Navigating the Line Between Data Access and HIPAA

By Devin Partida, Editor-in-Chief, ReHack.com
Twitter: @rehackmagazine

The rise of internet-based health apps has made it easier than ever for patients to use their smartphones to share medical data with providers, receive test results digitally, and more. However, some concerned parties point out that the increased data access may not always align with the Health Insurance Portability and Accountability Act (HIPAA).

COVID-19 Vaccine-Scheduling Apps Will Not Constitute Violations

In February 2021, officials from the U.S. Department of Health and Human Services (HHS) announced that entities covered under HIPAA could use vaccine-scheduling apps to help people get COVID-19 vaccinations during the health crisis, even if those tools were not fully HIPAA-compliant.

However, the apps cannot connect directly to a patient’s electronic health record (EHR). This situation shows that officials may be more lenient about enforcing HIPAA, but only when such leniency helps people learn how to get protected from COVID-19.

Officials Clarify Record Requests Under HIPAA

HIPAA also contains rules that allow patients to request certain types of protected health information (PHI) from entities covered under the privacy framework. However, recently published guidance describes scenarios in which an information holder places unreasonable demands on the person making the request.

For example, a physician cannot require that a person must use a web-based portal to ask for records. That’s because some people may not have internet access.

However, despite that aspect of HIPAA, a study found that 20% of providers were completely non-compliant with HIPAA or only provided patient records after supervisory involvement. A more positive outcome was that 74% of the 3,400 health care entities provided patients with hassle-free access to their records or went beyond what HIPAA requires.

HIPAA Rules Don’t Apply to Some Health Apps

An ever-growing assortment of health apps removes many of the barriers that formerly prevented patients from accessing their medical information. For example, people might use an app to retrieve their medical imaging results or to prove to an employer that they tested negative for COVID-19.

HHS recently clarified situations in which entities covered under HIPAA transmit electronic PHI to third-party app providers. The guidance stated that if an app company is neither a covered entity nor a business associate, HIPAA rules do not apply to it.

A 2020 article about the new HIPAA rules gave examples of information that does and does not typically fall under the privacy law. HIPAA would not apply if a patient chose a health app from a marketplace and entered their medical details into it. However, it does come into play for data that a health care provider hires a third-party app company to analyze. In that second case, the app company is a business associate.

Authorized Representatives Can Access a Patient’s Health Data

HIPAA accommodates scenarios where designated representatives can request and receive patient data on behalf of someone else. The American Medical Association (AMA) extensively covered data access under HIPAA in 2020.

One of the situations covered related to authorizing someone else to gather patient information. For example, that might occur when an adult child cares for a parent with dementia or when the content relates to a minor with a legal guardian.

The AMA also recommended that providers go over data access specifics with patients from their first visits onward. Following up with reminders about how and why a person should access their records is a great first step, but such patient engagement should also cover how someone could give another person access to their records.

Health Apps May Come With Risks

Patients, and the individuals who engage with them, should also be aware that some data sharing can occur through apps without consent. A fertility-tracking app called Premom was sued over its alleged data-sharing practices with three companies connected to China.

The suit claims that such actions went directly against the app’s terms of service and privacy policy. Those documents stated that Premom would collect non-identifiable user data, but they explicitly promised the app company would not pass it on to third parties. Additionally, the legal terms associated with Premom said it would ask for user consent before any data sharing occurred. The lawsuit alleges that the outside companies received data from Premom users for three years.

This case highlights why providers should speak to patients about the possible risks of using apps that hold health data. Even if HIPAA doesn’t come into the equation, people may still hand personal information to outside parties without intending to.

Privacy Laws Will Likely Keep Evolving

HIPAA dates back to 1996, and most people would agree that internet usage was drastically different then. HIPAA’s original text could not wholly account for that evolution, which is why periodic updates become necessary. That will likely remain true, especially as health data becomes even more accessible through online platforms.