US Pharm. 2019;44(9):10-12.

The Health Insurance Portability and Accountability Act (HIPAA) generally allows a patient to obtain a copy of the patient’s own protected health information (PHI) that is maintained in a designated record set. A pharmacy receiving a request for PHI must respond within 30 days and may require the patient to make the request in writing as long as the pharmacy informs the individual of the requirement. Subject to certain identified exceptions, the pharmacy must provide the individual with access to the PHI in the requested form and format if it is readily producible, or if not, in a readable hard-copy form or other form and format as agreed by the pharmacy and the patient. The patient also may direct the pharmacy to transmit the copy of PHI directly to another person designated by the patient.1

Requests for PHI Received via a Mobile App

A request by a patient or the patient’s representative for electronic PHI to be received through a mobile application raises certain additional issues related to the patient’s access to such information. These issues were addressed recently in a series of frequently asked questions published by U.S. Department of Health and Human Services.

A pharmacy may not refuse to disclose electronic PHI to an app chosen by a patient solely because of concerns about how the app will use or disclose the electronic PHI it receives. A pharmacy also may not refuse to disclose electronic PHI to a third-party app designated by the patient if the electronic PHI is readily producible in the form and format used by the app. The HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) do not limit how a patient or the patient’s designee, through an app, may use the PHI. For instance, the pharmacy may not deny an individual’s right of access to the patient’s own electronic PHI through a third-party app because the app does not encrypt the individual’s data when at rest.2

Requests for PHI Through Third-Party Apps

A patient may request a pharmacy to send the patient’s electronic PHI to a third-party app in an unsecure manner or through an unsecure channel. In those circumstances, the pharmacy would generally not be responsible under HIPAA for unauthorized access to the patient’s electronic PHI during transmission to the app. The pharmacy, however, may wish to inform the individual of the potential risks involved the first time the individual makes the request.3

When PHI is received from a pharmacy at the patient’s direction through a mobile app operated by a third party that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules. If the app chosen by an individual to receive the individual’s requested electronic PHI was not provided by or on behalf of the pharmacy, the pharmacy would not be liable under HIPAA Rules for any subsequent use or disclosure of the requested electronic PHI by the app. For example, the pharmacy would have no HIPAA responsibilities or liability if such an app that the individual designated to receive electronic PHI later experiences a breach. However, if the app was developed for, or provided by or on behalf of the pharmacy, the pharmacy could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business relationship between the pharmacy and the app developer. In those circumstances, the pharmacy may be subject to liability under HIPAA Rules if the app impermissibly discloses the electronic PHI received.4

Mobile Apps Provided by a Pharmacy

A request by a patient to access the patient’s electronic PHI through a mobile app raises a question as to whether a business agreement is required between the pharmacy and its pharmacy practice platform provider or electronic health record (EHR) system provider. A business associate is a person or entity that creates, receives, maintains, or transmits PHI on behalf of or for the benefit of the pharmacy, directly or through another business associate, to carry out covered functions or activities of the pharmacy.5

In certain circumstances, a pharmacy may make a mobile app available to its patients so they may access their own PHI. If the app is developed to create, receive, maintain, or transmit electronic PHI on behalf of the pharmacy, or was provided by or for the pharmacy directly or through its EHR system provider acting as the pharmacy’s business associate, then a business associate agreement is required with the provider. An app’s facilitation of access to the individual’s electronic PHI at the individual’s request alone does not create a business associate relationship.6

EHR System Provider Liability

The potential liability of the pharmacy’s EHR system provider must also be considered. Whether the provider is liable under HIPAA Rules after transmitting electronic PHI via the app on behalf of the pharmacy depends on the relationship, if any, between the pharmacy, the EHR system provider, and the app chosen by the individual to receive the individual’s electronic PHI.

If the EHR system provider does not own the app, or if it owns the app but does not provide the app to or on behalf of the pharmacy, the EHR system provider would generally not be liable under the HIPAA Rules for a subsequent use of disclosure of the electronic PHI received by the app. Thus, if the EHR provider creates the app and makes it available in an app store as part of a different line of business, the provider would not be liable under HIPAA Rules for a subsequent use or disclosure of the requested electronic PHI received by the app.

On the other hand, if the EHR system provider owns the app or has a business associate relationship with the app developer and provides the app to or on behalf of the pharmacy, the EHR system provider could face HIPAA liability for any impermissible uses and disclosures of the health information received through the app. For example, if an EHR system provider contracts with the app developer to create the app on behalf of a pharmacy and the patient later identifies that app to receive electronic PHI, then the EHR system provider could be subject to HIPAA liability if the app impermissibly uses or discloses the electronic PHI.7

The FTC Act

In addition, the pharmacy must consider the potential application of the Federal Trade Commission Act (FTC Act) and state laws related to unfair and deceptive trade practices. Generally, the use and disclosure of PHI by a pharmacy for purposes other than payment, treatment, healthcare operations, and other purposes not permitted under HIPAA implicate the FTC Act and require HIPAA-compliant authorization. Although the requirements for a HIPAA authorization and compliance with the FTC Act are outside the scope of this article, pharmacies should be aware that the FTC Act might be implicated whenever consumer health information is used or disclosed for purposes not allowed under HIPAA.8

As a best practice, a pharmacy may wish to inquire with pharmacy platform providers whether they develop, sell, or license any of the apps independently of the pharmacy. If so, the pharmacy should consider risks to the pharmacy associated with the provider’s mobile apps and whether the provider should indemnify the pharmacy in connection with those risks. The pharmacy also may wish to review the provider’s insurance program to assess whether there is adequate coverage for the risks and to ask whether the pharmacy may be included as an additional insured on such coverages.

The information in this article is general in nature and is not intended to provide legal or other professional advice.

REFERENCES

1. See 45 CFR §§164.524(a)(1), (b)(1) and (2), (c)(2), (c)(3)(ii); U.S. Department of Health and Human Services (HHS) Health Information Privacy FAQ No. 3010 (created April 18, 2019). The PHI must be maintained in a designated record set, and the patient generally may not inspect or copy, (1) psychotherapy notes, (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, or (3) PHI maintained that is: (A) subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law; or (B) exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR §493.3(a)(2). Under 45 CFR §160.103, a pharmacy may be considered a “covered entity” subject to HIPAA if the pharmacy transmits any health information in electronic form in connection with a covered transaction. For purposes of this article, the pharmacy is considered to be a covered entity.
2. HHS Health Information Privacy FAQ No. 3012 (created April 18, 2019).
3. See 45 CFR §§164.524(a)(1), (c)(2)(ii), (c)(3)(ii); HHS Health Information Privacy FAQ No. 3010. A pharmacy must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of PHI from the pharmacy by alternative means or at alternative locations. 45 CFR §§164.522(b)(1)(i). Consequently, HHS has issued guidance that a healthcare provider should accommodate an individual’s request to receive appointment reminders via email and that patients may initiate communications with a provider using email. According to HHS, if this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider believes the patient may not be aware of the possible risks of using unencrypted email or has concerns about potential liability, the provider may alert the patient of those risks and let the patient decide whether to continue email communications. HHS cautions providers to use reasonable safeguards where the providers communicate with patients electronically. Such safeguards include checking an email address for accuracy before sending the message. HHS Health Information Privacy FAQ No. 570 (created December 15, 2008). In addition, a pharmacy should be aware that state law may apply to the electronic PHI provided by or for the pharmacy to the app.
4. HHS Health Information Privacy FAQ No. 3009 (created April 18, 2019).
5. See 45 CFR §160.103.
6. HHS Health Information Privacy FAQ No. 3013 (created April 18, 2019).
7. HHS Health Information Privacy FAQ No. 3011 (created April 18, 2019).
8. See generally 45 CFR §164.508 related to the requirements pertaining to a HIPAA-compliant authorization and HHS, “Sharing Consumer Health Information? Look to HIPAA and the FTC Act” (Oct. 2016).

To comment on this article, contact rdavidson@uspharmacist.com.