Health information technology (health IT) involves the exchange of health information in an electronic environment. Widespread use of health IT within the health care industry will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. It is imperative that the privacy and security of electronic health information be ensured as this information is maintained and transmitted electronically.
OCR released frequently asked questions about the HIPAA right of access related to apps designated by the individual and application programming interfaces (APIs) used by the provider’s electronic health record system. The FAQs clarify that once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA covered entity or its business associate will not be liable under the HIPAA Rules for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of the covered entity. The FAQs also clarify that if a provider uses an API to connect to an app designated by an individual, the API should have in place the appropriate privacy and security protections.
HIPAA privacy components of the Privacy and Security Toolkit
The materials below are the HIPAA privacy components of the Privacy and Security Toolkit developed in conjunction with the Office of the National Coordinator. The Privacy and Security Toolkit implements the principles in The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework). These guidance documents discuss how the Privacy Rule can facilitate the electronic exchange of health information.
Learn more about the Privacy and Security Framework and view other documents in the Privacy and Security Toolkit, as well as other health information technology resources.