The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of Health Insurance Portability and Accountability Act (HIPAA) FAQs building upon prior guidance from OCR. The new FAQs discuss the applicability of HIPAA to covered entities and business associates that interact with health apps and explain when HIPAA regulated entities may be held vicariously liable for data breaches experienced by the health app providers.

The new FAQs reiterate that a covered entity will not be liable for a breach of health information if the health app is not provided by or on behalf of the covered entity. Determining an app was developed for, or provided for or on behalf of a HIPAA regulated entity can be difficult given increasingly complicated business structures in the health care industry and the variety of technology solutions available in the market. For example, it is unclear how customized a technology solution must be for it to be “developed for, or provided for or on behalf of” a HIPAA regulated entity. For this reason, it is important to fully understand the relationship of the parties and the technology involved to properly analyze potential HIPAA risk exposure from using third-party technology.

To read more on the new HIPAA FAQs and the potential impact on the use of third-party technology solutions, click here.