What liability does a covered entity face if it fulfills an individual’s request to send their ePHI using an unsecure method to an app?

Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel.  See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii).  For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience.  In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app.  With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.

Created 04/18/19