The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of HIPAA FAQs addressing the applicability of HIPAA to certain health apps and the covered entities and business associates that interact with them. These FAQs build upon prior guidance from OCR that outlined the framework for evaluating whether a health app developer must comply with HIPAA, but tackle a different question – when are covered entities or business associates liable under HIPAA for the subsequent misuse of electronic protected health information (ePHI) by a health app developer?

To answer questions about an app developer’s HIPAA obligations, OCR’s prior guidance focused on the direct-to-consumer nature of the app. OCR concluded that if the patient initiated use of the app, or brought the app to his or her health care provider (i.e., a covered entity), the app developer would not be considered a business associate of that covered entity. Notably, OCR also did not consider the existence of an interoperability agreement between the patient’s health care provider and the app developer to change this analysis. By contrast, in circumstances where a health care provider contracts with the app developer for purposes of patient management services, or for remote patient health counseling, monitoring, or messaging services, and the provider recommends its patients to download the app, then OCR considers the app developer a business associate of the covered entity.

OCR’s new FAQs extend upon this discussion of the business associate relationship between a covered entity and app developer, and highlight the vicarious liability faced by a covered entity if and when an impermissible use or disclosure of ePHI involves the app. The new FAQs reiterate that if the app was not provided by or on behalf of the covered entity, then the covered entity will not be liable for a breach of any information later experienced by the app. However, if the app was developed for, or provided for or on behalf of, the covered entity, then the covered entity could be held responsible for an impermissible use or disclosure of the ePHI in the app. In other words, if OCR determines that an app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity for its patients, then the app developer is a business associate of the covered entity, and the covered entity may be liable for an impermissible use or disclosure of ePHI in connection with the app. Importantly, according to the FAQs, the same logic applies to business associates who engage app developers on behalf of covered entities.

Yet, OCR appears to miss a critical element in its analysis of liability to be imposed on a covered entity when a business associate runs afoul of its HIPAA obligations, or on the latter when a business associate subcontractor violates HIPAA. With the promulgation of the Health Information Technology for Economic and Clinical Health Act (HITECH) Final Rule, covered entities became liable for the actions of their business associates, but only so long as a federal common law relationship of agency exists between the two.1 As a result, HITECH made covered entities significantly more responsible for the actions of their business associates, but with careful consideration that not all business associates would be considered agents of covered entities. According to OCR, the agency relationship would be a fact-specific determination, taking into account the terms of the BAA as well as the totality of the circumstances of the relationship between the two entities.

Now, with its recently released FAQs, OCR has signaled its intention to pay closer attention to the fault attributable to a covered entity when a business associate breaches the integrity or security of a patient’s ePHI. The requirement for an agency relationship between the covered entity and business associate places some guardrails around the possibility of vicarious liability, but also makes the need to clearly define the relationship between the parties critically important. OCR’s new focus reflects the importance of covered entities identifying their business associates correctly and contracting with them appropriately.

From a practical perspective, this is not as easy as it may sound. Health care providers and other entities in the health care industry are becoming structurally more complicated as many such entities no longer act solely as HIPAA-covered entities or business associates. For example, health care providers may provide technology and related services as a business associate to other covered entities. Or, as another example, a covered entity could have a dual relationship with another covered entity: one relationship where they exchange ePHI to provide health care to mutual patients and another where they act as a business associate. Moreover, covered entities and business associates may be hybrid entities when they provide technology and related services as part of and separate from their HIPAA-regulated roles.

The technology arrangements may also be complicated and tangle the agency analysis assessing the potential risk of vicarious liability. Application developers may provide technology solutions with various levels of interaction with HIPAA-regulated entities, including off-the-shelf, configurable, or fully customized products and services. The technological details of the solution may be integral to the agency analysis for vicarious liability. For example, is an agency relationship created when an entity is providing a cloud-based platform that has a standard foundation for all customers but includes the ability for both the application developer and the covered entity to configure and customize some portions of it? Is a covered entity insulated from vicarious liability if it uses a technology solution that it can configure for its purposes, but exposed to vicarious liability if it requests customizations from an application developer that will have the exact same result? Should a covered entity use out-of-the-box technology solutions that may not ideally fit its business operations (possibly creating risk) rather than work with a third party to build a solution that better meets its operational objectives but increases the risk of vicarious liability?

We work with HIPAA-regulated entities to analyze how these relationships with technology providers can impact their HIPAA risk exposure. These FAQs seem to further muddy an already murky legal analysis by ignoring the critical agency element limiting the applicability of vicarious liability, and emphasize that HIPAA-regulated entities should pay close attention to whether they are creating an agency relationship with technology providers. Such entities may significantly increase their HIPAA-related risk if they treat technology-related agreements as business-as-usual deals. While the legal agency analysis can be complicated, they should thoroughly understand the parties’ roles, the technology involved, the actual tasks performed by the application developers, and other factors so they can accurately assess the potentially significant impact on their HIPAA risk exposure from using technology provided by third parties.

1 45 CFR 160.402(c)(1). Interestingly, in another FAQ that predates HITECH, but was reviewed by OCR subsequent to the HITECH Final Rule, OCR did not consider a covered entity to be liable for, or required to monitor, the actions of its business associates if the parties had signed a business associate agreement (BAA), and the covered entity took reasonable steps, to cure a breach in the event one occurred.