Stream: patient empowerment
Topic: Right-of-Access applies to 3rd party Apps?
John Moehrke (Feb 25 2020 at 20:41):
Discussion today on the Security WG questions if the Right-of-Access is sufficient to authorize disclosure of HIPAA covered data to a third party. It clearly is sufficient for a patient themselves to download their data, but there is concern that authorizing access to a third-party requires a written authorization. See the notes from today's security wg call https://confluence.hl7.org/pages/viewpage.action?pageId=76159379
Specifically "Request for Individual's Access" vs "Request for 3rd Party's Access".
Seems to me that there is NOT a bright line between downloading and authorizing 3rd party access. How is the user using a browser and desktop/tablet/phone distinctly different than them authorizing an app? Especially when that app is a degenerate app that does nothing but download the content to the desktop/tablet/phone filesystem. How is it different when that app is more involved in synchronizing the data continually (e.g. Apple HealthKit), or where that app is a cloud process, or where that app is a set of researchers utilizing the data in a way consistent with what the patient expected them to do?
Josh Mandel (Feb 25 2020 at 21:16):
Is this a question about current legal requirements in the USA?
John Moehrke (Feb 25 2020 at 21:28):
yes
John Moehrke (Feb 25 2020 at 21:29):
Although the point seems important to set clarity globally. But yes, the current topic is centered around patient right of access vs authorizing access to a 3rd party app.
Josh Mandel (Feb 25 2020 at 23:07):
There seems to be a pretty clear position from the office for civil rights on this in the US (e.g., "Right to Have PHI Sent Directly to a Designated Third Party" section of https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html). The requirements are basically just for electronic signatures. So you can call that a "written authorization," but the SMART on FHIR authorization flow fits the bill.
Dave deBronkart (Feb 26 2020 at 12:11):
You hit the nail on the head, Josh. Thanks.
This is one of a number of clarifications issued by OCR in recent years. Another is that even though plain email is not secure, if the patient wants their data sent that way, the data holder must comply. Bit.ly/HIPAAemail
Dave deBronkart (Feb 26 2020 at 12:13):
@Steve Posnack of ONC (who spoke at Redmond DevDays) may want to add something, or maybe not :-)
John Moehrke (Feb 26 2020 at 13:17):
I agree, and want to bring visibility to this
I think the problem is that the clarification also is contradictory (as read by some)
'''quoted
Individual’s Right to Direct the PHI to Another Person
An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual. The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature. The same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by the individual, apply when an individual directs that the PHI be sent to another person. See 45 CFR 164.524(c)(3).
'''
This says that it MUST be in writing, but the next sentence says it may accept an electronic copy. Specifically, the "in writing" is being read as physical writing, not just using written words on some medium (aka electronic). Where is this clarified?
Last updated: Apr 12 2022 at 19:14 UTC