Q&A: HHS Final Rules, Patient Access to PHI & Health Apps IntersectRachel V. Rose, JD, MBA, presented the webinar “HHS Final Rules, Patient Access to PHI & Health Apps Intersect” recently and a recording can be viewed here. Rachel returned to answer many commonly asked questions from the webinar.

In addition to HL7FHIR capability standards are organizations still required to comply with NIST standards and the HIPAA security rule?

Yes. Health Level Seven (HL7) Fast Healthcare Interoperability Resources (FHIR) is specific to healthcare app development. Importantly, since PHI is involved HIPAA applies. And, NIST compliance is required by the United States Government and its contractors. NIST is also cited in the Omnibus Rule 78 Fed. Reg. 5566 (Jan. 25, 2013).

How is COVID-19 affecting the implementation of these rules?

COVID-19 has extended the effective implementation date. The final rules initially said 6 months from the date of publication in the Federal Register. Now, it is 12 months. Also, there are regulations that will be “off shoots” which were discussed during the presentation with different dates. See https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index.

Can you please expand on API?

Application Programming Interfaces are “a computing interface which defines interactions between multiple software intermediaries. It defines the kinds of calls or requests that can be made, how to make them, the data formats that should be used, the conventions to follow, etc.” A common example is Apple OS.

Is there the potential for False Claims Act liability in relation to the 21st Century Cures Act Final Rules?

Yes. Any entity that completes an attestation and submits it to the government in exchange for payments can be susceptible to liability under the False Claims Act. In the past, the United States Department of Justice either on its own or through a qui tam action brought by a whistleblower, has held companies liable for submitting false and fraudulent claims related to the HITECH Act’s Meaningful Use Program. The U.S. Department of Justice announced on January 27, 2020 that Practice Fusion, a health information technology (IT) vendor, has entered into a civil settlement and deferred prosecution agreement (DPA) worth $145 million that resolves civil investigations led by the U.S. Attorney’s Office for the District of Vermont, the U.S. Attorney’s Office for the Northern District of California, and the Civil Division’s Commercial Litigation Branch of main justice, as well as a criminal investigation led by the U.S. Attorney’s Office for the District of Vermont.

What is a key distinction for covered entities in terms of HIPAA liability related to healthcare apps?

As HHS indicated, in keeping with the Privacy Rule, “the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.” Caution should be taken by providers as the two 21st Century Cures Act Rules are implemented because an unknown app could be a portal for cybercriminals to launch a malware attack. Stay tuned.

Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas) – represents clients on healthcare, cybersecurity, securities and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer’s Top 25. She can be reached at rvrose@rvrose.com.

Be sure to look up a recording of this webinar on YouTube and on our podcast, 1st Talk Compliance. Take a look at our brand-new book: HIPAA Privacy and Security, and our online compliance training courses such as What is HIPAA?, and HIPAA Business Associate Agreements Under HITECH. And check out Rachel’s other blogs Recent HHS Guidance Underscores the Importance of HIPAA Compliance and Q&A: HIPAA and Health Apps.