
HHS Guidance on HIPAA Compliant Apps and Sharing PHI

With the use of health care apps for both patients and providers becoming more and more prevalent, complying with HIPAA regulation to maintain data privacy and security is key. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance in April of 2019 about HIPAA compliant apps and rules for how and when providers may share data with them.

This is particularly important to telehealth and telebehavioral health providers dealing with patients over digital media. The use of HIPAA compliant apps and understanding data sharing rules is absolutely essential to protecting sensitive information regarding treatment.

This guidance comes in the form of an FAQ document. HHS OCR issues new guidance to clear up discrepancies regarding the use and disclosure of protected health information (PHI). PHI is any demographic information that can be used to identify a patient, including name, address, date of birth, Social Security number, medical records, and full facial photos, to name a few.

The recent guidance on HIPAA compliant apps and data sharing states that:

  • Because patients have the right to access their own PHI, telehealth providers may send that PHI to third-party apps at the patient’s request. Even if a provider is wary about the privacy or security vulnerabilities of an app, they should still adhere to their patients’ requests.
  • Telehealth providers will not be held liable under HIPAA if an app misuses patient data, so long as the data was transmitted at the patient’s request. This does not extend to any apps that are provided or used by the providers themselves.
  • Telehealth providers will not be held liable under HIPAA if they transmit PHI over an unsecured medium, so long as the data was transmitted at the patient’s request. However, the HIPAA guidance does state that providers should educate patients about the potential risks of sending PHI over unsecured mediums, such as unencrypted email.

This HIPAA compliant app health information guidance should give providers a clearer understanding of their liability when it comes to patient requests to share data with third-party apps. It should be noted again that this guidance only applies in instances when the patient has requested that their PHI be transmitted to an app and not in instances when a provider has chosen to use an app over the course of a patient’s treatment.

To read the full HIPAA compliant app guidance, click here.
