A patient asks her doctor to send her test results to an app the patient has downloaded on her phone.   The doctor worries that the app is not secure and that the patient might not understand the security risks.  What should the doctor do?

Covered entity health care providers and their business associates likely need to update their HIPAA Access Rights Policies and Procedures to address this scenario.  Rules recently adopted by Office of the National Coordinator (ONC) to implement certain provisions of the 21^st Century Cures Act prioritize patient choice when it comes to requests for electronic health information (EHI).

According to ONC, the information blocking rule:

“[S]trongly encourages providing individuals with information that will assist them in making the best choice for themselves in selecting a third-party application. We believe that allowing actors to provide additional information to individuals about apps will assist individuals as they choose apps to receive their EHI … . Individuals concerned about information privacy and security can gain a better understanding about how the third-party apps are using and storing their EHI, how individuals will be able to exercise any consent options, and more about what individuals are consenting to before they allow the app to receive their EHI.  Practices that purport to educate patients about the privacy and security practices of applications and parties to whom a patient chooses to receive their EHI may be reviewed by OIG or ONC, as applicable, if there was a claim of information blocking. However, we believe it is unlikely these practices would interfere with the access, exchange, and use of EHI if they meet certain criteria.

ONC warns that information provided to the patient about the privacy or security of the app must:

1. Focus on any current privacy and/or security risks posed by the technology or the third-party developer of the technology;
2. Be factually accurate, unbiased, objective, and not unfair or deceptive; and
3. Be provided in a non-discriminatory manner. For example, all third-party apps must be treated the same way in terms of whether or not information is provided to individuals about the privacy and security practices employed.

Ultimately, it is the individual’s decision as to whether to use the app to access health information:

“To be clear, an actor [such as a provider or its business associate] may not prevent an individual from deciding to provide its EHI to a technology developer or app despite any risks noted regarding the app itself or the third party developer.

[View source.]