On April 19, 2019, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released a set of frequently asked questions (FAQs) pertaining to HIPAA right of access third-party apps. HHS’s release states:
“The FAQs address the Health Insurance Portability and Accountability Act (HIPAA) right of access as it relates to apps designated by individual patients and application programming interfaces (APIs) used by a healthcare provider’s electronic health record (EHR) system. The FAQs clarify that once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.”
The Health Information Technology FAQs are accessible at: https://www.hhs.gov/hipaa/for-professionals/faq/health-information-technology/index.html.