’t have anything that is HIPAA compliant to Yelp don’t Yelp at all

On October 2, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced Elite Dental Associates - Dallas, P.C. (Elite) had agreed to pay $10,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy Rules.

Elite is a private dental practice in Dallas, Texas, that had a patient submit a review on Elite’s Yelp review page. Elite decided to respond to the patient’s review by disclosing the patient’s last name and details of her treatment plan and insurance. The patient subsequently submitted a complaint to OCR on June 5, 2016, regarding Elite’s response.

Once OCR initiated an investigation of the dental practice to review the patient’s complaint, OCR determined that Elite improperly disclosed PHI of multiple patients in response to Elite’s Yelp reviews without valid HIPAA authorizations; failed to implement policies and procedures with respect to PHI, including releasing PHI on social media/public platforms; and failed to have the minimum content required in its Notice of Privacy Practices as provided by the HIPAA Privacy Rule. Even though Elite had the above significant HIPAA violations, OCR noted that it took into account Elite’s size, financial circumstances, and cooperation with OCR’s investigation when accepting the $10,000 settlement amount.

OCR Director Roger Severino stated, “Social media is not the place for providers to discuss a patient’s care” and that “[d]octors and dentists must think carefully about patient privacy before responding to online reviews.”

To drive this point home, Elite’s corrective action plan with OCR requires Elite to revise its Notice of Privacy Practices to describe the uses and disclosures of PHI for which Elite must obtain an individual’s authorization, and OCR directs that this description include, as examples, posting on Elite’s website, social media pages, and/or other public platforms. Notably, this requirement to give specific social media examples of disclosures that require HIPAA authorization goes beyond the Notice of Privacy Practices requirements in the HIPAA Privacy Rule: 45 CFR §164.520(b) only requires specific notice of the authorization requirement for psychotherapy notes and for marketing and sale of PHI. For all other uses or disclosures not otherwise permitted by HIPAA, 45 CFR §164.520(b) only requires a general statement that uses and disclosures not described in the Notice of Privacy Practices will be made only with the individual’s written authorization, together with a statement that the individual may revoke an authorization.

Elite’s experience with OCR is an important lesson for all HIPAA covered entities: understand your responsibilities under HIPAA before posting or responding on any social media platform.

OCR’s press release about this settlement can be found here.

OCR keeps its promise to enforce PHI right of access violations

On September 9, 2019, the Department of Health and Human Services, Office for Civil Rights (OCR) issued its first enforcement action under its Right of Access Initiative.  Bayfront Health St. Petersburg, a 480-bed hospital in Florida (“Bayfront”), was fined $85,000 and is subject to a corrective action plan following its failure to provide a mother with timely access to her unborn child’s medical records. 
The enforcement action was spurred by the mother’s complaint to OCR, stating that she requested from Bayfront the medical records of her unborn child and had not received them.  OCR’s investigation found that Bayfront failed to provide the mother with access to the requested PHI.  In addition to the financial penalty, Bayfront is required to develop or revise access policies and procedures that comply with the HIPAA requirements and train workforce members and applicable business associates on these policies and procedures.
OCR’s Right of Access Initiative, announced earlier this year, is intended to “vigorously enforce” patients’ rights to receive copies of their medical records in a prompt manner without being overcharged for the records.  The right of access is a fundamental patient right under the HIPAA Privacy Rule, and OCR has expressed concern that health care providers were failing to provide timely patient access and were overcharging patients for copies of their records.  Health care providers, and any business associates tasked with assisting with the provision of access to records, must ensure that they are following the requirements of the HIPAA Privacy Rule with respect to the provision of access.  A health care provider must provide patient access within 30 days of a request unless it has a reason to deny the request that is permissible under the Privacy Rule or unless it has a valid reason to extend its response time by no more than 30 days.  The provider is limited to charge only a reasonable, cost-based fee for the records.  Applicable state law may specify precise amounts or place additional limitations on what a provider may charge a patient.

SAMHSA announces proposed revisions to Part 2 confidentiality requirements

This post is adapted from an Alert posted August 28, 2019 and was co-authored by Jacalyn Smith.

On August 26, 2019, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rule Making (NPRM) outlining revisions to the Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations. The proposed rule in part reflects SAMHSA‘s efforts to facilitate and enhance coordination of care for substance use disorders (SUD) while still maintaining Part 2 confidentiality protections.

SAMHSA has also issued another proposed rulemaking specifically to provide clarification that a court may authorize disclosure of confidential communications when the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime, even if the extremely serious crime was not allegedly committed by the patient as previously provided by the 2017 Final Rule (82 FR 052).

The following analysis presents an overview of the key proposed changes to Part 2 and the implications for Part 2 programs as well as non-Part 2 providers.

Applicability and re-disclosure

Within the NPRM, SAMHSA seeks to clarify the confidentiality and restrictions on re-disclosure of SUD-related information collected by Part 2 programs and non-Part 2 providers. SAMHSA clarifies that a non-Part 2 provider’s inclusion of SUD information in such provider’s records does not subject that record to Part 2, even in cases where the SUD information may have originated from a discussion with a Part 2 provider or from the non-Part 2 provider’s review of the Part 2 record. The NPRM specifically states: “the intent of these proposed clarifications is to better facilitate coordination of care between non-Part 2 providers and Part 2 programs, and to resolve lingering confusion among non-Part 2 providers about when and how they can capture SUD patient care information in their own records, without fear of those records being subject to the confidentiality requirements of Part 2.” SAMHSA also seeks to clarify that the Part 2 restrictions on re-disclosure apply to the Part 2 record and not the SUD information that may be learned from such record and then incorporated by the non-Part 2 provider in her records generated during the course of treating the individual. The NPRM states: “the intent is to allow a non-Part 2 provider to receive SUD information about a patient from a Part 2 program, and then to engage in a treatment discussion with that patient, informed by that information, and then be able to create her own treatment records including SUD content, without the latter becoming covered by Part 2.”

SAMHSA also recommends that non-Part 2 providers “segregate” or “segment” patient records in order to differentiate information subject to Part 2’s confidentiality requirements and information gathered from a discussion with a Part 2 provider used or learned from the review of the Part 2 record, in conjunction with information learned or confirmed by the non-Part 2 provider in the course of treating a patient. The NPRM proposes to add a new subsection (d)(2)(ii) to § 2.12 to read: “Notwithstanding paragraph (2)(i)(C) of this section, a non-Part 2 treating provider may record information about a substance use disorder (SUD) and its treatment that identifies a patient. This is permitted and does not constitute a record that has been re-disclosed under Part 2, provided that any SUD records received from a Part 2 program or other lawful holder are segregated or segmented. The act of recording information about a SUD and its treatment does not by itself render a medical record which is created by a non-Part 2 treating provider subject to the restrictions of this Part 2.”

Consent requirements

The 2017 final rule (82 FR 052) for Part 2 made several changes to the consent requirements for disclosure of protected information in Part 2 records including amending the written consent requirements regarding identification of the individuals and entities to whom disclosures of protected information may be made. This change allowed the use of a general designation in the “to whom” section of the consent requirement to individuals or entities with a treating provider relationship to the disclosing patient. With limited exceptions, disclosures of protected information to other entities or individuals without a treating provider relationship still required providing a specific individual name who would receive the protected information. SAMHSA noted that this amendment led to patients with SUDs having difficulty authorizing the disclosure of their protected information to third parties for non-treatment purposes, such as trying to obtain social security benefits or obtaining housing in a local sober living or a halfway house program (e.g., if the patient did not have a specific individual name at a halfway house).

SAMHSA now proposes to allow patients to authorize the disclosure of their protected information to organizations that do not have a treating provider relationship with the patient without the need to identify a specific individual who will receive the information. For example, if a patient wants a Part 2 program to disclose certain information to the Social Security Administration for benefit purposes, under the proposed rule the patient would only need to identify the agency in the “to whom” section of the consent form.

Notably, however, SAMHSA proposes to maintain the treatment provider relationship requirement if a recipient entity is an entity that facilitates the exchange of health information or a research institution in order to ensure that only entities with the need to know the protected information from Part 2 records receive it.

Disclosures permitted with written consent

In the 2018 final rule (83 FR 239) for Part 2, SAMHSA determined that disclosures by lawful holders to contractors, subcontractors, and legal representatives for the purpose of payment and health care operations activities are permitted with written consent. While SAMHSA included a list of possible payment and health care operations activities in the preamble, it previously decided not to include such a list in the Part 2 regulations themselves. Thereafter, stakeholders expressed confusion as to whether information from Part 2 records could be disclosed for certain activities if those activities were not explicitly identified in the regulatory text. SAMHSA now proposes to list the payment and health care operations activities (e.g., billing, underwriting, third-party liability coverage) from the 2018 final rule preamble in the Part 2 regulations, while noting that the list is intended to be illustrative rather than exhaustive. SAMHSA also reiterated the point made in the 2018 final rule that disclosure for payment and health care operations is not intended to cover care coordination or case management (unlike HIPAA, which includes such activities under “health care operations”).

Disclosures to central registries and PDMPs

SAMHSA proposes to allow providers that are not opioid treatment programs (non-OTP providers) and that have a treating relationship with a patient to query the central registries (organizations that obtain information from withdrawal management or maintenance treatment programs) about that patient. SAMHSA recognizes that, given the opioid epidemic, providers who work with patients with SUDs need access to the information held in central registries, both to prevent duplicate patient enrollment in opioid use disorder (OUD) treatment and to help non-OTP providers make informed decisions about appropriate treatments.

With regard to prescription drug monitoring programs (PDMPs), previous SAMHSA guidance informed OTP providers that they could not disclose patient identifying information to a PDMP unless an exception applied. SAMHSA has now determined that, in light of the opioid crisis, the absence of OTP data from PDMPs can result in significant adverse events, because patients may receive duplicate or contraindicated prescriptions outside of those provided by the OTP provider. Therefore, SAMHSA proposes to allow OTP providers and other lawful holders to report OTP prescription data to their respective state PDMPs. Part 2 providers would still be required to obtain written consent from the patient whose identifying information would be disclosed before submitting it to the PDMP.
SAMHSA also recommended changes to how research institutions access patient identifying information in SUD-related studies. Under Section 2.52, Part 2 providers may only disclose a patient’s identifying information without patient consent if the research is conducted by a HIPAA covered entity or its business associate that (1) has obtained authorization from the patient, (2) holds a waiver or other authorization that is consistent with the HIPAA Privacy Rule, or (3) is subject to the HHS regulations regarding the protection of human subjects under the Common Rule. As the number of patients receiving treatment for SUD and OUD continues to rise, SAMHSA found that limiting access to specific research institutions ultimately restricts the advancement of treatment.

Under the proposed rule, SAMHSA would modify Section 2.52 to allow Part 2 data to be disclosed to three types of research entities. First, patient identifying information may be disclosed to a HIPAA covered entity or a business associate that is neither a HIPAA covered entity nor subject to the Common Rule, as long as any such data will be disclosed in accordance with the HIPAA Privacy Rule. Second, SAMHSA would allow research disclosures to members of the workforce of HIPAA covered entities for employer-sponsored research, provided that all research activities meet the requirements of the Privacy Rule and/or the Common Rule. Last, patient identifying information may be disclosed to entities governed by the Food and Drug Administration’s regulations for the protection of human subjects in clinical investigations.

Audit and evaluation

To address perceived confusion as to permissible disclosures for audits and evaluations, as well as to align the Part 2 regulations with those governing quality improvement organizations, SAMHSA proposes rule updates regarding disclosures for audits and evaluations. Acknowledging that the Part 2 regulations do not define audits and evaluations, SAMHSA clarifies that these concepts are not limited to reviews that analyze the performance of individual Part 2 programs. Audits or evaluations may be tools to determine if changes need to be made at an agency or payor level. In the NPRM, SAMHSA encourages Part 2 programs to disclose de-identified information, but acknowledges that this may not always be feasible or economical. The NPRM specifies that Part 2 programs may disclose records to government agencies and third-party payors for audit and evaluation purposes, including for identifying actions necessary to improve treatment and outcomes for Part 2 patients, and that records may be disclosed to government agencies and their contractors for audits or evaluations mandated by law. It also clarifies that an auditor may be a party that has administrative control over the Part 2 program with respect to audits and evaluations of the program.

Undercover agents and informants

To combat any illicit sale or transfer of drugs by medical personnel, the Part 2 regulations currently permit the placement of undercover agents and informants within Part 2 programs, limited to a period of six months. Following input from the U.S. Department of Justice, SAMHSA believes that this six-month cap is overly restrictive, as investigations can last for longer periods. The NPRM proposes allowing court-ordered placement of an undercover agent or informant within a Part 2 program for a period of up to 12 months starting from the date that the agent is placed in the program, or the date the informant is identified. Courts may further extend the period of placement through a new court order.

Public comments

For the NPRM for all but the proposed change addressed below, stakeholders will have until October 25, 2019, to submit their comments. For the NPRM regarding clarification for when courts may authorize disclosure of confidential communications, stakeholders will have until September 25, 2019, to submit their comments.

OCR releases new set of FAQs to address health plans’ use of PHI for care coordination and continuity of care

On June 26, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) released a new FAQ document to address how the HIPAA Privacy Rule allows health plans to share PHI in certain circumstances.

The first FAQ addresses care coordination and care management disclosures between two health plans. OCR emphasized that both these activities are included in the definition of health care operations as provided by the HIPAA Privacy Rule. Disclosures for health care operations purposes must be based on the two entities having a relationship with the individual who is the subject of the requested PHI and the PHI pertains to that relationship. Therefore, OCR noted the Privacy Rule permits one health plan to share PHI about an individual in common with a second health plan for care coordination purposes without the individual’s authorization. In terms of an individual switching health plans, OCR provided that the Privacy Rule would also allow an individual’s previous health plan to disclose PHI to the new health plan without the individual’s authorization as well.

The second FAQ addresses health plans using and disclosing PHI to inform individuals about other available health plans that it offers without the individual’s authorization. Generally, health plans are prohibited from using or disclosing PHI for marketing purposes without an individual’s authorization. There are, however, certain exceptions to the marketing authorization requirement and also there are specific activities that are not included in the definition of marketing. OCR provided that one exclusion from the definition of marketing is for communications to individuals regarding replacements to, or enhancements of, existing health plans so long as the health plan is not receiving financial remuneration for the communications. To demonstrate this exclusion, OCR provided that when a “Plan A” discloses PHI about an individual to “Plan B,” which is a separate covered entity, Plan B is allowed to send communications to the individual regarding Plan B’s health plan options to replace the individual’s current plan (e.g., discussion of Medicare plans when reaching age of eligibility) so long as there is no remuneration received by Plan B for sending this communication to the individual and such disclosure complies with any applicable business associate agreement(s).

The OCR FAQ document can be found here.

Failure to conduct risk analysis leads to OCR penalties for business associate

On May 23, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that Medical Informatics Engineering, Inc. (MIE) had agreed to pay $100,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy and Security Rules.

MIE provides software and electronic medical record services to health care providers. On May 26, 2015, MIE found suspicious activity on one of its servers and, upon further examination, determined that unauthorized access to its network had begun on May 7, 2015, and had led to hackers accessing the electronic PHI (ePHI) of approximately 3.5 million people. The access was based on a compromised user ID and password.

On July 23, 2015, MIE filed a breach report to OCR and OCR’s investigation determined in part that MIE did not conduct a comprehensive risk analysis, as required by the HIPAA Security Rule, prior to the breach by the hackers. OCR Director Roger Severino stated “[e]ntities with medical records must be on guard against hackers” and “[t]he failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

MIE’s corrective action plan requires MIE, in part, to develop a complete inventory of all of its facilities, categories of electronic equipment, data systems, and applications that create, receive, transmit, or maintain ePHI, and then to conduct a risk analysis that evaluates the risks to the ePHI on that inventory.

Interestingly, the day after its MIE settlement press release, OCR issued a further press release announcing a new fact sheet that lists all of the HIPAA provisions under which a business associate can be held directly liable for HIPAA compliance.

OCR’s press release about this settlement can be found here and OCR’s press release about the new fact sheet for business associates can be found here.

OCR revises HIPAA annual penalty limits to address culpability

In April 2019, the Department of Health and Human Services Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties (the Notification). OCR published the Notification to alert the public that OCR is exercising its discretion in assessing Civil Money Penalties under HIPAA as amended by the HITECH Act.  

In February 2009, the HITECH Act established four categories for HIPAA violations with increasing penalty tiers based on the level of culpability. It also amended HIPAA by eliminating the prohibition on the penalties for a covered entity if it did not know and with reasonable diligence would not have known of a HIPAA violation. The four categories for HIPAA violations became the following:

  • No Knowledge: The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision
  • Reasonable Cause: The violation was due to reasonable cause, and not willful neglect
  • Willful Neglect - Corrected: The violation was due to willful neglect that is timely corrected
  • Willful Neglect - Not Corrected: The violation was due to willful neglect that is not timely corrected

While the HITECH Act applied four different annual penalty limits (ranging from $25,000 to $1,500,000) based on the level of culpability, in the Interim Final Rule to implement the enhanced penalty provisions of the HITECH Act, OCR applied the highest annual cap of $1.5 million to all violations regardless of the level of culpability (see first table below). OCR provided that applying the highest annual limit for all levels of culpability was “the most logical reading” of the HITECH Act since this was “consistent with Congress’ intent to strengthen enforcement.”


                                  Minimum Penalty/Violation   Maximum Penalty/Violation   Annual Limit
No Knowledge
Reasonable Cause
Willful Neglect - Corrected
Willful Neglect - Not Corrected


However, the Notification provides that upon further review OCR has concluded that a “better reading of the HITECH Act” is to apply annual limits based on the level of culpability (see second table below).


                                  Minimum Penalty/Violation   Maximum Penalty/Violation   Annual Limit
No Knowledge
Reasonable Cause
Willful Neglect - Corrected
Willful Neglect - Not Corrected

OCR will use the above penalty tier structure, as adjusted for inflation, until further notice and plans to have future rulemaking to modify the penalty tiers in the current regulation “to better reflect the text of the HITECH Act.”

Given the significant decrease of the annual limits for all but one category for HIPAA violations, covered entities and business associates may welcome OCR’s revised reading of the HITECH Act. This change in the annual limits may be especially welcomed since OCR under the previous penalty tiers collected $28.7 million from settlements and cases in 2018 (see February 27, 2019 NP Privacy Partner Blog Post).

Three million dollar settlement emphasizes the importance of a robust HIPAA compliance program

On May 6, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Touchstone Medical Imaging (Touchstone), a diagnostic medical imaging services provider, requiring a three million dollar financial settlement and a two-year Corrective Action Plan.
There are a number of lessons that HIPAA covered entities and business associates can glean from the Touchstone enforcement action, a notable one being that an entity should promptly and thoroughly investigate any security incident or potential data breach. Both OCR and the Federal Bureau of Investigation (FBI) notified Touchstone that one of its FTP servers was allowing uncontrolled access to patients’ protected health information (PHI). After initially denying the exposure, Touchstone eventually reported a breach of more than 300,000 social security numbers and other PHI. OCR found that both Touchstone’s investigation of the incident, as well as its notification, were not handled in a timely manner.
In investigating Touchstone, OCR also found that the entity did not conduct an accurate and thorough risk analysis—a key enforcement priority of OCR in recent years. As part of its Corrective Action Plan, Touchstone is required to conduct an enterprise-wide risk analysis, including creating an inventory of all of its equipment, systems, applications and off-site storage facilities that contain PHI. This is a key element for any organization in order to decide what systems and processes best secure PHI and other sensitive data.
In addition, OCR detailed that Touchstone failed to execute business associate agreements with its vendors, including its information technology vendors, prior to the disclosure of PHI. Similar to prior settlements, the Touchstone settlement emphasizes the importance of understanding which vendors will receive or have access to an organization’s PHI and having the parties involved execute a business associate agreement at the outset of the arrangement.

OCR releases new set of FAQs to address transmission of ePHI to apps

On April 18, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) released new FAQs relating to HIPAA right of access to ePHI. Specifically, the FAQs address applications or other software (collectively “apps”) designated by patients to receive ePHI from a covered entity’s EHR (electronic health record) system. The FAQs discuss liability for transmission of ePHI and the apps’ subsequent use or disclosure of health information, business associate relationships and agreements with apps, and whether a covered entity may refuse to disclose ePHI to an app.

OCR emphasized that once ePHI is disclosed to an app, as directed by a patient, a covered entity will not be liable under HIPAA for uses or disclosures of ePHI by the app so long as the app is not a business associate of the covered entity. A business associate relationship will not exist when the app was not developed for, or provided by or on behalf of, the covered entity. Accordingly, OCR noted that an app’s access to a patient’s ePHI at the patient’s request alone would not trigger a business associate relationship or require a business associate agreement to be put in place for the transmission of ePHI from a covered entity.

OCR provided there would be a business associate relationship between a covered entity and an app developer when the app is one a covered health care provider uses to provide services to individuals involving ePHI. In that case, OCR noted the covered health care provider may be liable under the HIPAA Rules if the covered entity’s patient selects that app and that app impermissibly discloses the ePHI it receives.

OCR also provided that, under the individual’s right of access to their ePHI, a patient may ask a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. For example, a patient could request that a covered entity transmit their unencrypted ePHI to an app as a matter of convenience. OCR noted that the covered entity would not be responsible for unauthorized access to the patient’s ePHI while it is being transmitted to the app. However, OCR recommended that covered entities notify patients of the potential risks of unsecure transmission of ePHI, at least the first time the patient makes such a request.

Also based on an individual’s right of access to their ePHI, OCR stated that a covered entity may not refuse to disclose ePHI to an app chosen by an individual solely because of concerns about how the app will use or disclose the patient’s ePHI. Examples of impermissible refusals provided by OCR included denying disclosure to an app because the app will share the patient’s ePHI for research purposes or because the app does not encrypt the patient’s data when at rest.

OCR FAQs can be found here.


This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP