On February 25, 2016, the U.S. Department of Health & Human Services Office of Civil Rights (“OCR”) issued new guidance in the form of FAQs, reaffirming patients’ rights to direct their personal health care data to third parties.  The guidance is good news for medical researchers, mobile health app developers, and others in the industry trying to harness the power of “big data” and personalized care.

While HIPAA has always permitted patients to share their own protected health information, the FAQs are aimed at health care providers, hospitals, and plans that are directly subject to HIPAA’s restrictions and requirements (also known as “covered entities”) and that are often, and understandably, hesitant to send health information to a third party.  Covered entities are required to send protected health information to a third party upon the individual’s written request; electronic copies of signed requests or electronically executed requests are sufficient under HIPAA.  The FAQs confirm that covered entities are not liable for what happens to the individually directed information once it is in the hands of the third party, eliminating a concern that is a frequent obstacle to accessing health information.

These new FAQs emphasize the importance of developing “seamless communication” in a “health care ecosystem of the future,” where patients are engaged and empowered in their care.  Nevertheless, covered entities must still be vigilant in protecting health information in their possession and obtaining assurances from business associates that information is protected.  Covered entities are encouraged to establish procedures to respond to requests to forward data to third parties.  Third parties will also benefit from developing a readily available individual written request form for data that complies with HIPAA’s requirements.

The FAQs, including answers to questions regarding the patient’s “Right to Have PHI Sent Directly to a Designated Third Party,” are available here.