Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?
No.
The HIPAA Privacy Rule generally prohibits a covered entity from
refusing to disclose ePHI to a third-party app designated by the
individual if the ePHI is readily producible in the form and format used
by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA
Rules do not impose any restrictions on how an individual or the
individual’s designee, such as an app, may use the health information
that has been disclosed pursuant to the individual’s right of access.
For instance, a covered entity is not permitted to deny an individual’s
right of access to their ePHI where the individual directs the
information to a third-party app because the app will share the
individual’s ePHI for research or because the app does not encrypt the
individual’s data when at rest. In addition, as discussed in a separate FAQ, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.