Patients are seeking to interface the data you collect about them in your practice with their mobile health tracking device – a Fitbit, Apple Watch, or the like. If your practice is fielding these patient requests, you may be questioning your liability related to this information transfer. On April 18, 2019, the Office of the Inspector General released a statement with instructions regarding the liability, while recommending guidance be issued to the patient.
"Under the individual right of access, an individual may request a covered entity to direct their ePHI (electronic protected health information) to a third-party app. In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app. With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request." 1
If you consider such a request outlandish, recognize that the Office of the National Coordinator for Healthcare Information Technology (ONC) issued a proposed rule that makes your practice's participation a requirement. In the press release, the ONC states, “The proposed rule helps ensure that patients can electronically access their electronic health information at no cost.” This is one of many components of fulfilling the interoperability requirement of the 21st Century Cures Act.
The final rule has not yet been issued. In the interim, the ONC has launched a pilot program called "Data at the Point of Care" (DPC) as part of the federal government’s MyHealthEData initiative. The final rule is expected to be released by the end of 2019.
For more information, see the CMS fact sheet here.
1 https://www.hhs.gov/hipaa/for-professionals/faq/3010/what-liability-does-a-covered-entity-face.html
