May 10, 2019

OCR deploys “Relationship Test” for Third-Party AI and Apps to Determine HIPAA Liability


In a world of exponential growth of AI and healthcare apps (including mobile healthcare (mHealth) apps) and the associated data security risks, the Office for Civil Rights (OCR), through certain FAQs available here, has released guidance for HIPAA covered entities (i.e. health plans, healthcare providers and healthcare clearinghouses) and electronic health record (EHR) developers on how to respond to an individual’s request to transmit electronic protected health information (ePHI) to a third-party application or software (an app). In the guidance, OCR clarifies the obligations of covered entities in such circumstances and expounds on the liability implications for them. This inquiry into a covered entity’s obligations and underlying liability is significant because the covered entity is required not only to ensure that its business associates (and their sub-business associates) comply with applicable HIPAA obligations, but also to ascertain for itself whether it owes any data breach notification obligations to an individual when it acts on that individual’s request.

As per the OCR FAQs, the determination of liability largely depends on the relationship between the covered entity and the app that receives ePHI upon an individual’s request. If the app is used by the covered entity to render services to the individual, then the covered entity may be subject to liability under the HIPAA rules if the app impermissibly discloses the ePHI it receives. However, if the app chosen by the individual is not provided by or on behalf of the covered entity (i.e. for purposes of HIPAA, the app developer does not create, receive, maintain, or transmit ePHI on behalf of the covered entity), then the covered entity bears no liability for any impermissible disclosure once the ePHI reaches the app.

A similar “relationship test” is to be applied when a covered entity’s EHR system developer transmits ePHI to the app on behalf of the covered entity. The questions to be determined in such circumstances are whether the EHR system developer owns the app and, if it does, whether it provides the app to, through, or on behalf of the covered entity, or whether it instead created the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity). If the EHR system developer owns the app and provides it to, through, or on behalf of the covered entity (directly or through another business associate), then the EHR developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses or disclosures of the health information received by the app.

The underlying question from the HIPAA standpoint usually revolves around whether a business associate agreement must be executed between the covered entity (or its EHR developer) and the developer of the app designated by the individual. Where an app obtains access to ePHI upon an individual’s request, and the app was not developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, and was not provided by or on behalf of the covered entity (directly or through its EHR system developer acting as the covered entity’s business associate), no business associate agreement is required.

OCR also clarifies what a covered entity should do if it determines that an individual’s request to send ePHI to an app would result in transmission in an unsecured manner or over an unsecure channel. Pursuant to the “individual’s right of access” under 45 CFR 164.524, OCR confirms that an individual may request that their unencrypted PHI be transmitted as a matter of convenience. It is important to note that while covered entities generally must safeguard information in transit and are responsible for impermissible disclosures of PHI that occur in transit, OCR provides one exception under FAQ 2039, which deals with transmission in an unsecured manner or via unencrypted email (as described earlier in this paragraph). Therefore, in such circumstances, a covered entity would not be held responsible for unauthorized access to the individual’s ePHI while in transit, provided that the covered entity notified the individual about the risks associated with such unsecure transmission the first time such a request was received from the individual and the individual accepted those security risks.

While OCR recognizes that a covered entity may have concerns about how an app uses or discloses the ePHI it receives, OCR has clarified that under the HIPAA Privacy Rule (see 45 CFR 164.524) the covered entity cannot refuse to disclose ePHI to an app chosen by an individual because of such concerns. It further states that a covered entity is generally not prohibited from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app.

Covered entities should also be mindful of their obligations under FAQ 2039 when complying with an individual’s request to send his or her information to an app. As per FAQ 2039, the covered entity is required to implement reasonable safeguards in carrying out the individual’s request, such as taking reasonable steps to verify the identity of the individual making the access request and to enter the correct information into the covered entity’s system; however, the covered entity’s obligation does not extend to verifying the email address of the app as provided by the individual.

Therefore, a clear determination of the relationship between the various parties (i.e. covered entity, EHR system developer and app developer) under HIPAA is a threshold matter that must be addressed before the entities enter into any kind of commercial arrangement involving PHI. As a practical matter, the parties should bear in mind the following:

  1. Establish and document the relationship between the covered entity (or the EHR developer) and the app developer.
    • Some of the pertinent questions a covered entity may consider are: Who directs the access to and control of the ePHI? Does the third-party app require access to ePHI in order to provide services to the individual on behalf of the covered entity? Who pays for the third-party app’s services? Is the contractual arrangement a mere facilitation of access to ePHI (i.e. an interoperability agreement) at the individual’s request, or something more?
    • If the app developer is engaged via the covered entity’s EHR developer, then it is advisable for the covered entity to require the EHR developer to seek its prior consent before the EHR developer enters into any subcontracting relationship involving PHI.
  2. If the third-party app developer is not a business associate of the covered entity, then the covered entity should clearly notify the individual of the risks, if any, associated with the transmission to the third-party app (including transmission through unsecure channels or in an unsecure manner), and it is advisable to seek a written authorization from the individual for such transmission.
  3. Third-party app developers should check the mobile health apps interactive tool available on the Federal Trade Commission’s website to assess whether HIPAA and other laws apply to their app.