Apr 302019

OCR Reduces HIPAA Penalties and Clarifies Liability for Transferring ePHI to Third-Party Health Apps

Rina Mady, Kate Heinzelman, Britney Alexandrea Garr and Meenakshi Datta
, , , ,

New Annual HIPAA Penalty Tiers

Six months after imposing the largest ever HIPAA fine ($16 million) following a HIPAA data breach, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) has announced that it is exercising its enforcement discretion to lower maximum annual HIPAA penalties.

Under the 2009 HITECH Act, Congress established four categories of HIPAA violations with increasing levels of culpability.  The four tiers are where:

(1) the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;

(2) the violation was due to reasonable cause, and not willful neglect;

(3) the violation was due to willful neglect that is timely corrected; and

(4) the violation was due to willful neglect that is not timely corrected.

OCR guidance issued last week changed the Department’s historical position that the maximum penalty for violations of an identical HIPAA provision for each of the four types of violations is $1.5 million per year.  While OCR retains the $50,000 maximum per-violation penalty across all tiers, its new guidance adopts graduated annual limitations for violations of the same requirement, which lower the annual limitations for all but the most serious violations.  Under the Department’s new guidance, “no knowledge” violations may result in an annual penalty of up to $25,000, “reasonable cause” up to $100,000, willful neglect that is corrected up to $250,000, and willful neglect that is not corrected up to $1.5 million.

Guidance on Mobile Apps Chosen by Patients

OCR Frequently Asked Questions (“FAQ”) released earlier this month clarify the circumstances in which covered entities (e.g., healthcare providers) will and will not be held liable for third-party applications’ (“apps’”) uses and disclosures of protected health information (“PHI”).  see also Additional HHS Guidance, https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/index.html

The FAQs clarify that whether a covered entity bears liability for an app’s use or disclosure of PHI depends on whether the app is chosen by the patient, and whether the PHI was provided to an app developed by, or provided by or on behalf of, the covered entity.  If the app is chosen by the individual to receive his or her PHI, and the app is not provided by or on behalf of the covered entity, the covered entity is not liable for subsequent use or disclosure of the requested PHI by the app.  Conversely, if the app is developed for, or provided by or on behalf of, the covered entity, the covered entity may be liable for disclosures or uses of the ePHI by the app.  HHS further explains that, if a provider uses an application programming interface (“API”) to connect to an app designated by a patient, the API must comply with applicable HIPAA requirements.  An additional FAQ explains that covered entities generally may not refuse to disclose ePHI to a third-party app of the patient’s choosing and underscores that the HIPAA does not govern how such apps can use information that has been disclosed to them pursuant to patients’ exercise of their rights to access their own PHI.

Rina Mady

Chicago

rmady@sidley.com

Kate Heinzelman

kheinzelman@sidley.com

Britney Alexandrea Garr

balexandreagarr@sidley.com

Meenakshi Datta

Chicago

mdatta@sidley.com

You might also like
Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

FemTech Has Been Warned: UK’s ICO Indicates Closer Scrutinization of FemTech Apps

On 4 April 2023, John Edwards, the UK’s Information Commissioner, stated that the UK’s Information Commissioner’s Office (ICO) would be “going after providers of women’s health apps and auditing them, and getting them to change any practices that are non-compliant.” Speaking at the IAPP Global Privacy Summit in Washington DC, the Information Commissioner indicated that this proposed strategy forms part of the ICO’s new “agile” initiative, which will focus on “areas of vulnerability, targeting…intervention [where] that has the greatest impact”.

New U.S. FDA Draft Guidance Outlines Path To Faster Modification of AI/ML-Enabled Devices

The U.S. Food and Drug Administration (FDA or Agency) has issued new draft guidance on “Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions”1 that discusses a “science-based approach to ensuring that AI/ML-enabled devices can be safely, effectively, and rapidly modified, updated, and improved in response to new data.”2 This approach should offer more certainty to industry as FDA’s stated goal is to allow AI/ML-enabled devices to be modified faster in accordance with FDA requirements while being “built to adapt to the data and needs of individual health care facilities” and “adapt to deliver treatments according to individual users’ particular characteristics and needs.”3 Those wishing to comment on the draft guidance should note that the comment period closes on July 3, 2023.